Look, if you were on tech Twitter this week, you saw Chinedu (@chinedu_10) start an absolute war over authentication.
He basically said that if you’re an engineer who can’t build your own auth and you rely on third-party services just because an influencer told you to, you’re "stoopid". That one tweet split the timeline into two very loud camps: the purists who think you're a fake dev if you can't code a login, and the realists who think rolling your own auth is a one-way ticket to a data breach.
The purists are all about the fundamentals. Their logic is pretty simple:
Engineering 101: You shouldn't call yourself an engineer if you don't understand the "least basic" part of architecture, like RBAC (Role-Based Access Control) or JWTs (JSON Web Tokens).
Don't Be a Lego Builder: There is a genuine fear that modern developers are becoming too dependent on "Auth-as-a-Service" (AaaS) and losing the ability to actually code fundamental systems from scratch.
Ownership & Cost: When you build it, you own it. You aren't getting screwed if a third-party service like Auth0 or Firebase hikes its prices—which can be "insane" for a startup—or if they change their business model.
Fine-Grained Control: Custom auth gives you total control over how user info is stored and managed without being forced into a specific vendor's "black box" logic or documentation.
Then you have the people who think "rolling your own auth" is a fast track to getting hacked or going broke.
The Dunning-Kruger Effect: It sounds easy—just comparing a username and a hashed password—until you realize you have to deal with replay attacks, key confusion, code injection, and flawed redirects.
Security is a Nightmare: Senior devs who remember the "pre-Firebase" days call building auth a complete nightmare of security holes and zero best practices. One mistake, like a flawed token rotation or an insecure cookie, can expose your entire system.
Focus on the Money: If you’re a solo dev or a startup, every hour spent on a login button is an hour not spent on the actual business logic that makes your app unique and generates revenue.
Compliance & Audits: Managed providers already hold certifications like SOC 2 or ISO 27001. For a fintech startup, having an established vendor can actually make your own compliance process much faster, because auditors trust proven security experts.
If you follow the "Build It" path, you aren't just making a login form. You are now the full-time security lead responsible for a massive checklist:
Secure Hashing: You must use modern, deliberately slow algorithms like Argon2 or bcrypt, with a unique random salt for every stored password.
Session & Token Life: You have to handle secure token revocation, refresh token rotation (including detecting an old token being replayed), and HttpOnly cookies so that an XSS bug can't read the session token and hijack the session.
Modern Standards: You still need to build email verification, password reset flows, MFA (Multi-Factor Authentication), and social logins (like Google/GitHub).
Advanced Complexity: "Simple auth" in 2025 now includes things like passkeys (WebAuthn) and Single Sign-On (SSO) for enterprise customers, which are brutal to debug across different providers.
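To make the first two checklist items concrete, here is an added example (not code from the thread or from any of the vendors mentioned) showing the three pieces that get rolled wrong most often: per-user salted password hashing with a constant-time check, refresh token rotation that revokes a whole token family when a previously rotated token is presented again, and a session cookie with the HttpOnly/Secure/SameSite flags set. Argon2 and bcrypt need third-party packages, so this stand-in uses scrypt from Python's standard library, which is also memory-hard; the scrypt parameters, the `RefreshStore` class and the cookie lifetime are assumptions chosen for the demo, not production tuning.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Password hashing with a unique per-user salt.
# Stand-in for Argon2/bcrypt: hashlib.scrypt from the standard library.
# These cost parameters are an assumption for a quick demo (about 16 MiB of memory).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Return a self-describing string: algorithm, parameters, salt and digest."""
    salt = os.urandom(16)  # fresh random salt per password, never reused
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: refuse rather than crash
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    # hmac.compare_digest avoids leaking where the digests first differ
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


@dataclass
class RefreshStore:
    """In-memory refresh token store (assumed for the demo; use a database in practice).

    Every token belongs to a family. Rotating a token marks it as spent and issues
    a new one in the same family. If a spent token is ever presented again, the
    whole family is revoked: either the client or an attacker holds a stolen copy.
    """
    tokens: dict = field(default_factory=dict)      # token -> (family, user, is_current)
    revoked_families: set = field(default_factory=set)

    def issue(self, user: str) -> str:
        family = secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (family, user, True)
        return token

    def rotate(self, presented: str):
        """Return a new refresh token, or None if the presented one is not acceptable."""
        entry = self.tokens.get(presented)
        if entry is None:
            return None
        family, user, is_current = entry
        if family in self.revoked_families:
            return None
        if not is_current:
            # Reuse of an already-rotated token: treat as theft and kill the family.
            self.revoked_families.add(family)
            return None
        self.tokens[presented] = (family, user, False)  # spend the old token
        new_token = secrets.token_urlsafe(32)
        self.tokens[new_token] = (family, user, True)
        return new_token


def session_cookie(name: str, value: str, max_age: int = 900) -> str:
    """Build a Set-Cookie header value that scripts cannot read and that
    is only sent over HTTPS and on same-site requests."""
    return f"{name}={value}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("login ok:", verify_password("correct horse battery staple", record))
    store = RefreshStore()
    first = store.issue("alice")
    second = store.rotate(first)
    print("rotated:", second is not None)
    print("replay of old token rejected:", store.rotate(first) is None)
    print("family revoked after replay:", store.rotate(second) is None)
    print(session_cookie("sid", "opaque-session-id"))
```

The reuse detection in `rotate` is the point most home-grown implementations miss: simply issuing a new token on every refresh is not enough, because a stolen copy of an older token would still work until it expired. Revoking the family forces both the legitimate client and whoever replayed the token to log in again, which is the safe failure mode.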
The smartest take in the whole thread was that any decent engineer should know how to build it, but they should also know better than to do it in most production cases.
Think of it like this: A pilot should know how to fly a plane manually if they have to, but they're still going to use autopilot for a 10-hour flight. Understand the "how" so you aren't just blindly following influencers, but don't let your ego get your user data leaked because you forgot a single edge case in your custom security code.