Do you choose the best method of authentication for your situation?
  v5.0 Posted at 18/11/2017 3:59 AM by Tiago Araujo

Authentication and authorization are complicated, and it is dangerous to try to implement them yourself. Use this rule as a guide to choosing the right service or framework for your situation.

Simple and free

If you're looking for a free solution, and most of your users already have an account with Facebook, Google, Twitter or Microsoft, then an easy option is to use those services for your authentication. They all provide an external authentication endpoint, using either OpenID Connect or OAuth2.


Pros

  • Free
  • Simple to set up
  • Good user experience – often a one-click sign in
  • Plenty of documentation out there


Cons

  • People must have an account with an external service
  • No control over accounts or the signup process
  • Profile management can be tricky – do you use Google's display name or your own?

Simple, managed as a service

There are providers that offer hosted identity and access control as a managed service.


Pros

  • Much more control over access control and user profiles
  • Quick and easy to set up, with plenty of samples
  • Support


Cons

  • Costs money for more advanced features
  • Externally hosted, which may not be desired in some enterprises

There are several providers to choose from – here are some of the more popular ones. Be sure to choose one that fits your situation, as they each have different levels of compliance, features, support and pricing.

Active Directory

It's not uncommon for an organization to already be using LDAP, and IIS can supply Windows identities out of the box. It's quick and easy to set up, but not very powerful, and often all-or-nothing.


Pros

  • Good user experience
  • No management of users required at all
  • Leverages existing user storage
  • Companies like to use their Active Directory accounts everywhere


Cons

  • Role-based authorization can be difficult, as the Active Directory API isn't simple
  • Can be slow, depending on the AD setup

Full control

The above options are about delegating identity and access control to another party, which may not be a good fit for your enterprise. If full control over everything is required, then going with IdentityServer for authentication and MembershipReboot for user storage is the best idea. They do all the heavy lifting, allowing secure, robust and configurable storage of identities with industry-standard authentication schemes. The best part is you don't have to be a security consultant to implement it – though it is a good idea to have a solid understanding of security principles.


Pros

  • On-premises
  • Highly configurable
  • Uses industry-standard best practices for security


Cons

  • Steep learning curve
  • Takes a lot of development time to implement well
  • Requires vigilance to keep it up to date so that any security issues are addressed as soon as they're raised

Roll your own

One of the more common options for enterprises is to try to roll their own implementation. This usually results in poor security and difficult-to-maintain code.


Pros

  • Developers feel like they're ninjas for a little while


Cons

  • Insecure
  • Developers stop feeling like ninjas when they realize how complicated it is
  • High-maintenance
  • Quickly turns into code that everyone wants to avoid
  • Very expensive to develop and maintain
  • Insecure – this needs to be mentioned again. Security is very difficult to do correctly and is best left to experts
