Never Do Your Own Taxes—or Your Own Auth! (Mostly)

It’s Tax Day. A day of dread for some, an annual routine for others. Can you think of any other financially impactful space where a DIY vs professional choice is so widely debated?

Sure, when you’re just starting out, you can do a lot of things on your own without too much damage. But as you grow and obtain new assets, you may want to hire experienced hands to help you handle the more sophisticated equity. You also need to acknowledge your own limitations in tackling a complex system with a lot of rules, where a simple mistake can cost you a lot of money—or the recruitment of lawyers.

Yes, there is a space as hotly debated as taxes—it’s authentication systems. And the build vs buy similarities between authentication and taxes go even deeper! Both seem simple at first glance, but complications can add up quickly. One mistake can be costly at best or, at worst, land you in court. Deciding which boundaries to push depends on how much risk you’re willing to accept, and getting things right (when assets are large) involves a serious investment of time and research.

Auth and taxes

For many people, filling out a 1040EZ or using tax preparation software is sufficient. What makes most people take the step to buy professional help? The list is long: marriage, starting a small business, owning real estate, multiple jobs or properties, an inheritance, and more.

Authentication systems are less personal, but not far off conceptually. Just getting started? Your authentication needs may be as simple as managing usernames and passwords. You require a fairly basic auth system that your in-house IT team can easily build.

But when your organization begins to grow and diversify, buying a more complex authentication resource begins to make a lot more sense. Again, the list of “buy” triggers is long: handling password reset requests, implementing MFA, selecting the proper hashing algorithm and storing those hashes securely, keeping your TLS implementation up to date and expiring old TLS algorithms, managing sessions, checking for CSRF vulnerabilities, testing all inputs to prevent injection attacks. Note that this list is much longer, yet barely scratches the surface of what’s involved in securing logins!

Do the numbers add up?

As long as the numbers come out correctly, tax preparation is somewhat subjective. That is, depending on their knowledge and diligence, different tax professionals may have differing opinions on how much a particular person owes in taxes.

Among auth professionals, though, there is some real consensus on the “right” way to build authentication and authorization. It’s just not easy. Two resources with generally agreed-upon examples of the proper way to handle various authentication elements are the OWASP Secure Coding Practices Checklist and Cryptographic Right Answers from Latacora. Both are good places to start if you’re looking to build out your own authentication system in-house. However, even a quick glance at these pages shows how complicated and involved it is to correctly and safely build out an enterprise-scale authentication system.

So, what’s the logic of buying a solution instead? The benefits are many, and Okta authentication includes them all and more:

  • Get started in minutes: Using Okta’s SDKs and sample code, your development team can implement very quickly.
  • Extensive MFA support: Okta supports a wide range of MFA factors and is continually adding more. Okta’s product and engineering teams read and implement the RFCs and emerging standards—so you don’t have to.
  • Directory integration: Effortlessly integrate with enterprise directories or identity providers using Okta’s directory agents and pre-written connectors. No need to spend time studying packet captures or learning about LDAP!
  • Secure, audited infrastructure: With a long list of certifications, including FedRAMP and HIPAA, Okta’s solution allows you to meet even the most demanding certification requirements.
  • “Always on” security team: Okta’s security team takes both proactive and reactive measures to keep Okta’s infrastructure secure. These measures range from active vulnerability research to keeping Okta’s systems up-to-date with the latest patches. Using Okta means that your product roadmap won’t be impacted by unexpected security vulnerabilities.

Build vs buy is not always a simple question. And if you’re still on the fence about the complexities of building out your own authentication system, check out our Build vs Buy whitepaper. It provides concrete data to help you determine how your particular numbers add up. Happy Tax Day!