Engineering
Node.js Security Best Practices for Authentication
March 14, 2026
Star us on GitHub and stay updated
Choosing the right authentication solution is one of the most consequential technical decisions you'll make for your app. Get it wrong and you're either rebuilding from scratch 18 months later or patching a home-grown system that never quite covers all your edge cases. Get it right and auth becomes invisible — users sign in, access what they need, and move on.
This guide covers everything you need to evaluate and select authentication solutions: the types of authentication that exist, a practical build-vs-buy framework, a feature checklist, and a side-by-side comparison of the leading platforms including Authgear, Auth0, Okta, Keycloak, Supertokens, and Firebase Auth.
What Is User Authentication?
User authentication is the process of verifying that someone is who they claim to be before granting access to a system. It is the front door of every application.
Authentication answers the question: "Is this really you?" It is distinct from authorisation, which answers: "Are you allowed to do this?" The two are often bundled together in platforms, but they are separate concerns.
A complete authentication system typically handles:
- Credential verification (password, passkey, token, biometric)
- Session management (issuing and revoking tokens)
- Multi-factor challenges (OTP, push notification)
- Identity federation (SSO, social login)
- Token standards (JWT, OIDC, SAML)
Modern apps need all of these, which is why authentication solutions exist as a category in the first place.
Types of Authentication
Password-Based Authentication
The most familiar method: a user enters an email address and a password, the server checks a hashed copy stored in the database, and a session is issued if they match.
Password auth is well-understood but carries significant risk. Weak passwords, credential stuffing attacks, and phishing remain the leading causes of account compromise. If you use passwords, enforce strong-password policies, hash with bcrypt or Argon2, and offer MFA on top.
Passwordless Authentication
Passwordless removes the shared secret entirely. Instead, the user proves identity through something they possess or are. Common passwordless methods include:
- Magic links — a one-time URL sent to the user's email. No password needed; the inbox is the proof of identity.
- Passkeys — cryptographic credentials stored on the user's device, authenticated by a biometric or PIN. Passkeys are phishing-resistant by design because the private key never leaves the device. See our full guide to implementing passkeys with WebAuthn.
- Biometrics — Face ID, Touch ID, or similar device-level biometrics, typically used alongside passkeys rather than as a standalone network-layer authentication method.
Passwordless methods generally have better security properties than passwords and better conversion rates on login flows. They are the direction the industry is moving.
Multi-Factor Authentication (MFA)
MFA requires a second proof of identity on top of the first. The factors are:
| Factor | Examples |
|---|---|
| Something you know | Password, PIN |
| Something you have | TOTP app, SMS code, hardware key |
| Something you are | Fingerprint, face scan |
Common MFA implementations:
- TOTP (Time-based One-Time Password) — apps like Google Authenticator or Authy generate a six-digit code that changes every 30 seconds. Widely supported and does not require a phone number.
- SMS OTP — a code sent by text message. Easy for users but vulnerable to SIM-swapping attacks. Acceptable for low-risk apps; not recommended for high-value accounts.
- Hardware keys — physical devices like YubiKey that implement FIDO2/WebAuthn. The strongest MFA option. See our FIDO2 guide for a detailed walkthrough.
- Push notifications — the user approves a login request in an authenticator app. Good user experience with strong security.
MFA reduces account takeover risk by roughly 99% according to Microsoft's own analysis of compromised accounts in Azure AD. It should be non-negotiable for any app holding sensitive data.
Single Sign-On (SSO)
SSO lets a user authenticate once with a central identity provider (IdP) and access multiple applications without signing in again. The protocols that power SSO are:
- OIDC (OpenID Connect) — the modern standard, built on top of OAuth 2.0. Returns an ID token (JWT) containing claims about the user. This is what most new integrations use.
- SAML 2.0 — the enterprise standard. XML-based and verbose, but deeply embedded in corporate IT. Necessary if your customers are large enterprises using Okta, Azure AD, or Google Workspace as their IdP.
SSO is a key feature for B2B SaaS products. Enterprise buyers often require it as a condition of purchase. If you are building for enterprise customers, plan for SAML from the start — retrofitting it is painful.
You can use our OIDC Discovery Endpoint Explorer to inspect any OIDC provider's configuration.
Social Login (OAuth)
Social login lets users authenticate using an existing account — Google, Apple, GitHub, Facebook, or others. Under the hood, this is OAuth 2.0 with OIDC on top.
Benefits:
- No new password to remember
- Higher registration conversion (one click vs. a full signup form)
- Email is already verified by the social provider
Tradeoffs:
- Users depend on the social provider staying available
- Some users are uncomfortable linking accounts
- Apple and Google have strict privacy requirements that affect how you receive user data
Most apps offer social login alongside email/password rather than as a replacement.
Machine-to-Machine (M2M) Authentication
Not all authentication involves a human. Services, background jobs, and APIs also need to prove their identity. The standard approach is the OAuth 2.0 client credentials flow: the service presents a client ID and secret to the auth server and receives an access token, which it uses to call downstream APIs.
M2M auth is worth thinking through early. If you use the same authentication platform for both users and services, you get a unified token issuance and auditing model — which simplifies compliance.
Build vs. Buy: When Does It Make Sense to Build Your Own Auth?
The instinct to build is natural. Auth feels like it should be straightforward — store a hashed password, issue a JWT, done. In practice, a production-grade auth system involves far more than that.
What "building auth" actually means
A complete in-house authentication system requires:
- Secure credential storage with proper hashing (
bcrypt,Argon2) - Token lifecycle management (issuing, rotating, revoking)
- Session management across devices
- MFA implementation and backup code flows
- Password reset flows resistant to enumeration and timing attacks
- Rate limiting and brute-force protection
- OAuth 2.0 server for social login and M2M
- OIDC provider for SSO integrations
- Audit logging
- GDPR/CCPA-compliant data handling
- Ongoing security maintenance as vulnerabilities are discovered
This is months of engineering work, and it never really ends — new attack patterns emerge, standards evolve, and enterprise customers request features you have not built yet.
When building makes sense
- You have unique authentication requirements that no existing platform supports
- Your threat model requires complete control over credential storage (e.g., a regulated financial institution with specific data sovereignty requirements)
- You are operating at a scale where licensing costs exceed the cost of an internal team
When buying makes sense
For the vast majority of products, an authentication platform pays for itself quickly. You ship faster, your users get a more polished auth experience, and your engineering team focuses on the product instead of auth plumbing.
The "buy" decision also includes open-source self-hosted options like Keycloak or Authgear's self-hosted edition — you run the infrastructure yourself, but you are not writing the code.
A useful rule of thumb: if authentication is not a core differentiator of your product, do not build it yourself.
How to Evaluate Authentication Solutions
Use this checklist when assessing any platform.
Security Features
- MFA support: TOTP, SMS, hardware keys, push notifications
- Passkey / FIDO2 support
- Anomaly detection and bot protection (suspicious login alerts, rate limiting)
- Breached password detection
- Brute-force protection and account lockout policies
- Secure token storage and rotation
- Audit logs with tamper-evident records
Developer Experience
- SDKs for your stack (React, Next.js, iOS, Android, Flutter, etc.)
- Clear, accurate documentation with working code examples
- A local development workflow that does not require hitting production
- Webhooks for auth events (user created, login failed, MFA enrolled) — see our webhooks vs. APIs explainer for background on the pattern
- REST or GraphQL admin API for managing users programmatically
- Active community or responsive support
Compliance and Data Handling
- SOC 2 Type II certification (required by most enterprise buyers)
- GDPR-compliant data processing (EU data residency options if needed)
- HIPAA BAA available (if handling health data)
- Data export: can you get all your user data out if you switch?
- Configurable data retention and deletion policies
Pricing Model
| Model | Watch out for |
|---|---|
| Per monthly active user (MAU) | Costs spike with growth; audit what counts as "active" |
| Per feature (SSO, MFA as add-ons) | SSO gating is common — check if enterprise features are bundled |
| Flat fee / usage-based | Simpler to forecast; check overage pricing |
| Open-source + infrastructure | No licence fee, but factor in engineering and ops time |
Self-Hosted vs. Cloud
Cloud-hosted solutions are faster to start with and require no infrastructure management. Self-hosted gives you complete control over where data lives — important for regulated industries and customers with strict data sovereignty requirements.
Some platforms offer both deployment modes. Authgear, for example, is available as a cloud service or as a self-hosted deployment using Docker or Kubernetes.
Top Authentication Solutions Compared
This is a high-level comparison. Every platform has nuances — treat this as a starting point, not a final verdict. Pricing in particular changes frequently; always check each vendor's current pricing page.
| Platform | Best for | MFA | Passkeys | SSO | Self-hosted | Pricing model |
|---|---|---|---|---|---|---|
| Authgear | Startups to enterprise; apps needing cloud or self-hosted flexibility | Yes (TOTP, SMS, biometric) | Yes | Yes (OIDC + SAML) | Yes (open-source) | MAU-based; free tier available |
| Auth0 | Teams that want a managed cloud solution with a large ecosystem | Yes | Yes (via passkeys) | Yes (OIDC + SAML) | No | MAU-based; can get expensive at scale |
| Okta | Enterprise IT and workforce identity | Yes (comprehensive) | Yes | Yes (OIDC + SAML) | No | Per-user; enterprise pricing |
| Keycloak | Teams comfortable running their own infra | Yes | Yes | Yes (OIDC + SAML) | Yes (open-source) | Free; you pay for infra and ops |
| Supertokens | Developer-first teams; open-source with a cloud option | Yes | Roadmap | Yes (OIDC) | Yes (open-source) | Free self-hosted; cloud is MAU-based |
| Firebase Auth | Mobile-first apps already in the Google ecosystem | Limited (TOTP, phone) | No | Limited | No | Free up to 10K MAU; Google Cloud pricing above |
A closer look at Authgear
Authgear is an open-source authentication and identity platform built for developers. Its key differentiators:
- Flexible deployment: run it on Authgear's cloud or deploy it yourself on any Kubernetes cluster. The codebase is MIT-licensed and available on GitHub.
- Full auth stack out of the box: passkeys, TOTP, SMS OTP, biometric login, social login (Google, Apple, GitHub, and more), SAML and OIDC SSO, and M2M client credentials — all supported without add-on fees.
- Authentication portal: a hosted authentication portal (pre-built login, signup, and MFA screens) that you can brand and embed in your app. No front-end auth UI to build or maintain.
- Admin portal: a web UI for managing users, sessions, roles, and audit logs.
- Developer-friendly: SDKs for React, React Native, iOS, Android, Flutter, and more. A local CLI for development.
For teams that need the flexibility of self-hosting without writing auth from scratch, Authgear is worth a close look.
How to Implement an Authentication Solution
Regardless of which platform you choose, the integration path follows a similar pattern.
Step 1: Define your auth requirements
Before touching any code, answer these questions:
- Who are your users? Consumers, employees, or both?
- What login methods will you support at launch? What might you add later?
- Do you need SSO for enterprise customers now or in the next 12 months?
- What compliance frameworks apply to your product?
- Where do your users' data need to live?
The answers will immediately narrow your platform shortlist.
Step 2: Sign up and configure the platform
Most platforms offer a free tier for development. Create a project, configure your application (web, mobile, or API), and set up the login methods you need. This is also the point to configure redirect URLs, token lifetimes, and branding.
Step 3: Install the SDK
Add the platform's SDK to your frontend and backend. Most modern SDKs handle the OIDC flow for you — you call a login() function, the user is redirected to the authentication portal, and the SDK handles the callback and token storage.
// Example with Authgear React SDK (pseudocode)
import authgear from "@authgear/web";
await authgear.configure({ endpoint: "https://your-project.authgear.cloud", clientID: "..." });
await authgear.startAuthentication({ redirectURI: "https://your-app.com/callback" });Step 4: Protect your routes and APIs
Use the access token issued by the auth server to protect your API endpoints. Your backend should validate the token's signature (using the provider's JWKS endpoint — see the OIDC Discovery Explorer to find it), check expiry, and verify audience claims.
Step 5: Enable MFA
Once base authentication is working, layer in MFA. Configure which factors you want to offer, decide whether MFA is optional or required, and set up recovery flows (backup codes, trusted devices). Test the full flow — including what happens when a user loses their authenticator.
Step 6: Test edge cases
Auth edge cases are where bugs hide. Test:
- Expired tokens and refresh flows
- Concurrent sessions on multiple devices
- Account recovery (lost password, lost MFA device)
- Social login when the provider is unavailable
- Bot and brute-force protection behaviour
Step 7: Go live and monitor
Enable audit logging before you go live. Set up alerts for suspicious activity (high login failure rates, unusual geographic patterns). Review the audit log periodically — it is your primary signal for active attacks.
FAQ
What is an authentication portal?
An authentication portal is a hosted set of UI screens — login, signup, password reset, MFA challenge — provided by your authentication platform. Instead of building these screens yourself, you redirect users to the portal, the auth platform handles the interaction, and then redirects back to your app with a token. Most platforms let you customise the portal's branding (logo, colours, custom domain) so it feels native to your product.
What is the difference between authentication and authorisation?
Authentication verifies identity ("who are you?"). Authorisation determines what that identity is allowed to do ("what can you access?"). Authentication always comes first. Platforms like Authgear handle both through a combination of OIDC tokens and role-based access control (RBAC).
Is it safe to use a third-party authentication solution?
Yes, and for most teams it is safer than building in-house. Dedicated authentication platforms invest heavily in security research, undergo regular penetration testing, and maintain compliance certifications. The risk of a misconfigured in-house implementation typically outweighs the risk of depending on a well-established vendor. For maximum control, choose a self-hosted open-source option where you can audit the code.
What is the best authentication solution for a startup?
It depends on your stack and where you expect to be in two years. For pure consumer apps, Firebase Auth is fast to start with but has limited MFA and no self-hosting. For developer-focused or B2B products where you will eventually need SSO and stronger security, starting with a more complete platform like Authgear or Auth0 avoids a painful migration later. Authgear's free cloud tier makes it easy to start without commitment.
When should I add SSO to my app?
Add SSO when enterprise prospects start asking for it — which usually happens earlier than you expect. The SAML integration requirement is a common deal-breaker for enterprise sales. Building SSO support into your platform choice from day one costs nothing extra; retrofitting it later is expensive. If your roadmap includes any enterprise segment, pick a platform with OIDC and SAML SSO included.
Conclusion
Authentication is not a feature you build once and forget. It is an ongoing investment in user security, developer productivity, and compliance. The right authentication solution removes that burden from your team and lets you focus on what your product actually does.
For most apps, the question is not whether to use an authentication platform — it is which one. Use the checklist in this guide to evaluate candidates against your real requirements, and pay particular attention to SSO support, passkey readiness, and the self-hosted option if data residency matters to you.
Ready to get started? Authgear offers a free cloud tier with no credit card required. You can have a working authentication portal connected to your app in under an hour. Start building with Authgear.
