Better Auth, by a self-taught Ethiopian dev, raises $5M from Peak XV, YC

Pretty sure auth is not something I want a self-taught dev (or even most CS-graduate devs) writing.

Oauth2, JWT's, hashes, timestamps, validations, and such, are all totally simple until they're not. The black hats have way more experience and way more time invested in this space than most any normal dev.

Auth is really not difficult to write. It's don't roll your own crypto, not don't roll your own auth. People need to stop spreading this fud.

Yeah it’s not difficult if you know all the specs.

The issue is 99% don’t know them and are not very good at following them. And the cost of error is very high.

I’ve seen a lot of startups that failed to implement even google oauth securely.

So yeah it’s a far cry from fud and you really should not do it unless you are actually good.

I learnt to program (in a very basic way) before doing the whole paper qualification thing. Am I self taught? Is that some kind of signifying badge one loses once one gets a 'proper' education? I also know many people _with_ the paper qualification I wouldn't necessarily trust

Rhetorical questions of course as we all know it's a clickbait title, but perhaps it would be nice for this label to stop being thrown around like it has any real consistent meaning or significance?

What? No!

There are plethora of mistakes one can make in implementing AuthN/AuthZ, and many of them almost immediately will lead to either the direct leak of PII or can form the start of a chain of exploits.

Storing password hashes in an inappropriate manner -> BOOM, all your user's passwords are reversible and can be used on other websites

Not validating a nonce correctly -> BOOM, your user's auth tokens can be re-used/hijacked

Not validating a session timestamps correctly -> BOOM, your outdated tokens can be used to gain the users PII

But given that BetterAuth is an open source project with a large following, and also given that they just got funding so they can hire more help, now we can evaluate BetterAuth's competency in terms of their ability to coordinate help.

None of those things are difficult to do correctly.

> The black hats have way more experience and way more time invested in this space than most any normal dev.

Surely the black hats you refer to are themselves self-taught? They didn't find a school that would teach them about crime, right? In that case it seems like self-taught can be good enough.

Yeah, one would think so. Evidence in the wild shows otherwise.

With 5M you can get white hat audits. Even big boys like Okta have had serious fuckups [1].

[1] https://trust.okta.com/security-advisories/okta-ad-ldap-dele...

It's funny, we've watched for two decades as the click-driven dynamics of the internet have degraded the meanings of words. At first, I was outraged on a daily basis. Then, as we all did, I learned, against my will, to forgive. "Can't blame them for chasing clicks! Who among us wouldn't cheapen a word if it meant a view?"

But - and this is the funny part - I feel like my teen-angsty self has been vindicated. I'm so burnt out on exaggeration, not a single news site has gotten regular clicks from me in over a decade, nor do I comment or read comments. I listen to a little history dork YouTube before bed, or for tutorials. I'm free.

Also, as far as I know, they aren't reimplementing the core auth libraries/specs mentioned

OAuth is very complicated and fuzzy though.

I am not surprised anyone makes mistakes trying to integrate it anywhere.

Black hats have to be right once, white hats have to be right every time.

They can spray and pray, you have to write proofs.

> Storing password hashes in an inappropriate manner

The problem isn't how you store the hash it's how you generate the hash.

So it’s a bad idea, but somehow a guy in Ethiopia writes his own auth and builds a whole company around it and gets $5 million?

I don’t know about you, but most everything I know on those subjects is self taught. University is overrated for computer science.

Auth is actually really hard, with many really subtle high impact mistakes one can make.

Like many others here, I too have degree in computer science, and I will say this much. Not all degrees are created equally. Did I learn a lot? Absolutely. Could I have learned it all on my own? No. Could others learn it all on their own? Absolutely.

That being said, I didn't go to some fancy university -- just a small unheard-of state school of no notoriety. I think I benefited more from the learning environment and structure than from the actual instruction I received. Maybe I would have had better feeling about my degree had I attended a prestigious university, but honestly, most of what I learned was quite surface-level knowledge that came straight from the textbooks anyway.

I feel no superiority over those without a degree. In fact, quite the opposite. I feel a bit of shame that I do not know as much as I probably should despite having a degree.

Fundamentally, I agree with you. A piece of paper doesn't mean much. Based on the interview questions that are commonly asked, it seems like our industry doesn't find degrees that meaningful either.

I also ran into this trying to upgrade my company's auth strategy. The hardest part of auth is convincing people that... it's not actually as hard or dangerous as they think it is. It was an uphill and ultimately unsuccessful battle of mine. People can't even divorce JWTs as simple, verifiable json data blobs from the entirety of the OAuth2 spec. You see it on HN, with hundreds of circular comment threads and I've seen it in real life.

Auth, in my experience, isn't actually that hard to write.

OAuth, or any form of SSO, is not something you want to roll yourself.

Crypto is absolutely not something you want to roll yourself.

Besides being a self-taught developer, Bereket also did at least three years of a university CS program before dropping out to work full-time. Source: his CV.

Plenty of evidence in the wild also shows that programmers in general should never be trusted.

>They didn't find a school that would teach them about crime, right?

The difference between the bad guys and good guys isn't what they've learned. It's how the use what they've learned.

Any cybersec course worth its price tag is going to teach you all about penetration testing, exploits, etc. It's pretty hard to come up with a good defense if you don't learn about how the attacks work.

The short answer: Bcrypt with 12 rounds.

Good enough for almost any startup in 2025.

He must be really good at selling lol

> University is overrated for computer science.

It's mostly overrated, but not entirely so.

The vast majority of software development that I've learned has been outside of school, but there are a couple of core CS (and data science) concepts that I never would've learned if not for uni.

Counterexample: Storing the bcrypt hash by appending it to a CSV file containing the usernames and hashes of all users then having a login process where that CSV file is downloaded to the client and the password is verified locally against that CSV file using client-side JavaScript would probably be very bad.

Cryptography part is fine but storage or the auth process isn't.

You would like to think that no-one would write their app that way, but there are plenty of slightly less worse things that happen in practice and vibe coding probably introduces all sorts of new silliness.

Everything in life is hard there.

> I learnt to program (in a very basic way) before doing the whole paper qualification thing.

This sort of take is disingenuous. No one needs to go to a university to learn the syntax of a programming language, or to build up from a "Hello, world" program. That's not what a university is for.

That's not software engineering either.

In the very least an engineering exposes students to a curriculum which covers the necessary topics which allow someone to be competent at an engineering discipline.

Now, being a salesman and an engineer are two separate skills,so I don't really see a problem in having a "self-taught" programmer pitching a service and a business plan. However, as a prospective customer,having an auth service rolled out by people who clearly are not auth experts... That sounds like multiple downsides bundled with barely no upside.

> Yeah it’s not difficult if you know all the specs.

I don't think this is a valid point. Specs only cover a single responsibility: interoperability. This is not a critical requirement of auth services, unless you have a hard requirement on federated auth.

if blackhat is wrong nobody will hear about it

if software dev/blue team is wrong, it leaves a giant gaping hole in the system open for anyone to exploit 24/7

Yes, people mix up the concepts of authentication and authorization (access control). Authentication can be really simple if you rely on a standard like JWT.

Authorization is what's difficult and dangerous.

I would recommend that people don't do auth not because it's easy to be insecure, it's that auth sometimes needs agility. Auth sometimes needs to grow and adapt just like any other part of your product.

Except that auth might not be a core part of your insurance or tax app, and you'd rather spend your energy on the part of "agility" that has to do with the core parts of your app.

On the flip side I was at a startup using auth0, because as you said, not a core part of the business right? Until the traction hit and they had hundreds of thousands of users. Suddenly the auth bill became untenable - users are great but there wasn’t enough revenue to cover these costs. Auth0 didn’t budge. In fact they were outright nasty to deal with. They were holding our user logins and passwords hostage and they knew it.

You don't have to buy into Okta, you can also lean on auth frameworks like auth.js. Either way you're depending on outside labor to adapt.

I worked for a social media company before and we also rolled our own auth and we didn't regret it. High user accounts are a special case and you should know ahead of time.

But for B2B? Beware. You might get hit with an ask for active directory support.

I'm not criticizing BetterAuth here, but the idea that rolling your own auth is easy.

BetterAuth is likely an improvement against the status quo for many companies if they have already decided to roll their own auth, as it at least already provides pre-made blocks of functionality that are hopefully battle-hardened rather than building completely from scratch.

University is not just "bigger school". It gives you the time and resources to dedicate yourself to study. If you just want to write programs then of course you don't need uni. I could write programs before I went. In fact, I earnt money from it before I graduated, making me a self-taught professional programmer too.

What I came out with was a far broader picture of what's been done in computing and, more importantly, how to find and read information about it. The biggest difference between me and my colleagues who haven't been to uni is when they run across something they haven't done before they are completely lost, whereas I'm usually able to say "hmm, that sounds like a graph problem, I think there's an algorithm for that".

Having said that, what I didn't come out with was how to do testing, version control, CI etc. Luckily that stuff is easy to learn on your first job.

An improvement if their own approach would be worse than 'get a single self taught guy to roll something out'. If it's roughly the same it shouldn't be any improvement.

Strong disagree. University is not overrated for computer science, maybe it is overrated for vocational training. Because what we are discussing here is not computer science, but craft.

Anyway, the students grokking computer science are usually the better craftsmen, too.

As soon as a self-taught-dev can't write this anymore and auth is fully in the hands of only big corps, I'm pulling the plug.

Yes, a self-taught-dev should not write their own hashing-algorithms and so on, sure. But if Oauth2 is so complicated and hard to get right (and test), well then maybe the standard isn't so great.

Argon2 with defaults. Stronger and easier.

I agree completely, which is why it's enlightening to read implementations of crypto. These are often short, seemingly simple, self contained sections of code that have to be as close as possible to perfect. Even simple things like constant time comparison algorithms are beautiful little crystal palaces of code.

It’s not easy, but it’s not impossible either.

If you’re just a developer who works on CRUD apps all day or never touches a backend then yea you probably don’t have the skills but auth is a solved problem and you can learn to do it right. A team of engineers can definitely put together an auth system.

It really depends on what you're doing. Many graduates I worked with and people from academia always wrote code so convoluted and abstracted it was impossible to follow. In the end it had the same bugs and their code was replaced with something a tenth of the size within months of them leaving.

I consider it a red flag when people say this. Security is everybody's responsibility, and if you can't implement, say, oauth2, something that has a clear specification and dozens of implementations to learn from on Github, then I can't trust you to handle the day-to-day freeform work.