The hidden cost of authentication

Most teams budget the initial build. Nobody budgets the next five years. The real math, year by year.

LoginWith team

The most-quoted cost of authentication is the initial build. That’s the cost every manager has a number for: “our engineer said 3 weeks.” The number that almost nobody has is the ongoing cost — what authentication costs your engineering team every year, forever.

Here’s the honest math.

Year 0: the build

Initial implementation of a reasonable auth system:

  • Sign-up, sign-in, sign-out: 1 week
  • Password reset, email verification: 1 week
  • OAuth (Google, GitHub): 1 week
  • Session management, rate limiting, basic MFA: 1-2 weeks
  • Admin tools (user list, impersonation, audit logs): 1 week

Total: 5-7 weeks of engineering, one person. At $2,000/week fully loaded, call it $10-14K.

That’s what shows up in the plan.

Year 1: the surprise maintenance

Month-by-month in year one, roughly:

  • Month 2: Google or another provider changes something on their side (a rotated signing key, a deprecated endpoint); your OAuth breaks; 2 days to debug and fix.
  • Month 4: customer reports a password reset edge case; 1 day.
  • Month 5: you’re reviewing logs and notice a credential stuffing attempt; 3 days to implement per-account rate limiting.
  • Month 7: new customer wants SSO via Okta; 2 weeks for SAML integration.
  • Month 9: Chrome rolls out a cookie change; 1 week of debugging and a partial rewrite.
  • Month 11: dependency security advisory; urgent update; 1 day.
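The month-5 item above, per-account rate limiting after a credential stuffing attempt, is the kind of three-day job that hides a design decision. The example below is added here and is not LoginWith code; it assumes a 15-minute window, 5 failures per account and 10 failures per source IP (all assumed policy numbers), and it goes one step beyond the text by keying the same limiter on both the account and the source address, because stuffing runs spread one attempt across many accounts and a per-account counter alone never fires. The login attempts are constructed sample data.

```python
"""Per-account and per-source login throttling against credential stuffing.

Added example, not LoginWith's code. Window sizes and thresholds are assumptions.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Counts failures per key inside a trailing window. Any key works (account, IP)."""

    def __init__(self, window_seconds, max_failures):
        self.window = window_seconds
        self.max_failures = max_failures
        self._hits = defaultdict(deque)  # key -> timestamps of recent failures

    def _prune(self, key, now):
        q = self._hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def over_limit(self, key, now):
        return len(self._prune(key, now)) >= self.max_failures

    def record_failure(self, key, now):
        self._prune(key, now).append(now)

    def reset(self, key):
        self._hits.pop(key, None)


class LoginGuard:
    """Applies a per-account limit and a per-source-IP limit (assumed policy)."""

    def __init__(self):
        self.by_account = SlidingWindowLimiter(window_seconds=900, max_failures=5)
        self.by_ip = SlidingWindowLimiter(window_seconds=900, max_failures=10)

    def attempt(self, account, ip, now, password_ok):
        # Decide throttling *before* the password check, so a throttled request
        # is never an oracle for whether the password was right.
        if self.by_account.over_limit(account, now) or self.by_ip.over_limit(ip, now):
            return "throttled"
        if password_ok:
            self.by_account.reset(account)  # a genuine login clears that account's strikes
            return "ok"
        self.by_account.record_failure(account, now)
        self.by_ip.record_failure(ip, now)
        return "fail"


# Constructed sample traffic (timestamps in seconds, addresses from documentation ranges).
SAMPLE_ATTEMPTS = (
    # Stuffing run: one source, one guess per account, so no account ever reaches 5.
    [(t, f"user{t:02d}", "203.0.113.9", False) for t in range(12)]
    # A legitimate user mistyping her password six times in a row...
    + [(100 + i, "alice", "198.51.100.7", False) for i in range(6)]
    # ...then coming back half an hour later with the right one.
    + [(2000, "alice", "198.51.100.7", True)]
)


def replay(attempts, guard=None):
    """Run attempts through a guard and return the decision for each one, in order."""
    guard = guard or LoginGuard()
    return [guard.attempt(acct, ip, now, ok) for now, acct, ip, ok in attempts]


if __name__ == "__main__":
    for (now, acct, ip, _), decision in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(f"t={now:4d} {acct:7s} {ip:14s} -> {decision}")
```

Replaying the constructed traffic, the stuffing source is cut off at its 11th attempt by the per-IP counter while every account it touched stays well under its own limit; alice is throttled on her sixth mistake and logs in normally once the window has passed. Throttled attempts are deliberately not counted as failures, since the password was never checked.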

Year 1 maintenance: ~25 days / 5 engineer-weeks, call it $10-12K.

Year 2-3: the compliance hits

Getting SOC 2 or ISO 27001 means:

  • Audit log completeness: 1 week
  • Session termination on password change: 2 days (a bug you didn't know you had: existing sessions kept working after the password was changed)
  • Key rotation procedure: 3 days
  • Role and permission documentation: 1 week
  • Password policy alignment with framework: 2 days
  • MFA enforcement for admins: 1 week
  • Penetration test remediation: 1-2 weeks
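The "session termination on password change" line above is the classic finding: the password hash is updated, but every session issued before the change keeps working, so an attacker holding a stolen cookie survives the victim's remediation. The example below is added here and is not LoginWith code. It assumes a server-side session store that records, with each session, the password version it was issued under, and shows the naive validation beside the hardened one. Updating the stored password hash itself is out of scope and assumed to happen in the same transaction as the version bump.

```python
"""Invalidate outstanding sessions when a password changes.

Added example, not LoginWith's code. The store, token format and TTL are assumptions.
"""
import hashlib
import secrets


class SessionStore:
    def __init__(self):
        self._sessions = {}    # sha256(token) -> {"user", "pw_version", "expires"}
        self._pw_version = {}  # user -> integer bumped on every password change

    @staticmethod
    def _key(token):
        # Store only a digest of the token so a leaked store does not leak live sessions.
        return hashlib.sha256(token.encode()).hexdigest()

    def password_version(self, user):
        return self._pw_version.get(user, 0)

    def login(self, user, now, ttl=3600):
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {
            "user": user,
            "pw_version": self.password_version(user),  # bind session to current password
            "expires": now + ttl,
        }
        return token

    def change_password(self, user, current_token=None):
        """Bump the user's password version; all other sessions become stale.

        The session that performed the change (if given) is re-bound so the user
        is not logged out of the device they are sitting at.
        """
        self._pw_version[user] = self.password_version(user) + 1
        s = self._sessions.get(self._key(current_token)) if current_token else None
        if s and s["user"] == user:
            s["pw_version"] = self._pw_version[user]

    def validate_naive(self, token, now):
        """The bug: only existence and expiry are checked."""
        s = self._sessions.get(self._key(token))
        return s["user"] if s and s["expires"] > now else None

    def validate(self, token, now):
        """The fix: a session issued under an older password version is rejected."""
        s = self._sessions.get(self._key(token))
        if not s or s["expires"] <= now:
            return None
        if s["pw_version"] != self.password_version(s["user"]):
            del self._sessions[self._key(token)]  # evict lazily; no scan on change
            return None
        return s["user"]


def demo():
    """Constructed scenario: two devices, then a password change from one of them."""
    store = SessionStore()
    laptop = store.login("alice", now=0)
    phone = store.login("alice", now=10)       # imagine this cookie was stolen
    store.change_password("alice", current_token=laptop)
    return {
        "naive_phone_still_valid": store.validate_naive(phone, now=100) == "alice",
        "hardened_phone_valid": store.validate(phone, now=100) == "alice",
        "laptop_still_valid": store.validate(laptop, now=100) == "alice",
        "expired_laptop_valid": store.validate(laptop, now=4000) == "alice",
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The version counter is cheap because invalidation is lazy: nothing is scanned at change time, each stale session simply fails its next check. The same claim works for stateless tokens (a JWT carrying `pw_version`), but then every request still needs one lookup of the user's current version, which is exactly the lookup stateless designs hoped to avoid.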

Plus ongoing audit prep (annually): 1-2 weeks per year.

Years 2-3 auth cost: 20-30 engineer-days per year, $8-12K.

Year 4-5: the platform effects

By this point your product has:

  • A real multi-tenant model (which auth needs to respect)
  • Enterprise customers with SCIM requirements
  • Passkeys expected by security-aware users
  • Regulatory requirements you didn’t have at launch

Years 4-5 auth cost: ~25-35 engineer-days per year, $10-15K.

Totals

Over five years: roughly $46-66K in engineering cost on authentication maintenance (the year 1, 2-3 and 4-5 figures above added up), not counting the initial build.

Compare to managed

A managed auth provider at 10k managed users costs $2-6K per year (depending on add-ons and tier). Over five years: $10-30K.

Savings: $20-50K over five years. Plus — this is the bigger number — the 5-7 weeks a year of senior engineering time spent on auth is time not spent on your actual product. If your product would have shipped one more feature or one more customer integration in that time, the business value is much higher than the $50K number.

When building makes sense

Build your own auth only if:

  • Authentication is your product (you’re selling an identity service)
  • You have a regulatory requirement no vendor supports
  • You’re in a context where vendor dependence is unacceptable

Otherwise, the math is unambiguous. Buy it.

Want auth that just works?

Get started with LoginWith