The Good Tech Companies - Modern Authentication Isn’t Enough on It's Own
Episode Date: May 23, 2025This story was originally published on HackerNoon at: https://hackernoon.com/modern-authentication-isnt-enough-on-its-own. Modern authentication improves login experienc...es, but it’s not true modernization. Learn why SSO alone isn’t enough. Check more stories related to cybersecurity at: https://hackernoon.com/c/cybersecurity. You can also check exclusive content about #authentication, #authorization, #sso, #oidc, #identity-and-access-management, #policy-management, #app-modernization-strategy, #good-company, and more. This story was written by: @strataidentity. Learn more about this writer by checking @strataidentity's about page, and for more stories, please visit hackernoon.com. When people say their app is modernized, it just means the app now supports SSO. Authorization is still coded deep in the app, just with a better login page. People assume SSO takes care of it, but it doesn’t.
Transcript
Discussion (0)
This audio is presented by Hacker Noon, where anyone can learn anything about any technology.
Modern authentication isn't enough on its own, by straight-A identity.
When I hear someone say they've modernized an application,
it usually means they've enabled SAML or OIDC. Maybe both. In their minds, they've checked the
box, single sign on SSO is working, users are happy, and security must be better. Right?
SSO does simplify access and reduce friction. But here's what worries me. Too many teams stop there.
They implement SSO and assume the hard part's over. Boot and practice, that's when the real
complexity starts to surface. Why, we modernized, doesn't always mean what you think. When people
tell me their app is modernized, I ask what that really means.
In many cases, it just means the app now supports SSO.
It still uses the same internal session logic.
Authorization is still coded deep in the app.
It's still brittle, just with a better login page.
What's happening here is more common than most admit.
We modernize the front door and leave the rest of the house unchanged.
And that's a problem, because identity isn't just about logging in.
It's about what happens after.
What modern authentication actually delivers modern auth protocols like SAML and OIDC were
designed to solve real challenges, mainly login and federation.
When they're in place, users no longer need to juggle passwords,
and IT doesn't have to manage every credential manually. That's real progress. And yes,
SSO through these protocols improves security posture. But let's not confuse convenience with
completeness. Protocols are progress, but they're not the finish line didn't get me wrong.
Adding support for OIDC or SAML is progress. You get fewer passwords,
less friction, and a more consistent user experience. What they don't provide are the
other critical controls we relied on with Web Access Management, WAM, systems, centralized session
control, authorization enforcement, directory integration, and consistent policy handling.
WAM systems weren't perfect, but they gave us a consistent control layer across applications.
When we removed them without replacing that layer, we lost something essential, and I've
seen the consequences firsthand.
The app isn't modern if identity is still hard-coded of scene apps that look slick on
the surface but still rely on fragile, developer-specific identity plumbing behind the scenes.
In these cases, adding SSO doesn't address the real risk, inconsistent behavior across apps and environments.
Some teams are still using outdated session libraries.
Others are hard-coding access rules in ways that make auditing a nightmare.
The protocol is modern, the implementation, not so much.
Where things fall apart, session management.
One of the biggest identity blind spots in modernized environments is session management.
People assume SSO takes care of it, but it doesn't.
With WAM, session behavior, timeouts, renewals, revocations, was handled in one place.
You could apply a policy change and know it'd take effect enterprise-wide.
Today, session logic is embedded inside every individual app, scattered across different
languages and frameworks. I've worked with teams using Spring, Node, JS, Rails, and even within
one framework, there's no guarantee of consistency. Each app ends up with its own config, its own
quirks, and its own security gaps.
Not being able to enforce consistent session timeouts is a huge risk if they can't revoke
sessions when something suspicious happens.
That's all still up to the application, and most dev teams aren't set up to handle that
well at scale.
The cost of decentralizing session logic when patching session libraries takes weeks or
months, or no one knows where idle timeouts are defined, security becomes reactive at best.
You lose the ability to revoke sessions in real time or roll out a policy change globally.
This isn't theoretical.
I've seen companies struggle just to track down how their session handling even works.
It's become tribal knowledge, hidden deep in app code.
That's not sustainable, especially for enterprises dealing with compliance or zero trust goals.
Identity sprawl and authorization drift the same thing that happens with session logic
happens with authorization.
Once it's pushed down into application code, it becomes nearly impossible to manage centrally.
Rules get buried in business logic, policies drift, and eventually, no one knows exactly who has access to what, or why.
Even apps that support modern authentication can fail here, because AuthZ isn't part of the protocol.
It's a separate challenge entirely, and it's one many teams don't fully account for.
Orchestration needs to come next. At this point, I think it's clear. Modern authentication is just one piece of the puzzle.
Identity orchestration can help bridge the gap.
It brings back the central control we had with WAM,
but it works across today's cloud-first, app-diverse environments.
The benefits of using orchestration include
regaining the ability to revoke sessions instantly,
applying session and auths policies consistently.
Managing federation keys and certs from one place.
Integrating with risk signals, like CAEP, to support zero trust.
And doing it all without rewriting apps or switching identity providers.
Orchestration bridges the gap between
modern protocol support and real identity modernization.
Centralization doesn't mean going backward.
Sometimes people assume that bringing identity control back
into one place is a step back.
But that's not what orchestration is about.
It's about enabling agility, about giving security teams the visibility
they need without slowing down developers.
About managing identity as a service, Node is a series of app-specific hacks.
When you don't have orchestration, every identity challenge becomes a one-offix.
With orchestration, you get a strategy. If I'm talking to a security team, I'll usually pose a question like this.
How quickly could you revoke a user's sessions across every app in your enterprise right now?
If the answer is anything less than, instantly, there's a problem worth solving.
The takeaway? Don't stop at SSO. I'll say it plainly. Modern authentication is essential,
but it's incomplete. If you stop at SSO, you're missing the control layer that makes
everything else work, securely, consistently, and at scale.
So yes, adopt SAML. Roll out OIDC, but don't let the login box be the finish line.
SSO and SAML alone do not make a modern application. If you want real security,
orchestration has to be part of the journey. About the author Darren Platt has led engineering teams
at Securrent Technologies, Ping Identity, Simplified, RSA, and Oracle. He is now the VP of Product Management and Engineering at Strait Identity, where he is
building the first distributed identity orchestration platform for distributed environments and
contributing to the new policy orchestration standard, IDQL and its reference software
Hexa.
Thank you for listening to this Hacker Noon story, read by Artificial Intelligence.
Visit HackerNoon.com to read, write, learn and publish.