FusionAuth provides customer identity and access management (CIAM) software for developers, enabling them to authenticate and authorize users for their applications. Key features include single sign-on (SSO), multi-factor authentication (MFA), self-service account management, and breached password detection. Earlier this year, FusionAuth published a research paper called The State of Homegrown Authentication Report: 2025. Pulse 2.0 interviewed FusionAuth founder and CEO Brian Pontarelli to learn more about the research.
Importance Of The Data
Why is this data report significant or helpful to teams? Pontarelli said:
“The Customer Identity and Access Market (CIAM) has historically ignored the practices of the teams building authentication on their own, leaving a scarcity of direct insight into peers’ challenges and successes. In this report, teams building authentication can get a solid sense of where others doing the same thing have found success. Teams building authentication don’t often get to see how others are doing it. This report gives a rare look into what’s working, what’s not, and where the challenges really are.”
Building Authentication In Organizations
Is there anything that stands out in terms of the people tasked with building authentication in their org? Pontarelli shared:
“Teams responsible for authentication tend to be experienced developers, though not necessarily identity experts. The work comes with a high opportunity cost — time and effort that could be spent elsewhere.”
Tools For Homegrown Authentication
Are there particular tools that lend themselves more to homegrown authentication than, say, bringing in a third-party? Pontarelli noted:
“Teams often rely on open-source libraries like Passport.js, bcrypt, and OAuth2 frameworks, which provide flexibility but require more hands-on integration and upkeep.”
Architecture Surrounding Homegrown Auth Implementations
What else can you say about the general architecture surrounding homegrown auth implementations? Pontarelli highlighted:
“Notably, half the teams prefer testing authentication locally, a method not supported by most SaaS-based CIAM solutions, revealing a key disconnect between dev team needs and market offerings.”
Differences Around Building Auth Compared To Using Customer Identity Solutions
Is there anything fundamentally different between those who are building auth themselves and those who use customer identity solutions? Pontarelli pointed out:
“Most CIAM solutions are multi-tenant SaaS only . . . but this report shows that half of teams doing auth actually prefer local testing. This means that the majority of the offerings available in the market are not even able to support the desired testing method of the teams implementing auth… which is a problem.”
Identity Feature Setup
Were there any identity features that folks building their own auth weren’t able to implement on their own? Pontarelli replied:
“Most homegrown teams were not focused on breached password protection or advanced identity features. And passkeys were both a point of familiarity for teams, as well as the biggest point of unfamiliarity, aside from SAML, which is notoriously complex. This suggests a steep learning curve for passkeys. Interestingly, SSO, one of the more common identity features, was in the middle of the pack in terms of familiarity.”
Learnings From The Report
What should teams learn from this report about the future of doing auth themselves? Pontarelli concluded:
“Teams should take away two main things. One, there are plenty of tools out there to help streamline or customize their approach, whether they care more about speed or long-term maintenance. And two, while security was seen as the biggest benefit of building auth in-house, 1 in 5 teams still experienced a breach. That’s a clear reminder that control doesn’t automatically mean safety—it takes real work to keep things secure.”