←back to thread

Better Auth, by a self-taught Ethiopian dev, raises $5M from Peak XV, YC

(techcrunch.com)
282 points bundie | 1 comments | 25 Jun 25 18:07 UTC | HN request time: 0.193s | source
Show context
yodon ◴[25 Jun 25 22:32 UTC] No.44382371[source]
Pretty sure auth is not something I want a self-taught dev (or even most CS-graduate devs) writing.

Oauth2, JWT's, hashes, timestamps, validations, and such, are all totally simple until they're not. The black hats have way more experience and way more time invested in this space than most any normal dev.

replies(8): >>44382542 #>>44382600 #>>44382664 #>>44383532 #>>44383603 #>>44385107 #>>44385540 #>>44459701 #
vmg12 ◴[25 Jun 25 22:53 UTC] No.44382542[source]
Auth is really not difficult to write. It's don't roll your own crypto, not don't roll your own auth. People need to stop spreading this fud.
replies(5): >>44382590 #>>44382617 #>>44383537 #>>44383587 #>>44383602 #
fathomdeez ◴[26 Jun 25 02:01 UTC] No.44383587[source]
I also ran into this trying to upgrade my company's auth strategy. The hardest part of auth is convincing people that... it's not actually as hard or dangerous as they think it is. It was an uphill and ultimately unsuccessful battle of mine. People can't even divorce JWTs as simple, verifiable json data blobs from the entirety of the OAuth2 spec. You see it on HN, with hundreds of circular comment threads and I've seen it in real life.
replies(2): >>44384318 #>>44384353 #
1. jongjong ◴[26 Jun 25 05:02 UTC] No.44384318[source]
Yes, people mix up the concepts of authentication and authorization (access control). Authentication can be really simple if you rely on a standard like JWT.

Authorization is what's difficult and dangerous.