IMHO working out how to handle identity as far as we can should be part of the MVP.
There are just so many things relying on it, adjusting it later will be a huge hassle.
Let me argue against doing our own identity handling - especially passwords - though:
It’s not that it’s impossible or even exceptionally difficult.
It’s just that it’s very easy to do something wrong.
Maybe right now we do have among us the know-how to do it right,
but can you guarantee their standards will be upheld after they left?
Because a lot of “common sense” things in programming don’t apply to crypto.
If somebody messes up the answering process in the future, meh, it’s a bug and we fix it.
If somebody messes up our own password handling, it might be our fault (ethically) that attackers manage to log into someone’s bank account (credential reuse is still rampant).
My suggestion would be to use something like IdentityServer.