Skip the third-party stuff and build your own email/password system with a custom backend. I did this on my last app and had way more control over user data and how auth worked. Use Alamofire for network calls and handle email verification server-side. Just send a verification link after someone registers, then validate the token when they click it. Hash passwords with salt, use secure tokens for sessions. Yeah, it’s more work upfront than Firebase or OAuth, but you won’t get locked into a vendor and can customize everything. Just follow OWASP password guidelines and add rate limiting so people can’t brute force your login.