DEV Community

Discussion on: How Do You Authenticate Your Users?

Martin Omander

In my experience, users hate having to come up with yet another username and password, so I try to avoid rolling my own. Also, as you mentioned, there are security risks associated with building your own log-in system. Many consider it a best practice for security to use log-in from others instead, see for example blog.cloudsecurityalliance.org/201..., which lists "Broken Authentication" as the second most serious security risk out of twelve. They say: "It is not recommended that developers build authentication schemes. Instead, they should use authentication facilities provided via the serverless environment or by the relevant runtime."

What to use then? It should be a system that allows users to sign in with more than just one provider. I work for Google, so I've been using Firebase Authentication (firebase.google.com/docs/auth) and have been very happy with it. It makes life easy for the developer and it supports login with Google, Facebook, Twitter and GitHub. I have also heard good things about Auth0, but I haven't used it myself.

Justin Hunter

I wonder if there's eventually a middle ground where social authentication can also be controlled by users. As I mentioned in another comment, the biggest downside I see to apps I build is if a user loses access to a social provider (like Google, for example), they also then lose access to your app.

This happened to me with Spotify when I deactivated my Facebook account years ago. And there was no fix but to cancel that Spotify account and create a new one.
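As an added example that is not part of this thread, and not the Firebase or Auth0 API, here is a small in-memory account model in JavaScript that illustrates the "more than one provider" point from the earlier comment and the lockout problem described in this one: one application account can have several linked provider identities, so a user who signed up with Facebook and later linked Google keeps access after the Facebook account is deactivated. Provider names and subject identifiers are constructed sample data. The two checks worth noting are refusing to link an identity that already belongs to a different account (silently merging accounts is an account-takeover vector) and refusing to unlink the last remaining sign-in method.

```javascript
// Added example, not code from the thread. In-memory store where one application
// account may have several linked identity-provider logins. Provider names and
// "sub" identifiers below are constructed sample data.

class AccountStore {
  constructor() {
    this.accounts = new Map(); // accountId -> { id, email, identities: [{ provider, sub }] }
    this.index = new Map();    // "provider:sub" -> accountId
    this.nextId = 1;
  }

  static key(provider, sub) {
    return `${provider}:${sub}`;
  }

  // First sign-in with a provider identity creates the account; later sign-ins
  // with the same identity resolve to the existing account.
  signIn(provider, sub, email) {
    const k = AccountStore.key(provider, sub);
    if (this.index.has(k)) return this.accounts.get(this.index.get(k));
    const account = { id: this.nextId++, email, identities: [{ provider, sub }] };
    this.accounts.set(account.id, account);
    this.index.set(k, account.id);
    return account;
  }

  // Link an additional provider identity to an already signed-in account.
  // Refuses if that identity is already owned by a different account: merging
  // accounts on the strength of a provider login would let an attacker who
  // controls one provider identity take over another user's account.
  link(accountId, provider, sub) {
    const account = this.accounts.get(accountId);
    if (!account) throw new Error('unknown account');
    const k = AccountStore.key(provider, sub);
    const owner = this.index.get(k);
    if (owner !== undefined && owner !== accountId) {
      throw new Error(`${provider} identity already linked to another account`);
    }
    if (owner === accountId) return account; // already linked, nothing to do
    account.identities.push({ provider, sub });
    this.index.set(k, accountId);
    return account;
  }

  // Unlink a provider, but never the last one: that would leave the user with
  // no way to sign in, which is exactly the lockout described in the thread.
  unlink(accountId, provider) {
    const account = this.accounts.get(accountId);
    if (!account) throw new Error('unknown account');
    if (account.identities.length <= 1) {
      throw new Error('cannot unlink the only sign-in method');
    }
    const idx = account.identities.findIndex((i) => i.provider === provider);
    if (idx === -1) throw new Error(`${provider} is not linked`);
    const [removed] = account.identities.splice(idx, 1);
    this.index.delete(AccountStore.key(removed.provider, removed.sub));
    return account;
  }

  // Resolve a provider identity to an account, or null if none is linked.
  lookup(provider, sub) {
    const id = this.index.get(AccountStore.key(provider, sub));
    return id === undefined ? null : this.accounts.get(id);
  }
}

// The scenario from the thread: sign up with Facebook, link Google, then lose
// Facebook. With a second linked provider the user still gets in.
function lockoutScenario() {
  const store = new AccountStore();
  const acct = store.signIn('facebook', 'fb-1001', 'alice@example.com');
  store.link(acct.id, 'google', 'g-9001');
  store.unlink(acct.id, 'facebook'); // Facebook account deactivated
  const viaGoogle = store.lookup('google', 'g-9001');
  const viaFacebook = store.lookup('facebook', 'fb-1001');
  return {
    stillSignedIn: viaGoogle !== null && viaGoogle.id === acct.id,
    facebookGone: viaFacebook === null,
    remaining: viaGoogle ? viaGoogle.identities.map((i) => i.provider) : [],
  };
}
```

The same idea applies to a real identity service: prompt users to link a second provider (or a recovery e-mail) before they actually need it, and never allow the last remaining method to be removed without another being added first.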

Simon Massey

If you want to take the red pill on digital identity, then check out the concepts of self-sovereign identity and the Sovrin blockchain.

Justin Hunter

I’ve toyed around with Sovrin. Have mostly used bitcoin-based decentralized identity solutions though.