Custom backend login (email/phone/password/OTP)

This option means you implement authentication yourself (or on top of a lightweight auth library), backed by your own database and APIs. Common variants include email/password, phone/SMS OTP, and magic links.

When to choose a custom backend

  • You already have a backend and want full control over UX, risk rules, and data
  • You have special requirements (custom roles, complex account linking, bespoke enterprise SSO)
  • You can invest in ongoing security maintenance (rate limiting, monitoring, abuse prevention)

Pros

  • Maximum flexibility: you own the data model and UX
  • No vendor coupling: easier to migrate later
  • Tight integration with your existing user database and business logic

Cons / gotchas

  • Security burden: password storage, MFA, rate limiting, bot protection, and incident response become your responsibility
  • Operational burden: SMS/email deliverability, support workflows, abuse handling
  • Time-to-market is typically slower than a managed IdP

Implementation notes

  • Generate and store an internal stable userId (UUID or database ID).
  • Use that internal userId as your canonical identifier for account-bound data and entitlements.
  • Make account recovery robust enough that a user who loses their credentials can regain their account, and with it access to account-bound features, without the recovery path becoming an easier way in than the login itself.
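
As an added illustration of the notes above (example code, not from the original page), a minimal in-memory user store in Python: the internal userId is a UUID, the email is only a mutable lookup key, entitlements are keyed by userId, passwords are salted and hashed with scrypt at the parameters the OWASP Password Storage Cheat Sheet lists as a minimum, and a constructed failed-login threshold stands in for rate limiting. Class and function names and the lockout threshold are assumptions.

```python
import hashlib, hmac, os, uuid
from typing import Dict, Optional, Set, Tuple

# scrypt work factors at the OWASP Password Storage Cheat Sheet minimum (N=2^14, r=8, p=1)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MAX_FAILED_LOGINS = 5  # constructed lockout threshold; production would also throttle per IP

def hash_password(password: str) -> Tuple[bytes, bytes]:
    """Return (salt, digest): fresh random salt per user, scrypt as the memory-hard KDF."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest

def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest, expected)  # constant-time comparison

class UserStore:  # in-memory stand-in for the tables a custom backend would own
    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}             # internal userId -> credential record
        self.by_email: Dict[str, str] = {}           # login identifier (mutable) -> internal userId
        self.entitlements: Dict[str, Set[str]] = {}  # keyed by userId, never by email
        self.failed: Dict[str, int] = {}             # userId -> consecutive failed logins

    def register(self, email: str, password: str) -> str:
        if email in self.by_email:
            raise ValueError("email already registered")
        user_id = str(uuid.uuid4())  # stable internal id, independent of the login identifier
        salt, digest = hash_password(password)
        self.users[user_id] = {"email": email, "salt": salt, "hash": digest}
        self.by_email[email] = user_id
        self.entitlements[user_id] = set()
        return user_id

    def login(self, email: str, password: str) -> Optional[str]:
        user_id = self.by_email.get(email)
        if user_id is None or self.failed.get(user_id, 0) >= MAX_FAILED_LOGINS:
            return None  # same answer for unknown email and locked account: nothing disclosed
        rec = self.users[user_id]
        if verify_password(password, rec["salt"], rec["hash"]):
            self.failed.pop(user_id, None)
            return user_id  # callers bind sessions and data to this id, not to the email
        self.failed[user_id] = self.failed.get(user_id, 0) + 1
        return None

    def change_email(self, user_id: str, new_email: str) -> None:
        """Changing the login identifier leaves userId, and therefore entitlements, untouched."""
        del self.by_email[self.users[user_id]["email"]]
        self.by_email[new_email] = user_id
        self.users[user_id]["email"] = new_email
```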

Official documentation (building blocks)

  • OWASP Authentication Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
  • OWASP Password Storage Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html