Is Your AI Startup Serious about User Authentication?
AI based products


ChatGPT has played a significant role in accelerating the AI revolution and bringing numerous AI startups to the forefront. In Y Combinator's first batch of 2023, 51 of the 183 selected startups were AI startups. These startups primarily use generative AI, either training their own models or building on platforms such as ChatGPT to develop their products.


One positive trend among these AI startups is that non-technical founders are now building products with the help of ChatGPT and no-code tools. They have come up with excellent use cases, built websites, and used the ChatGPT APIs to deliver product experiences. Most of them run a SaaS model, charging $1-$50 per user per month.


The exciting aspect of this AI movement is that we are likely to see numerous such products from small teams or individuals who do not have a full-fledged engineering team but can still serve their niche and earn a good income. They will typically assemble their entire product from low-code/no-code modules, relying on cloud storage, managed hosting, and off-the-shelf plugins and UI kits.


From our perspective, any product that charges users needs user authentication (registration and login modules). We looked at many AI startup websites and found that they either implemented a conventional id and password login themselves or used a third-party authentication product such as Firebase, Amazon Cognito, or OAuth-based social login.


We have seen problems with both approaches and want to look at them more closely. Starting with a plain id-password login is easy: good libraries exist for every stack, and you can have this kind of login working very quickly. Over time, though, a simple login flow does not suffice. To keep your users' accounts safe, you will soon need a second factor such as a one-time code or an authenticator app, which adds development complexity. You also have to take care of user management, the user database, and the operational issues that come with authentication (password resets, lockouts, credential stuffing). For a small team or an individual, authentication soon becomes a complex module in its own right and may require dedicated engineering resources. From the user's point of view, a plain id-password login also works poorly: people are already fatigued by passwords, and a 2019 study conducted by Google found that 75% of Americans are frustrated with them.


One of the significant problems with managing authentication yourself is a high susceptibility to data breaches and leaks. On 20 March 2023, a bug in an open-source library used by ChatGPT unintentionally exposed payment-related information of 1.2% of the ChatGPT Plus subscribers who were active during a specific nine-hour window. Some users could see another active user's first and last name, email address, payment address, the last four digits (only) of a credit card number, and the card's expiration date. This happened to OpenAI, a company with a large engineering team. Now consider an AI startup that does not have the people to identify and prevent such a bug. Secondly, as these AI startups flourish, they become a breeding ground for attacks: server-side breaches, phishing against password logins, and SMS pumping (toll fraud that drives up your SMS bill by triggering OTP sends to attacker-controlled numbers) if you use SMS OTP as the second factor. This not only puts your users' accounts at risk but also costs you heavily in monetary terms.


Now, let's talk about delegating authentication entirely to a third party through standards such as SAML (Security Assertion Markup Language) and OIDC (OpenID Connect). They provide a means by which users are authenticated, and user information is securely transmitted, between the system doing the authentication, known as the Identity Provider (IdP), and the service or application the user is trying to access. A familiar example is "Sign in with Google". Once such an integration is in place, the identity provider takes care of authenticating the user correctly. Two things to consider: first, implementing it still requires a fair amount of development capability, and second, identity providers charge up to $0.025 per authentication. If your user base grows significantly, say to 100,000 users each logging in once a month, the authentication bill reaches $2,500 per month, and more if users log in more often. For AI startups that charge very little per user per month or run a freemium model, this is an unnecessarily large cost.

[Image: Passkeys vs other logins]


As AI startups embrace AI innovation wholeheartedly, they should also adopt authentication innovation for their products. One such innovation is passkey-based authentication, built on the FIDO2/WebAuthn standards. It is completely password-free, which eliminates the password-related disadvantages discussed above, and it provides a very seamless user experience because the user unlocks the credential with the biometric or device PIN they already use on their phone or laptop.


Passkeys use a public/private key pair to verify the user's identity. The public key is shared with the website or app the user wants to sign in to, while the private key stays on the user's device. At login the site sends a fresh random challenge, the device signs it with the private key, and the site verifies the signature with the stored public key. Because the private key never leaves the device, a breach of the site's database yields only public keys, with no shared secret to leak; and because the credential is bound to the site's domain, a look-alike phishing page cannot obtain a usable signature.


SoundAuth has developed a completely no-code module with which any company can implement passkey-based login within a day. We provide authentication as a service, so we take care of every module related to authentication, including user management. Compared with SAML/OIDC-based login at $0.025 per authentication, we are at least five times cheaper: for a 100,000-user base you would pay less than $500 per month.


Visit www.soundauth.com for more information.

More articles from Trillbit Inc
