When to use Devise vs. Creating my own Authentication

Question

As stated in the title, when should devise be used and when should I, instead, implement my own authentication. In essence, I'm wondering whether the created authentications in some tutorials (such as this one) are secure and safe.

If I don't need email confirmation, recoverability, etc. (a lot of the "jazz" associated with Devise), would the account information be just as secure as if I created my own?

If you still may be confused by what answer I'm looking for – is Devise something you should use whenever possible/whenever you have accounts? Or should it really be a decision?

Note: I'm not specifically referring to Devise, any authentication gems may be replaced.

Answer 1

I used to use gems like Devise until Rails added the has_secure_password to ActiveRecord. Now I always roll my own since in the end I always need some custom stuff that makes it hard to implement in an existing library.

Ryan Bates have an excellent video on just this topic here.

Answer 2

implement my own authentication

Anytime you start thinking whether you should create your own authentication, you need to stop. Take that idea, shred it, douse it with gasoline, and burn it!

Authentication is hard. There are subtleties that exist in authentication and developers that are used to CRUD style programming are going to miss them. This isn't meant to be an insult. I am one of those programmers, and I work in security. Recognize your strengths and weaknesses.

Devise (and most popular authentication frameworks) have had thousands of hours of code review, design, testing, and time in production versus the framework that you're going to roll yourself.

I wrote a blog post about a "smart" security feature that actually made a company's security worse. This is a good example of how subtle authentication and security can be!

Answer 3

In my opinion you should decide it according to your project. If you are working on small web-service with minimalistic functionality you can add your own auth using instruments provided by Rails. But if you are working on so-called "enterprise", big project with fast-growing functionality you should definitely use devise, since with this gem, you will not spend time on building existing auth features, it is very easy in maintenance and secure.