
I'd argue that Auth itself isn't hard per se, but it involves hard things that you shouldn't roll your own, notably cryptography and session handling.

But those are things that people normally delegate to either libraries (crypto) or the framework itself (session handling).

Of course, there's lots of places one can screw up, such as sending non-expirable password reset tokens, revealing private information and membership status via 2FA/reset tokens. But those are the kinds of screw-ups that can happen in other parts of the website too.

That said, Devise is one of the few things that I don't completely dislike about Rails.



