Authr
← The Journal
Perspectives·Sep 18, 2024·5 min

The hidden cost of building auth in-house

ML
Maya Lindqvist
Co-founder & CEO

Somewhere right now, a very good engineering team is estimating an in-house identity platform, and the estimate is defensible: two quarters, six engineers, SAML and OIDC federation, MFA, some admin tooling. I have seen dozens of versions of that document. The estimate is usually even accurate. It is also answering the wrong question, because the cost of identity infrastructure is not the cost of building it. It is the cost of being responsible for it, forever.

Year one is the cheap year

The initial build ships, the demo works, everyone moves on. Then the real backlog arrives on its own schedule. A new acquisition brings a legacy IdP with a nonstandard SAML implementation from 2011. Your largest partner rotates certificates without telling you. A protocol deprecation lands. Passkeys go from curiosity to board question in eighteen months. None of this was in the estimate, and all of it lands on the same six engineers, who by now would rather be working on your actual product, and who have started to leave.

Meridian Bank ran this experiment more honestly than most before becoming a customer. An internal platform, genuinely well built, serving 84,000 employees and 130 federated partners. When they finally audited the true cost, the standing run rate was 14 full-time engineers, and the unfunded compliance and protocol backlog was another two years of work. The build had succeeded. The owning is what broke.

We did not migrate because our platform was bad. We migrated because it was good, and keeping it good was consuming the exact people I needed on problems only our bank could solve.
Rebecca Alvarez, CISO, Meridian Bank

The costs that never make the spreadsheet

  • The 3 a.m. problem: identity is the one system whose outage stops every other system. In-house means your on-call, your postmortems, your SLA math.
  • The audit multiplier: every SOC 2, ISO, and customer security review now includes your homegrown auth in scope, answered by your engineers, annually, forever.
  • The expertise tax: the people who understand the token issuance path become unpromotable in place, then they leave, and the system becomes archaeology.
  • The opportunity cost: the only line that matters. Every quarter spent on auth maintenance is a quarter your competitors spent on product.

When building is still right

Credibility requires saying this plainly: if identity is your product, build it. That is what we did, with the level of investment it actually takes, which today at Authr means hundreds of engineers, 22 edge regions, and a security program that is itself a full-time institution. If identity is not your product, then the build-versus-buy question is really a question about what your best engineers should own for the next decade. We are, unsurprisingly, biased about the answer. But the math is not ours; it is Meridian's, and we are happy to walk you through it in detail. That is what a demo with us actually looks like: less pitch, more spreadsheet.

ML
Maya Lindqvist
Co-founder & CEO, Authr

Writing from inside the identity layer since 2024. For the conversation this post starts, bring it to your next architecture review — or to ours.

More Perspectives

Your security review will ask about identity. Have the good answer.

Talk to an identity architect about your stack, your compliance surface, and your migration path. Technical from the first call.

Enterprise only · No self-serve tier · Typical procurement to production: 6 weeks