At 21RISK we used Auth0 as our authentication provider for multiple years, but decided in the summer of 2022 to migrate to WorkOS. The migration was completed in October 2022. WorkOS is very different from Auth0: where Auth0 covers both user and session management, WorkOS only provides authentication as a service. In essence, we forward the user to WorkOS when authentication is required. We have two types of authentication flows set up with WorkOS.
We strongly advise all enterprise customers using 21RISK to utilize SSO. If the customer is not an enterprise customer, or it is a simple demo environment, passwordless magic links are used.
Magic links are far from perfect and have some negative side-effects. Some of the security issues with magic links are discussed in this document, but can be summarized as:
Since the magic link to log the user in to your application is sent to the user’s email, that means that anyone with access to the user’s device could gain access to their account in your app. If a user loses their device, or their device is stolen, a bad actor could obtain the link. Or, if the user’s email password is hacked, the hacker would have access to the magic link as well. Magic links are also vulnerable to man-in-the-middle (MITM) attacks if the user is on an unencrypted network, which would let the hacker steal the token. [1]
To mitigate the drawbacks described above, we implement the following policies at 21RISK:
- A magic link only works one time.
- Each magic link is only valid for 15 minutes.
- Magic links must be opened by the same browser or device.
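The three policies above can be enforced server-side with a small token store. The following is an added example (not 21RISK's or WorkOS's code) that assumes the application tracks its own one-time tokens in memory, stores only hashes, and binds each link to a random nonce cookie set in the browser that requested it:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

LINK_TTL_SECONDS = 15 * 60  # policy: each link is valid for 15 minutes


@dataclass
class PendingLink:
    email: str
    device_hash: str      # hash of the nonce cookie set on the requesting browser
    expires_at: float
    used: bool = False    # policy: a link works only once


class MagicLinkStore:
    """In-memory store (assumption: a real deployment would use a database)."""

    def __init__(self) -> None:
        self._links: Dict[str, PendingLink] = {}  # token hash -> PendingLink

    @staticmethod
    def _h(value: str) -> str:
        return hashlib.sha256(value.encode()).hexdigest()

    def issue(self, email: str, now: float) -> Tuple[str, str]:
        # The token goes into the emailed link; the device nonce goes into a
        # cookie on the browser that asked for the link. Only hashes are stored,
        # so a leaked store does not yield usable links.
        token = secrets.token_urlsafe(32)
        device_nonce = secrets.token_urlsafe(32)
        self._links[self._h(token)] = PendingLink(
            email=email, device_hash=self._h(device_nonce),
            expires_at=now + LINK_TTL_SECONDS)
        return token, device_nonce

    def redeem(self, token: str, device_nonce: Optional[str], now: float) -> str:
        link = self._links.get(self._h(token))
        if link is None:
            return "invalid"
        if link.used:
            return "already_used"            # policy: one-time use
        if now > link.expires_at:
            return "expired"                 # policy: 15-minute window
        if device_nonce is None or not hmac.compare_digest(
                self._h(device_nonce), link.device_hash):
            return "device_mismatch"         # policy: same browser or device
        link.used = True
        return "ok:" + link.email
```

A link opened from a device without the nonce cookie (for example, a stolen email read on another machine) is rejected even inside the 15-minute window.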
WorkOS are industry experts when it comes to SSO. From 21RISK’s perspective, this quote from the WorkOS website summarizes it well:
This service is compatible with any IdP and supports both the SAML and OIDC protocols. It’s modeled to meet the OAuth 2.0 framework specification, abstracting away the underlying authentication handshakes between different IdPs. [2]
The SSO flow of WorkOS is described in detail here, but can be summarized as the following:
To make the UX as good as possible, we redirect users to the correct SSO provider based on domain name, if SSO is configured for the given domain.
To make the enterprise experience effortless, we offer directory sync powered by WorkOS. This makes it possible to provision and de-provision employees automatically, and to remove users assigned to actions when they are no longer associated with the given organization.
Directory sync is still WIP, but we expect the first features to land end of year, 2023.