We have load tested our medium deployments to roughly 20 logins per second. It can vary quite a bit. We ship with PBKDF2 and a factor of 24,000. That configuration is the primary limiter to how many passwords we hash per second.
Tune it up to bcrypt factor 14, and it may take 3-5 seconds per hash. You can also tune the factor down from the default scheme to increase logins per second - it is a trade-off between security and performance.
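The trade-off described in the answer above can be measured on your own hardware. The sketch below is an added example, not FusionAuth code or part of the original answer: it times PBKDF2 at a given factor, converts that into an estimated logins-per-second ceiling, and scales the factor to fit a per-login time budget. The HMAC-SHA256 PRF, the 32-byte salt, the single-core estimate and all function names are assumptions.

```python
import hashlib
import hmac
import os
import time

def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    # PBKDF2 with HMAC-SHA256 (assumed PRF), 32-byte derived key
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify_password(password: str, salt: bytes, iterations: int, expected: bytes) -> bool:
    # Constant-time comparison so the check does not leak how many bytes matched
    return hmac.compare_digest(hash_password(password, salt, iterations), expected)

def seconds_per_hash(iterations: int, samples: int = 5) -> float:
    # Best-of-N wall-clock time for one hash; the minimum filters scheduler noise
    salt = os.urandom(32)
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        hash_password("constructed-sample-password", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best

def logins_per_second(iterations: int, cores: int = 1) -> float:
    # Upper bound: assumes hashing is the only cost and scales across cores
    return cores / seconds_per_hash(iterations)

def iterations_for_budget(target_seconds: float, probe: int = 24_000) -> int:
    # PBKDF2 cost is linear in the iteration count, so scale a measured probe
    return max(1, int(probe * target_seconds / seconds_per_hash(probe)))

if __name__ == "__main__":
    # 24,000 is the factor quoted above; the multiples are constructed comparisons
    for factor in (24_000, 120_000, 240_000):
        cost = seconds_per_hash(factor)
        print(f"factor {factor:>7}: {cost * 1000:6.1f} ms/hash, "
              f"~{1 / cost:6.1f} logins/s per core")
    print("factor for a 50 ms budget:", iterations_for_budget(0.05))
```

Run it on the same class of machine that serves logins; numbers from a developer laptop will not match a shared cloud instance.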
It depends. If you’re on an Enterprise hosting plan, we can configure a certificate with your domain. So if your app is running at acme.com - we can add a certificate so that you can create a DNS CNAME record to our service using login.acme.com (for example).
If you have purchased a high availability hosting plan we can configure additional URLs for you - such as login.example.com - and then FusionAuth would be in the same domain as your own application, and you'd be able to verify the domain.
Well, since we're talking about behavior based on a fix that isn't written yet, things are a bit theoretical. 🙂
Here's one approach we'd consider. An expired key pair cannot be used to sign a JWT, so we would either have to generate a new key pair ahead of the expiration, or start failing login operations. The former is a better user experience, so a user will either have to regenerate the key, or we would do it based upon a configured policy.
Also, wanted to be clear that we are aware of this limitation, which is why we set the default expiration period to 10 years (so we have a bit of time to solve this in the best way possible).
Hope this helps. Let me know if you don't have the information you need.
You always get the same features whatever level you are at no matter where you host. That is to say, if you have a premium plan, you can host or we can, the features are the same. If you use the community edition, the features are the same no matter where you host.
We have discussed source code escrow options with clients in the past. We can also offer a source code release clause (in the event FusionAuth goes out of business). However, these are only options if you are on an Enterprise plan with a custom contract.
Hope that helps you make the right decision for your application(s).