TL;DR
Auth0 is built for enterprise identity: SSO, SAML, SCIM, compliance. It is excellent at that job, and if your primary need is connecting to Okta, Azure AD, or managing complex identity federations, Auth0 is the right choice. The enterprise plan starts at $23,000/year.
Auth1 is built for fraud prevention at the authentication layer. VOIP phone detection, bot prevention via proof-of-work, device fingerprinting, risk scoring, and real-time carrier lookup are all built into the core product, not bolted on through third-party integrations. The starter plan is free, and paid plans start at $39/month.
The two products solve different problems. This article explains the differences honestly, including where Auth0 is the better choice.
What Auth0 Does Well
Credit where it is due. Auth0 (now part of Okta) has spent over a decade building an enterprise-grade identity platform. Here is what it does better than anything else on the market:
Enterprise SSO and Federation
Auth0's SAML, OIDC, and WS-Fed connectors are battle-tested across thousands of enterprise deployments. If your customers need to authenticate with their corporate identity provider (Azure AD, Okta, PingOne, OneLogin), Auth0 makes this trivially easy. The Universal Login page handles all the federation complexity, and the Enterprise Connection UI lets your customers configure their own IdP without writing code.
SCIM Provisioning
For B2B SaaS selling to large enterprises, SCIM (System for Cross-domain Identity Management) provisioning is a hard requirement. Auth0 supports SCIM 2.0 out of the box, letting enterprise customers automatically provision and deprovision users from their HR systems. This is a compliance requirement for SOC 2 Type II and many enterprise procurement processes.
Rules, Actions, and Extensibility
Auth0's Actions system (which replaced the older Rules engine) lets you inject custom code at every step of the authentication pipeline. Need to enrich tokens with data from your CRM? Add a custom claim based on department? Route users through different MFA flows based on their IP? Actions handle all of these.
Compliance and Certifications
Auth0 holds SOC 2 Type II, ISO 27001, ISO 27018, HIPAA BAA, and PCI DSS compliance. For regulated industries (healthcare, finance, government), this is a hard requirement.
If you are selling to Fortune 500 companies, need SAML federation with 10+ enterprise IdPs, require SCIM provisioning, and have a $50K+ annual auth budget, Auth0 is the right choice. Stop reading here and go sign up for Auth0.
The Gap: Zero Fraud Prevention
Here is the problem. Auth0 is an identity platform, not a fraud prevention platform. It verifies that someone is who they claim to be (authentication) but does not assess whether that person should be allowed to sign up in the first place (fraud prevention).
Auth0 has:
- No VOIP phone detection. A user can sign up with a Google Voice number, verify via SMS, and Auth0 treats it identically to a real Verizon mobile number.
- No carrier lookup. There is no way to distinguish a $0 TextNow number from a $50/month AT&T plan within Auth0's pipeline.
- No bot prevention. Auth0 relies on reCAPTCHA or hCaptcha, which are trivially solved by modern ML-based CAPTCHA farms for $2-3 per 1,000 solves.
- No risk scoring on phone numbers. Every phone number that can receive an SMS passes verification equally.
- No device fingerprinting at signup. Auth0's Adaptive MFA uses device signals for step-up authentication, but not for signup fraud detection.
This is not a criticism. Auth0 was built in 2013 to solve the enterprise SSO problem, and it does that exceptionally well. Signup fraud was not the pressing concern for enterprise B2B SaaS at the time. But the landscape has changed.
A typical B2C SaaS with 10,000 monthly signups and SMS verification on Auth0 sees 15-25% of signups from VOIP numbers. Auth0 passes all of them. Those fake accounts go on to abuse free trials ($3,600-12,000/year in lost revenue), trigger card-testing attacks through Stripe ($1,800-4,800/year in chargebacks and fees), and inflate metrics that drive bad product decisions. Total cost: $5,400-16,800/year in preventable fraud.
Feature Comparison
| Feature | Auth0 | Auth1 |
|---|---|---|
| Email/password auth | ✓ Yes | ✓ Yes |
| Social login (Google, GitHub, etc.) | ✓ 30+ providers | ✓ 8 providers |
| SMS OTP verification | ✓ Via Twilio | ✓ Built-in (Twilio + SNS) |
| VOIP phone detection | ✗ None | ✓ Real-time, 94-97% accuracy |
| Carrier lookup / risk score | ✗ None | ✓ 2,400+ carriers mapped |
| Bot prevention | reCAPTCHA (3rd party) | ✓ PoW BotShield (built-in) |
| Device fingerprinting | Adaptive MFA only | ✓ Signup + login |
| Enterprise SSO (SAML) | ✓ Excellent | ✗ Not yet |
| SCIM provisioning | ✓ Yes | ✗ Not yet |
| MFA (TOTP, WebAuthn) | ✓ Full suite | ✓ TOTP + SMS |
| Custom domain / branding | ✓ Enterprise plan | ✓ All paid plans |
| Webhook events | ✓ Log Streams | ✓ Real-time webhooks |
| Multi-tenant support | ✓ Organizations | ✓ Native multi-tenant |
| SOC 2 Type II | ✓ Yes | In progress (Q3 2026) |
| Passwordless login | ✓ Magic link + OTP | ✓ Magic link + SMS OTP |
Pricing Comparison
Auth0's pricing is opaque by design. The free tier is limited to 25,000 monthly active users (recently increased from 7,500), but useful features like custom domains, SSO connections, and log retention are locked behind paid plans. The "Essential" plan starts at $35/month for up to 500 external MAUs but climbs rapidly.
| Plan Tier | Auth0 Price | Auth1 Price |
|---|---|---|
| Free | $0 (25K MAU, no custom domain, no SSO) | $0 (1,000 verifications/mo, VOIP detection included) |
| Starter / Growth | $35-240/mo (Essential, 500-2500 MAU) | $39/mo (10,000 verifications, full fraud suite) |
| Professional | $240-800/mo (Professional, 1000-10K MAU) | $149/mo (50,000 verifications, priority support) |
| Enterprise | $23,000+/year (custom quote) | $499/mo (unlimited, SLA, dedicated support) |
The pricing models are fundamentally different. Auth0 charges per monthly active user (MAU), which means your auth costs scale linearly with your user base. Auth1 charges per verification event, which means your costs are proportional to signups and login challenges, not total user count. For a SaaS with 50,000 users but only 5,000 new signups per month, Auth1 costs a fraction of Auth0.
A SaaS app with 25,000 MAU and 3,000 new signups/month: Auth0 Professional plan = ~$550/month. Auth1 Growth plan = $39/month. Annual savings: $6,132. And Auth1 includes fraud prevention that Auth0 does not offer at any price point.
What "Fraud-First" Means
The phrase "fraud-first" is not marketing. It describes an architectural decision. In Auth1, every authentication event passes through a fraud evaluation pipeline before the authentication logic runs. The pipeline evaluates:
- Phone carrier lookup — Is this a VOIP number? Which carrier? What is the fraud association rate for this carrier?
- Device fingerprint — Have we seen this device before? Is it a known emulator or virtual machine? What is the browser fingerprint entropy?
- IP reputation — Is this IP associated with known VPN/proxy services? What is the geographic consistency with the phone number area code?
- Velocity checks — How many signup attempts from this IP, device, or phone number prefix in the last hour?
- Risk score computation — All signals combined into a 0-100 score that determines whether the request proceeds, is challenged, or is blocked.
This pipeline runs in under 50ms. It is not a separate product or a third-party integration. It is the authentication system. Every phone verification request returns fraud signals alongside the OTP delivery status.
The Auth0 Workaround (and Why It Doesn't Work)
Auth0 users who want fraud detection typically cobble together a solution using Auth0 Actions:
// Auth0 Post-Registration Action (the workaround) // Problem: phone is already verified by the time this runs // Problem: requires separate API subscription ($99-499/mo) // Problem: adds 200-400ms latency to every signup exports.onExecutePostUserRegistration = async (event) => { const phone = event.user.phone_number; // Call third-party VOIP detection API const res = await fetch( `https://api.ipqualityscore.com/api/json/phone/${API_KEY}/${phone}` ); const data = await res.json(); if (data.VOIP) { // Too late - user is already registered // Best you can do is flag them in metadata api.user.setAppMetadata("voip_detected", true); // Then manually review and delete the account } };
The problem is architectural. Auth0 Actions run after authentication succeeds. By the time your Post-Registration Action fires, the user already has an account, the SMS has been sent (and billed), and the verification is complete. You are doing cleanup, not prevention. Auth1 evaluates fraud before the SMS is sent, which means:
- No SMS cost wasted on VOIP numbers ($0.0075 saved per blocked number)
- No account to clean up (the signup is rejected at the API level)
- No downstream systems polluted with fake user data
- No latency penalty from a third-party API call (the carrier lookup is part of the same request)
Migrating from Auth0 to Auth1
If you decide Auth1 is the right fit, migration is straightforward. Auth1 provides a compatibility layer for the most common Auth0 API patterns:
- Export users from Auth0 using the Management API's
GET /api/v2/usersendpoint (or the bulk export job for large datasets). - Import users into Auth1 via our
POST /api/users/importendpoint. Password hashes are compatible (bcrypt). - Update your frontend to point at Auth1's endpoints. If you are using Auth0's Universal Login, replace it with Auth1's hosted login page or embed Auth1's SDK directly.
- Update your backend to validate Auth1 JWTs instead of Auth0 JWTs. The token format is standard OIDC, so most JWT libraries work without changes.
Most teams complete the migration in 1-3 days. We offer free migration support for teams switching from Auth0.
When to Use Each
Use Auth0 When:
- You sell to enterprise customers who require SAML SSO federation
- You need SCIM provisioning for automated user lifecycle management
- Your compliance requirements include HIPAA BAA or specific certifications Auth0 holds
- You need to connect to 10+ enterprise identity providers simultaneously
- Your auth budget exceeds $20K/year and you need a mature, established vendor
- You need Auth0's extensive Actions marketplace and community extensions
Use Auth1 When:
- Signup fraud (fake accounts, trial abuse, card testing) is a real cost center
- You need VOIP phone detection and carrier lookup built into your auth flow
- You want bot prevention without the UX friction of CAPTCHA
- Your user base is B2C or B2B-SMB and does not need SAML federation
- You want auth + fraud prevention in a single vendor instead of Auth0 + IPQualityScore + reCAPTCHA
- You want to spend $39-149/month instead of $6,000-23,000/year
Use Both When:
Some companies use Auth0 for their enterprise tier (SAML SSO for large customers) and Auth1 for their self-serve signup flow (where fraud prevention matters most). This is a valid architecture. Auth1's API can be used purely as a verification layer before creating accounts in Auth0.
Frequently Asked Questions
Is Auth1 trying to replace Auth0?
No. Auth0 solves enterprise identity management. Auth1 solves signup fraud prevention. There is overlap in basic authentication features (email/password, social login, SMS OTP), but the core value propositions are different. If you need both enterprise SSO and fraud prevention, you can use both products together.
Does Auth0 plan to add VOIP detection?
As of March 2026, Auth0 has no public roadmap item for VOIP detection or carrier lookup. The Auth0 Marketplace includes some third-party integrations (like IPQualityScore), but these run as post-registration Actions, not pre-verification checks.
Can I use Auth1 for just VOIP detection and keep my existing auth?
Yes. Auth1's phone verification API works standalone. You can call it from any authentication system (Auth0 Actions, Firebase Auth, custom auth, Supabase Auth) as a pre-verification check. This is the most common integration pattern for teams that are already on Auth0.
What about Clerk, Supabase Auth, and Firebase Auth?
Clerk is a strong choice for developer experience. Supabase Auth is excellent for the Supabase ecosystem. Firebase Auth is free and tightly integrated with Google Cloud. None of them include VOIP detection or carrier lookup. They all have the same gap Auth0 does: they verify that a phone number can receive SMS, but they do not assess whether that phone number is real.
Is Auth1 open source?
The Auth1 backend is source-available under a BSL license. You can inspect the code, self-host, and contribute. The fraud detection pipeline (carrier database, risk scoring model) is proprietary.