Auth is one of those parts of a product you don’t think about until it’s actively costing you velocity. By then it’s usually consumed a sprint you didn’t plan for. Here are the five symptoms to watch for, ordered roughly by how much engineering time each one burns.
1. You’ve added “auth” as a line item on your sprint boards
If your backlog has tickets like “fix password reset edge case,” “handle Google OAuth breaking change,” or “migrate from MD5 to Argon2,” auth is no longer maintenance — it’s feature work. In the wrong column.
The tell: you can point to a specific week in the last quarter where auth bugs took an engineer off the roadmap. Once is bad luck. Twice is a signal.
Fix: consolidate the maintenance. Ship the fixes, audit what caused them (usually: provider API changes you have no warning on), and ask whether this category of work should be someone else’s problem.
2. Sales calls bring up SSO and your answer is “next quarter”
You’ve had three discovery calls this month where a prospect asked “do you support SAML?” and you said something diplomatic about the roadmap. At the end of the call, the deal is conditional on SSO. Two weeks later, they’ve picked a competitor who shipped SAML in their MVP.
The tell: SSO has moved from “would be nice” to “deal-breaker” and you can’t ship it in the close window.
Fix: architect for SSO before a deal requires it: a tenant-aware user model, routing by auth_provider, and email treated as metadata rather than as the identity key. With the architecture in place, the actual SAML integration is 2 weeks — small enough to ship inside a typical enterprise sales cycle.
3. Your support inbox is ~30% password reset
Look at the last 100 support tickets. Count the ones about “can’t sign in,” “didn’t get the email,” “reset link doesn’t work.” If that’s more than 10-15%, your auth UX is the product’s weakest feature.
The tell: users who pay you are asking for help with logging in.
Fix: add magic links alongside passwords, make “remember me” default on, move email verification to after the first useful action, and investigate email deliverability. Each one moves the needle 5-10 points.
4. Your database has a // TODO: upgrade password hashing comment
If your password storage is not Argon2id, you know it. Maybe it’s bcrypt at work factor 10 (fine but dated). Maybe it’s SHA-256 (please no). Maybe it’s bcrypt but the cost was set before you had any users and nobody’s touched it in three years.
The tell: someone on the team has winced when the hashing code came up in a PR.
Fix: incremental migration. On the next sign-in, verify with the old algorithm; on success, re-hash the password with Argon2id and update the row (that sign-in is the only moment the cleartext is available to re-hash). After 90 days of logins, force the lazy residue, the accounts that never signed in during the window, through a password reset email. No user-visible downtime.
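The re-hash-on-login flow described above, as an added example that is not the post's own code: the standard library's scrypt stands in for Argon2id (production would call argon2-cffi's PasswordHasher instead), the UserRow class and the sha256$/scrypt$ prefix format are constructed for the example, and the residue sweep returns the rows still on the legacy scheme once the 90-day window has elapsed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

LEGACY = "sha256"   # unsalted SHA-256, the scheme the post says "please no" to
CURRENT = "scrypt"  # stand-in for Argon2id; use argon2.PasswordHasher() in production
RESET_WINDOW = 90 * 86400  # seconds: the post's 90-day lazy-migration window

@dataclass
class UserRow:
    """Constructed stand-in for one row of the users table."""
    email: str
    password_hash: str  # "sha256$<hex>" (legacy) or "scrypt$<salt_hex>$<hex>" (current)

def legacy_hash(password: str) -> str:
    return f"{LEGACY}${hashlib.sha256(password.encode()).hexdigest()}"

def current_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"{CURRENT}${salt.hex()}${digest.hex()}"

def verify(stored: str, password: str) -> bool:
    """Check a password against whichever scheme the stored prefix names."""
    algo, _, rest = stored.partition("$")
    if algo == LEGACY:
        candidate = legacy_hash(password)
    elif algo == CURRENT:
        candidate = current_hash(password, bytes.fromhex(rest.partition("$")[0]))
    else:
        return False  # unknown scheme: fail closed
    return hmac.compare_digest(candidate, stored)

def login(user: UserRow, password: str) -> bool:
    """Verify; on success, upgrade legacy rows to the current scheme (the lazy migration)."""
    if not verify(user.password_hash, password):
        return False
    if not user.password_hash.startswith(CURRENT + "$"):
        # The cleartext exists only here, so this is the one place the row can be re-hashed.
        user.password_hash = current_hash(password)  # UPDATE users SET password_hash = ...
    return True

def forced_reset_residue(users, migration_started: float, now: float):
    """After the window, rows still on the legacy scheme get a password-reset email."""
    if now - migration_started < RESET_WINDOW:
        return []
    return [u for u in users if not u.password_hash.startswith(CURRENT + "$")]
```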
5. Your first enterprise customer would require a rewrite
This is the expensive one. The prospect says “we need SSO and SCIM.” You estimate two weeks. The work starts. Three weeks in, you realize your user model isn’t tenant-aware, your email field is a unique index that can’t be null, and your role model doesn’t survive contact with “50 employees at different departments.” Three weeks becomes three quarters.
The tell: you can’t sketch a one-page doc of how a multi-org user would fit your current schema.
Fix: restructuring for multi-tenancy is unavoidable once you’re past a certain scale, but the upfront cost of architecting multi-tenant from day one is 5% of your schema design effort. Retrofitting it is 10× that, under deadline pressure. Do it early.
The common fix
All five of these symptoms share a root cause: auth complexity compounds faster than most teams anticipate, and catching up under pressure is expensive. The lower-friction path is:
- Put auth on a managed provider that handles the protocol layer (PKCE, JWKS, session management) so your team isn’t patching it
- Pick one that’s architected for your future deals (multi-tenant, SAML-ready, SCIM add-on) so the first enterprise customer doesn’t stall
- Pay for what you use, not for every active session (no MAU billing)
That’s what we built LoginWith to be. Two HTML tags for the simple case, full OAuth 2.0 + PKCE SDK when you need more, and a clear upgrade path into enterprise SSO when your deals demand it — without a rewrite along the way.
If two or more of the signs above apply, the fix is cheaper now than in three months. The symptoms compound.