← Back to Blogus
Why I Decided to Focus on Security
Image by Freepik

Why I Decided to Focus on Security

6 min read
Ale Heredia
securityauthenticationauthorizationgrant-platform

The decision to focus on security, specifically authentication and authorization, wasn't a sudden epiphany. It emerged from a personal pain point that many developers and security-conscious users face daily: the friction of managing multiple authentication factors across countless accounts.

The Initial Problem

Like many developers, I use Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA) for all my accounts. This security best practice, while essential, created a significant usability challenge:

  • Password Manager Overload: Managing hundreds of credentials across personal and professional accounts
  • OTP Code Fatigue: Constantly switching between apps to retrieve time-based one-time passwords
  • Context Switching: Breaking workflow to authenticate into different systems
  • Device Dependency: Being locked out when switching devices or losing access to authenticator apps

The Landscape Shift

While I was exploring solutions to streamline my own authentication workflow, the industry was undergoing a fundamental transformation:

Browser Native Support

Modern browsers started implementing native authentication solutions:

// WebAuthn API - Browser-native authentication
navigator.credentials.create({
  publicKey: {
    challenge: new Uint8Array(32),
    rp: { name: 'Example Platform' },
    user: {
      id: new Uint8Array(16),
      name: 'user@example.com',
      displayName: 'User',
    },
    pubKeyCredParams: [{ alg: -7, type: 'public-key' }],
  },
});

The accelerating deprecation of third-party cookies forced a rethinking of authentication mechanisms. The industry began moving away from tracking-based authentication toward a privacy-first approach. This shift required leveraging cryptographic keys instead of cookies and developing new standards for seamless authentication across domains.

Market Solutions Analysis

As I researched existing solutions, I discovered a diverse ecosystem of mature products:

SolutionTypeKey FeaturesMarket Position
1PasswordCommercialPassword + OTP, Biometric unlock, Cross-platformDominant market share
Mac PasswordsNativeAuto-fill passwords & OTP, iCloud Keychain integrationApple ecosystem
KeePassXCOpen SourceLocal storage, Plugin ecosystem, FreePrivacy-focused users
SAASPASSEnterpriseSSO, Enterprise MFA, Seamless app integrationB2B market

Links: 1PasswordMac PasswordsKeePassXCSAASPASS

What I Learned

Each solution addressed different aspects of the authentication challenge, but none provided the perfect balance I was seeking. 1Password offers excellent UX but comes with vendor lock-in and a subscription model. Mac Passwords provides a seamless experience for Apple users but remains limited to the Apple ecosystem. KeePassXC prioritizes privacy but requires significant technical knowledge to use effectively. SAASPASS excels in enterprise environments but proves too complex for individual use.

This analysis revealed a gap: there wasn't a comprehensive open-source solution that combined enterprise-grade security with developer-friendly APIs and modern usability.

The Research Journey

Instead of building another password manager, I shifted focus to understanding the underlying technologies and standards that power modern authentication systems.

OTP Standards

Researching how One-Time Passwords actually work revealed fascinating details about the cryptographic foundations of two-factor authentication. I discovered two main standards: TOTP (RFC 6238) for time-based OTP using HMAC-SHA1, and HOTP (RFC 4226) for counter-based OTP.

The mathematical elegance of the TOTP algorithm demonstrates how a simple time-based calculation could provide robust security:

// TOTP Algorithm (RFC 6238)
// TOTP = HOTP(K, T)
// where:
//   K = shared secret key
//   T = floor((Current Unix Time - T0) / X)
//   T0 = initial time (usually 0)
//   X = time step (usually 30 seconds)

function generateTOTP(secret, timeStep = 30) {
  const currentTime = Math.floor(Date.now() / 1000);
  const timeCounter = Math.floor(currentTime / timeStep);

  // HOTP calculation using HMAC-SHA1
  const hmac = crypto.createHmac('sha1', secret);
  hmac.update(Buffer.from(timeCounter.toString(16).padStart(16, '0'), 'hex'));
  const hash = hmac.digest();

  // Dynamic truncation
  const offset = hash[hash.length - 1] & 0x0f;
  const binary =
    ((hash[offset] & 0x7f) << 24) |
    ((hash[offset + 1] & 0xff) << 16) |
    ((hash[offset + 2] & 0xff) << 8) |
    (hash[offset + 3] & 0xff);

  const otp = binary % 1000000;
  return otp.toString().padStart(6, '0');
}

Understanding these standards wasn't just academic curiosity—it was essential for building a system that could integrate with existing authenticator apps and meet user expectations.

Compliance Standards

As I dove deeper, understanding compliance requirements became crucial. The authentication landscape is governed by several key standards: FIDO2/WebAuthn provides the foundation for modern passwordless authentication, OAuth 2.0 defines the authorization framework for delegated access, and OpenID Connect adds an identity layer on top of OAuth 2.0. Additionally, NIST Guidelines provide security recommendations that many organizations must follow.

Each standard addresses different aspects of authentication and authorization, and building a platform that supports them all requires careful architectural decisions. The complexity of implementing these standards correctly—not just functionally, but securely—became apparent.

Key Insights

Through this research, several key insights emerged. Standards matter: Building on established standards ensures interoperability and reduces the risk of security vulnerabilities. Security vs. Usability represents a constant tension—the best solutions balance both effectively rather than sacrificing one for the other. I also noticed significant open source gaps: many enterprise solutions lack open-source alternatives, leaving organizations with limited options. Finally, the compliance complexity required to meet security standards demands deep understanding of cryptography, protocols, and regulatory requirements.

Why Building an Auth Platform?

This research journey led me to realize that what the open-source community needs isn't another password manager, but rather a comprehensive authentication platform that supports multiple authentication methods, an authorization framework with fine-grained access control for organizations, standards compliance built on OAuth 2.0, OpenID Connect, and FIDO2, and a developer-friendly approach that makes integration and customization straightforward.

Building such a platform represents an attempt to combine the security of enterprise solutions with the flexibility of open-source projects, the usability of modern native apps, and the compliance requirements of regulated industries. It's an ambitious goal, but one that addresses the gaps I discovered in the existing ecosystem.

Looking Forward

As I continue developing this authentication platform, I'm focusing on several key areas. Multi-Factor Authentication will support TOTP, SMS, Email, and WebAuthn to provide users with flexible security options. The OAuth 2.0 implementation will offer full authorization server capabilities, enabling third-party integrations. Organization Management will support multi-tenancy with granular permissions, making it suitable for teams and enterprises. Most importantly, I'm prioritizing developer experience with clear APIs and comprehensive documentation, because the best security platform is useless if developers can't integrate it easily.

The journey from password manager frustration to building an authentication platform has been enlightening. Stay tuned for technical deep dives into how I'm implementing these standards.

Comments