PASSWORD HASHING
• Hash: one way, no ability to revert
• Resource intensive
• bcrypt: configure number of rounds
• 2^10: ~80ms -> 12.5/sec per CPU
• 2^12: ~320ms -> 3.125/sec per CPU
Slide 16
Expected Response Times
Slide 17
Actual Response Times
Slide 18
Flamegraphs
Slide 19
PASSWORD HASHING SERVICE
[Diagram labels: AUTH NODE, LB, BaaS (four instances)]
Slide 20
User Search
Slide 21
email.domain:auth0.com AND logins_count:[0 TO 10}
Slide 22
2013
Mongo as a database
Expose search
Slide 23
2015
Problems with case insensitive search
No ability to search on metadata fields
Move to Elastic Search
Slide 24
2017
Objects with many fields affected ES
Overly permissive query syntax
Moved to Postgres
Support for customer partitions
Remove ability to perform some queries
Search v3
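An added example, not from the talk or from Auth0's code: one way to narrow an overly permissive query syntax is to accept only an allow-listed subset of the Lucene-style syntax shown on slide 21 and translate it into a parameterized SQL WHERE clause. The `to_sql` function, the field allow-list, the column names and the `%s` placeholder style are assumptions made for illustration.

```python
import re

# Assumed allow-list (hypothetical): search field -> (SQL column, value type).
FIELDS = {
    "email.domain": ("email_domain", str),
    "logins_count": ("logins_count", int),
}
# One term: field:value or field:[low TO high] with [ ] inclusive, { } exclusive.
TERM = re.compile(r"^([a-z_.]+):(?:([\[{])(\S+) TO (\S+)([\]}])|([\w.@-]+))$")


def to_sql(query, max_terms=5):
    """Return (where_clause, params) or raise ValueError for anything else."""
    terms = query.split(" AND ")
    if len(terms) > max_terms:
        raise ValueError("too many terms")
    clauses, params = [], []
    for term in terms:
        m = TERM.match(term.strip())
        if not m or m.group(1) not in FIELDS:
            raise ValueError(f"unsupported term: {term!r}")
        column, cast = FIELDS[m.group(1)]
        open_b, low, high, close_b, exact = m.groups()[1:]
        if exact is not None:
            clauses.append(f"{column} = %s")
            params.append(cast(exact))  # int() raises ValueError on junk
        elif cast is int:
            lo_op = ">=" if open_b == "[" else ">"
            hi_op = "<=" if close_b == "]" else "<"
            clauses.append(f"{column} {lo_op} %s AND {column} {hi_op} %s")
            params += [int(low), int(high)]
        else:
            raise ValueError(f"range not allowed on {m.group(1)}")
    return " AND ".join(clauses), params


if __name__ == "__main__":
    # The query from the slide: inclusive lower bound, exclusive upper bound.
    print(to_sql("email.domain:auth0.com AND logins_count:[0 TO 10}"))
    for bad in ("email.domain:*", "logins_count:[0 TO *]", "password_hash:x"):
        try:
            to_sql(bad)
        except ValueError as err:
            print("rejected:", err)
```

Wildcards, OR/NOT, grouping, quoted phrases and unknown fields never reach the database because they fail the term pattern or the allow-list, and values travel only as bound parameters.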
Slide 25
Tap Compare
https://saucelabs.com/blog/the-why-and-how-of-tap-compare-testing
Slide 26
WHERE TO HOST?
Slide 27
2014: PROVIDE OPTIONS
ON-PREM
AWS SINGLE TENANT
AZURE SINGLE TENANT
AWS + AZURE MULTI-TENANT MULTI-REGION
Slide 28
2017
High cost to maintain another cloud provider
Low probability of risk
Decision: No longer Azure on multi tenant environment
Slide 29
2017: PUBLIC CLOUD AWS ONLY
ON-PREM
AWS SINGLE TENANT (Auth0 or Customer)
AZURE SINGLE TENANT (Customer Only)
AWS MULTI-TENANT MULTI-REGION
Slide 30
On-Prem
Hard to sync on updates
Different hardware
● Stateful scaling
● Stateless scaling
Different levels of access/permissions
Slide 31
2019: AWS ONLY
AWS SINGLE TENANT (Customer Account)
AWS MULTI-TENANT MULTI-REGION
AWS SINGLE TENANT (Auth0 Account)

WHY?
● Useful for product discovery
● Does not require changing core product
● Empowers developers to do integration/customization
Slide 37
WHAT?
● Custom email providers
● New OAuth compliant identity providers
● Able to treat any database as an identity provider
● Custom actions on every event: login/signup/etc.
Slide 38
HOW?
● Custom serverless platform
● Low latency
● No cold startup
● Sandbox/Isolation
● Limited permission set
Slide 39
and Finally...
Slide 40
The Feedback Loop
[Diagram labels: Build, Learn, Measure, Baseline, Hypothesis, Analyze]
Slide 41
Thank you
@dschenkelman
Slide 42
Interested?
https://auth0.com/careers/positions?areas=Engineering