How hard is it to implement email verification?
The worst login options are Google and Facebook, because they don’t allow creating separate accounts without identity verification by phone number or by connecting a phone with Google services. For now, other services still allow creating an account without linking your identity, but that won’t last long 😢
How are login with YouTube and login with Google two different things? It’s the same login.
What website is this?
How hard is it to implement email verification?
Securely? Very fucking difficult.
No it’s not.
securely
Sorry, yes it is. I’d really prefer it if software developers would take this more seriously. Managing user credentials is a high risk burden that you should avoid if possible.
There are open source solutions to handle this effectively, which can be used in most projects; I would change the advice you gave to “do not roll your own email verification, ever”.
I wouldn’t change my advice. Even if you go Argon2id, you still have a creds database to protect. If you let that go, it’s just a matter of time before it’s useful.
You could go WebAuthn, but now we are back to passkey or Windows Hello or whatever. Which is what I told OP: they invented passkey, and it’s still third-party reliance.
Source: I’ve been a software architect for 25 years.
If one cannot protect their database, then there are a lot of other issues going on besides how one authenticates.
Over the years, I’ve read about some security issues with different social logins, and a few of them have been serious. One never knows when the next vulnerability will be.
At the end of the day, everything has a vulnerability, and the best way to mitigate against that is best practices, and keeping up with news. That, and a bit of luck.
I have created my own login systems multiple times, and probably violated over a hundred best practices. I don’t know what the best login system looks like, but I have enough experience to find flaws with all of them now. And I am not confident in anything I use, even if I only use battle-tested systems made by large groups of people.
This is precisely why you should really consider leaning into OAuth. Your users don’t want another unique password to manage, so guess what: when your creds database gets leaked, it’s not just your site that’s getting screwed.
Look, with new AI tools, security is a very scary place to live. I wouldn’t blow this off. Let the companies that invest millions in it manage this piece for you.
If I don’t have the option to use email or continue as guest I refuse to use whatever the site or app is.
Is bugmenot still a thing?
Died years ago.
Rip
I’ve reached that point as well. Every new thing I sign up for I use an alias email, because I’m certain they’ll sell my shit at some point, and I’d like to be able to know who did it.
I can see how they got there from the implementation side. There’s a library they used for their site, maybe a CMS, where all those choices are just a click away. But for email they have to get their hands on an SMTP server. And that takes non-zero effort.
Exactly this
If I can’t log in with an independent email then I’m not logging in.
I had the same problem yesterday as I was investigating tailscale. And while I get it for that service, there’s no reason for some of the other services that ask me to link my other accounts to them as a means of logging in.
No. I will not consolidate my log-in profiles under companies that don’t see me as a person, don’t care about my privacy, and are working with hostile governments to track me.
Semi-Anonymous or nothing. Period.
I host my own headscale instead
I believe they have passkey as an option now
I hate that I can’t change the auth method. I’m stuck with GitHub, and for the life of me I can’t figure out how to change to anything else. The option is not there where help says it should be, and support doesn’t care. My only choice is to scrap everything and start a new network from scratch.
I feel conflicted. OAuth gets a lot correct in so far as most sites don’t have to deal with a lot of difficult auth bits, but also I don’t like having to rely on big (usually social media) companies to be the auth source.
I think about DNSSEC a lot.
It feels to me like there should be some form of public key infrastructure where there is a global root key (or short list of) then providers that can issue certificates out to other smaller organizations or individuals who could then use that source of trust to prove who they are. Imagine OAuth but you could just fill in your provider of choice (self hosted?) and if the certs checked out everything would verify correctly.
That being said, who does the bits around ensuring that you are who you say you are? I suppose a government body running such a system could work, though I sweat at the idea of going to the DMV to reset a forgotten password or report a stolen identity.
Idk, maybe if I think about this enough I can come up with a cryptographically secure system…
You just invented passkey with oauth.
In the EU, plenty of national ID systems exist. A world where a unified standard exists for these systems and I can just use the “EU login” standard instead of having to rely on a specific (usually American) vendor to manage my auth would be great.
Just as long as it can be run in capitalism!
That’s like every freaking store offering me a “points” plan. All this shit is getting out of hand already.
VK? The Russian porn site?
#feudalism
No login with GitHub or X? Tsk tsk
People need to stop using xitter
I haven’t “used it” in years. I just keep the account alive because of OAuth and other factors.
Right? It’s demented!
Cos fuck you, that’s why.
Not 100% related, but I think login should be less user-friendly.
“Here, take this 512-byte hash and store it, and it’s you, and if you lose it or have it stolen I couldn’t care less.”
Email verification is hard to do right (as said in the top reply); OAuth is annoying to get set up but more secure, and all big providers have fancy recovery and login methods.
No OAuth? Get the hash or go away.
I very much agree. I’ve always loved how Mullvad VPN and SMSPool have handled logins in this kind of fashion. It’s just much more convenient than e-mail + password.
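Two schemes in this thread come down to the same primitive: the "email verification is hard to do securely" exchange higher up (a mailed link that must be unguessable, short-lived, single-use and rate-limited) and the "take this hash and it's you" scheme just above (a long-lived random secret that is the whole account). The block below is an added example written for this page, not code from any commenter, from Mullvad, SMSPool or any other project named here. It assumes an in-memory dict standing in for a database table, a 15-minute link lifetime, a budget of 10 failed attempts, and plain SHA-256 for the stored digests, which is appropriate only because the secrets are 256 bits of CSPRNG output rather than human-chosen passwords (those would need Argon2id, as the thread says).

```python
"""Opaque-secret handling for (1) email verification links and (2) secret-is-the-account logins.
Added example for this thread; names, constants and the in-memory store are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_BYTES = 32       # 256 random bits: not guessable online, nor by offline search of the digests
VERIFY_TTL = 15 * 60   # assumption: a verification link dies after 15 minutes
MAX_ATTEMPTS = 10      # assumption: per-address budget of failed verification attempts


def digest(secret: str) -> bytes:
    # Only the digest is persisted, so a leaked table cannot be replayed as-is.
    # Plain SHA-256 is adequate because the input is CSPRNG output, not a password.
    return hashlib.sha256(secret.encode()).digest()


@dataclass
class PendingVerification:
    token_hash: bytes
    expires_at: float
    attempts: int = 0
    used: bool = False


class VerificationStore:
    """Email-verification tokens keyed by address (dict stands in for a DB table)."""

    def __init__(self, now=time.time):
        self._now = now                                    # injectable clock for tests
        self._pending: dict[str, PendingVerification] = {}

    def issue(self, email: str) -> str:
        token = secrets.token_urlsafe(TOKEN_BYTES)
        # Re-issuing replaces the old record, so an earlier link stops working.
        self._pending[email] = PendingVerification(digest(token), self._now() + VERIFY_TTL)
        return token  # goes into the mailed link; never logged or stored in the clear

    def verify(self, email: str, token: str) -> bool:
        rec = self._pending.get(email)
        if rec is None:
            return False  # same answer as a bad token: no account enumeration
        rec.attempts += 1
        if rec.used or rec.attempts > MAX_ATTEMPTS or self._now() > rec.expires_at:
            return False
        if not hmac.compare_digest(rec.token_hash, digest(token)):
            return False  # constant-time compare; a wrong token still spends the budget
        rec.used = True   # single use: a link replayed from a mailbox backup fails
        return True


class AccountKeyStore:
    """'Get the hash or go away' login: the account is an opaque random secret."""

    def __init__(self):
        self._accounts: dict[bytes, float] = {}  # digest(secret) -> creation time

    def create(self) -> str:
        secret = secrets.token_urlsafe(TOKEN_BYTES)
        self._accounts[digest(secret)] = time.time()
        return secret  # shown to the user once; by design there is no recovery path

    def login(self, secret: str) -> bool:
        # Exact-match lookup on the digest is fine here: with 256 random bits there is
        # no partial-match timing signal worth extracting, unlike a password table.
        return digest(secret) in self._accounts
```

The verification store is the part that is easy to get wrong in practice: a token built from a timestamp or an auto-increment id, stored in the clear, never expiring and valid for repeated use turns every database read, log line or forwarded email into an account takeover. The account-key store shows why the "hash or go away" scheme is attractive from the operator's side: the only thing on disk is a digest of a random value, and there is no reset flow to attack.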