In 2020-2021, Divvy sustained multiple attacks from malicious actors. We were using Auth0 as a third-party authentication provider, but their product was not meeting our needs on multiple fronts. ~70% of our team's support tickets were related to authentication. Customers were not happy with the status quo, and neither were we.
After an extensive evaluation and two POCs, we decided to build our own authentication service to have complete control over the user experience. We also wanted to maximize internal and security tooling options.
Scope
- Customer apps (Web and Mobile)
- Internal app (Houston)
- Logins and logouts
- Set and reset passwords
- Multi-factor authentication
  - SMS/Text
  - TOTP
- HIBP integration
- Security layers
  - Internal DMC tooling
  - Fraud tooling
Technical details
- Argon2 cryptographic hashing algorithm
- PASETO-based tokens
- Token revocation support
- Proof-of-work scripter protection
- Have I Been Pwned integration
- ThreatMetrix integration
- Canary token support
- Impossible travel reporting
Over the course of the project, we analyzed every single flow to ensure it was as delightful as possible.
For example, we cycled in new designs by season on both the web and mobile login pages. Customers were raving about this because it made an otherwise ordinary login flow unique, interesting, and delightful.
Here are some seasonal login page examples on mobile (in both dark and light modes):
Post-launch analysis
Overall, Divvy Auth was a huge success. The launch went off without a hitch. Customers only had to set up MFA (we "lazy migrated" their login credentials ahead of time), and support ticket volume was not significantly impacted.
Authentication went from consistently being among the top three support ticket drivers at Divvy to not being in the top ten after Divvy Auth launched.
We also passed a third-party pen test following the technical build with flying colors, receiving only 3 low-priority (and optional) recommendations.
SMS/text reliability
- Goal = SMS/text failure rate of < 1%
- Actual = 0.75% failure rate
Authentication Service uptime
- Goal = 99.99%
- Actual = 100% uptime in 2021 (compared to 99.89% uptime with Auth0)
Miscellaneous metrics
- 163 ms average password hash time
- 157,034 MFA factors configured in 2021
- 4 credential stuffing attacks shut down within 30 minutes in 2021