Last updated 2026-06-09

The build-vs-buy trap: identity is bigger than it looks.

Who feels it

engineering · product

What triggers the evaluation

homegrown auth hits technical debt · a security review · a scale incident

Login is the visible 10 percent of identity. The other 90 percent is the unhappy paths: password reset that survives edge cases, token revocation that propagates fast, session management across devices, social-provider quirks, and account recovery for a user who has lost email, phone, and their device at once. Each of these looks small and each is a project.

The trap is that the estimate is made once, optimistically, at the start. Engineering scopes "add login" as a two-week feature, ships the happy path, and then spends the next two years paying down the difference. By the time the team arrives at a CIAM vendor, the homegrown system is not a clean starting point; it is years of accreted logic and half-finished flows that now have to be migrated. That makes the migration workstream worse, not better.

The mature framing is to estimate honestly and early. Cost the unhappy paths, the compliance automation, the peak-load behavior, and the ongoing security surface, then compare that to buying. For most teams the answer is buy, and the signal that build was the wrong call is usually the quarter the auth backlog stops shrinking. See build vs buy and the key concepts buyers actually check.

How teams recognize it

  • Auth was scoped as a sprint and is now a standing team
  • Password reset, token revocation, and account recovery keep reopening
  • Social-provider quirks and session-across-devices bugs never fully close
  • The homegrown system is now a migration liability, not an asset

How to evaluate vendors for this

The exact questions to put to vendors. Match each answer against the capabilities in the comparison below.

  1. What does account recovery look like for a user who has lost email, phone, and device?
  2. How are sessions revoked across devices, and how fast does revocation propagate?
  3. Which unhappy paths (recovery, step-up, breached-password) ship as primitives vs code we own?
  4. What is the honest engineering estimate to reach parity on the homegrown system?

Capabilities that solve this

The vendors that cover the capabilities this pain maps to, scored on just those axes. See the full matrix on each vendor profile.

| Capability | Akamai Identity Cloud | Auth0 | Authentik | Beyond Identity | Clerk | Curity | CyberArk Identity | Descope |
|---|---|---|---|---|---|---|---|---|
| Coverage (these axes) | 80% | 80% | 80% | 80% | 80% | 80% | 80% | 80% |
| REST API | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| SDKs | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
| Step-up auth | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Self-service account | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Brute-force protection | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

