HackerTrans
TopNewTrendsCommentsPastAskShowJobs

arekkas

no profile record

Submissions

Where Are the Universe's Missing Planets?

scientificamerican.com
3 points·by arekkas·w zeszłym roku·0 comments

comments

arekkas
·w zeszłym roku·discuss
Hello, founder of Ory (https://github.com/ory) here. I‘ve spent 5+ years writing code, never thinking anyone would pay for it. Today, Ory is a healthy business but the road there was extremely stressful.

I‘ve felt the same as you many times over, and I have had bad experiences along the way. In the end it still feels that it was worth it. I get to own and work on things I enjoy.

For me, taking on VC capital was the stepping stone for today‘s success, but that was necessary due to the complexity of IAM and the system criticality it has (single point of failure). It’s essentially impossible to do something like Ory without outside money.

Generally speaking I felt that libraries are harder to monetize than APIs, but looking at your website you already have a service! Monetize the service, keep the OSS free (but maybe don’t make everything OSS).

One thing we open source people are bad at is valuing our own work (because we publish it for free). But experience has shown me that people are willing to pay if the service is valuable enough even if you can get it for free otherwise. So many companies spend 100k, 200k, 2M ln bad software. Why should they not spend 100k with your good product?

If you don’t want to have a boss and don’t want to live on someone else’s terms (yes VCs, customers and others tell you what you SHOULD do, but you can still do it differently and they will applaud you when it works), keep doing what you‘re doing and don‘t be afraid to ask MORE money for it, not less.

To get to 250k to support yourself, you will have to sell a lot of subscriptions. So maybe the value lies elsewhere? Integrations, customization? Number of form fills? Bot protection? Your customers/adopters typically tell you what‘s valuable - but don’t do it all for free!

Looking at your repo it has some traction, but you probably need to build it up a bit more with marketing (wether that‘s cool new tech, or just posting it in the right places is up to you). If you have a couple of companies that are interested in using it and need support, sell them support for 10k, 20k, 30k a year and learn what they need, build it, and sell it to them again. Why build stuff for free if the customer is making money with it?

I believe you can do this!

If you are bootstrapped, don‘t try to mimic typeform subscriptions will only work with sufficient capital and a lot of upselling. Self-service subscription selling is hell and requires huge infra and marketing budgets. Try to find a couple of customers that pay you well and expand from there.
arekkas
·2 lata temu·discuss
We do have all edge cases brought to us solved in terms of account linking and the recent changes further improve the user experience in these scenarios. There are many credential types around these days from passkeys to OTP codes to passwords and OIDC. The biggest challenge is always ensuring the flows are secure which is the hardest part in our view.

ps: I find it a tad frustrating that on every Ory post FusionAuth is shilling in the comments, even if the comment is tangential but clearly intended (through links and name dropping) to draw attention away. It would be much better if FusionAuth focused on releasing open source themselves and truly contributed back to the security community instead.
arekkas
·2 lata temu·discuss
The flow is essentially what you see in the small video on the docs page and can be set up in the Ory Network Console with a few clicks. I agree though that the docs here are a bit thin.

Pricing wise this is available on the Scale tier currently dubbed as "Enterprise SSO" although "B2B Organizations" probably would be more correct: https://www.ory.sh/pricing/

There are no limits to how many organizations you can have.

Regarding MFA - the MFA enforcement typically is the responsibility of the IDP the company owns. So for example [email protected] use Okta and they enforce 2FA for their users. [email protected] use OneLogin and they do not enforce MFA.
arekkas
·2 lata temu·discuss
We have this feature and it is called B2B SSO: https://www.ory.sh/docs/kratos/organizations
arekkas
·2 lata temu·discuss
We have worked quite a lot on making Ory Kratos easier to consume. In the release notes you find ~4 CLI commands you can use to get a fully working Ory Kratos up and running, with all UIs and configuration management :) You should give it another try!
arekkas
·2 lata temu·discuss
Our roadmap for this year has a revamped Ory Elements v2, which will make this a lot less painful!
arekkas
·2 lata temu·discuss
Yes, this is definitely true. However, there are use cases and companies who rely on SMS based two-factor:

- Using SMS for phone verification

- Using SMS for mobile login (think dating apps for example)

- Using SMS for two-factor where other factors are not available / convenient (often in emerging markets)

SIM Swap Attack, SIM Port Hacking are all real, but as always in security it comes down to your threat model to decide what's acceptable risk and what isn't.

Hope this makes sense (maintainer here).
arekkas
·3 lata temu·discuss
Glad to see that you used Ory Keto! :)

Ory does have a managed service offering now for Ory Keto as well!