What are people using for webapp authentication?
I know I've posted this in a bunch of places a bunch of times, but every single time I come to look for a CIAM service for a project, I'm pretty much overwhelmed with how awful/broken they all are.
My requirements are, in my opinion, very modest. Especially for 2026. And I just can't find any provider that actually works for them:
- Cloud-hosted. I don't want to have to run my own, with all of the privacy and security concerns that comes with.
- Free tier. At least whilst in development.
- I don't mind paying a reasonable amount when live, but I don't want to have to pay whilst I'm still building.
- However, I don't want the paid plans to be overly expensive for an app that's got no income yet.
- Hosted login and signup UIs. These can get complicated fast, especially with things like MFA and Passkeys.
- This likely means proper OIDC flows, but doesn't need to mean that.
- I still want to build my own user profile pages using their APIs, since otherwise the UX will just be jarring.
- No forced requirement to use frontend SDKs. I want my frontend(s) to stay clean and do everything through my own backend.
- This means that there must be APIs for managing everything in the user profile.
- Local auth with password.
- MFA support. At least TOTP.
- It's 2026. MFA is not optional.
- This also needs to support recovery if you lose your second factor. Typically this is through single-use recovery codes but there are other options.
- This is where almost all of the offerings fail.
That seems a pretty basic list, so I'm wondering if anyone here can suggest anything that fits - or at least comes close.
For reference, and I don't want anyone to think I'm just bashing here:
- Cognito - MFA is broken. No support for recovery codes, so if you lose your authenticator app then you're screwed.
- Clerk - OIDC authentication is broken, so you're forced to use the SDK for logging in. Also, some features just aren't possible at all through the APIs - e.g. querying password complexity rules
- Descope - I've not yet been able to work out how to support both password authentication and TOTP. The custom flow that you have to install for password auth to work doesn't prompt for TOTP, which means that's just broken.
- Auth0 - MFA is gated behind the paid tier, and that's expensive. It works out to be over $2k per month to get close to the same user levels that Clerk gives for $20 per month.
- Zitadel - the usage counts are way too low. You only get 100 users before you have to start paying.
And my list does go on, but you get the idea.
Cheers