Well, actually it's not my first day. I got some on my hands so I wanted to push a personal project of mine during that time.
I was imagining myself like a super productive rockstar-ninja-guru-dev but I somehow ended up not progressing as expected. I guess it's because I live in that country:
I'd like to visit this mysterious elusive Island of "Get it done" more frequently, but it's tough traveling there. This is also a reason why I'm starting this #100DaysOfCode, to give myself some regular commitment.
My plan is to write something here every day to maintain some continuity. I also want to show tangible results and daily progress, to force me progressing forward and keeping focused on the task.
So, what is this about? It's about passwordless authentication. A smoother, nicer way to authenticate users using biometrics. It's both more secure and more comfortable. If you want to take a look, check out https://passwordless.id or https://webauthn.io for demos of the emerging webauthn protocol.
I truly believe that offering this as a public service would be a good thing for the world. No more passwords to remember, improved security, no more useless re-registration on every website you want to use. The current thing holding it back in the moment is IMHO the complexity of the protocol itself and that the transition to device based authentication (one user -> multiple device auth keys) requires some time to understand and adapt.
I currently have pieces of UI and pieces of Backend but it's all in a fairly early state. It still needs quite some work.
One thing that is also holding me back is a fundamental decision: to use usernames or e-mails as identifier?
Now, this sounds quite trivial, right? It's just one string or another, right? Actually, this decision has quite a deep impact. They lead to different flows, different capabilities, different server validations and different user perception.
The "e-mail" as identifier is standard. That's also because in traditional systems, you need an e-mail (for the forgot password flow!). But in the passwordless flow, the device itself stores the secret and recovery scenarios might be different: having an additional device "registered" for example.
There is also a fallacy regarding e-mail recovery: it's actually less secure. There is no way to hack the account directly without possessing the authorized device itself. However, if the e-mail is hacked, the account can be hacked too using recovery procedure.
Why am I considering usernames? Well, primarily because users might be more inclined to register using a username rather than an e-mail. That's it. There is nothing more to it. A username is kind of more anonymous, more private, without the risk of getting spam. So perhaps it would be nice to let adding e-mail to the account as optional.
The flow is also different:
- Username based: click create account, press thumb, done
- E-Mail based: click create account, read "mail sent", go to emails, open the link, press thumb, done
The E-Mail based one is slightly more indirect while the username based one should offer a warning "No recovery options are currently enabled. Please add another device, phone number or e-mail in the worst case...".
There are also a few more indirect consequences. For example, using usernames leads to having three fields (username, e-mail, nickname) instead of two. Also, if this somehow turns out to have features like "import all contacts from your organization", e-mails might be more practical than usernames. On the other hand, you might use a single username for multiple e-mails, for example having a private and a workplace one in the same username account. This would automatically share authorized devices ...but this sharing of same devices might be undesirable as well.
One more option would be a kind of hybrid accepting both. But I'm not fan of the added complexity. It makes the whole less intuitive too IMHO.
I'm still quite unsure which one to prefer honestly. Even after writing this the decision is tricky. So let's summarize it.
- Comfort / speed => username
- Privacy / reluctance => username
- Safety / recovery => e-mail
- Secure recovery => other device / SMS
- Interfacing with other systems => e-mail
Tough decision... On one hand, the e-mail is attractive to avoid an extra field, a basic recovery option out of the box, for notifications and external systems. On the other hand, the username based flow is really smooth, with more choices for recovery options, although adding an e-mail really is recommended.
Interestingly, I already asked myself this question long ago but is still remain a difficult choice. I keep swaying from one to the other.