DEV Community

loading...

Discussion on: why social logins are a bad idea - dev.to please keep your native login enabled

Collapse
derek profile image
derek

💯! This is a great point of view!

However, it’s increasingly more difficult in cost, complexity, and legally to roll your own Authentication/Authorization especially with all the new privacy laws; GDPR, CCPA, etc.

What is your opinion on sound alternatives to both oAuth and email/pass?

Collapse
c33s profile image
Julian Author

it’s increasingly more difficult in cost, complexity, and legally to roll your own Authentication/Authorization

is it really that expensive? i don't know which programming language/framework your are using, i use symfony and it ships a mature security component with the ability to auto-migrate passwords to the most current standard on access. so it's a drop in solution. so the cost is not that big. i am event not that sure that a social login is cheaper to implement. they change api and you have to invest time/money to catch up, often with no time to plan.

especially with all the new privacy laws; GDPR, CCPA, etc.

same start as for the other part, is it really that difficult? simply do not track, add a firewall to your server, do not misuse the user data (email), hash/crypt the password, do not send plain text passwords via email, describe in your dataprotection legal text for what the email is (login) and you are done. good dataprotection texts are often only a few sentences long and can be understand by a child. so no big legal costs here.

dev.to already stores the email address from github in their database, just tried it, i revoked the permission on github side and the email is still on
dev.to haven't found a way to disconnect my github account. so the only thing which additionally has to be stored is the hashed/crypted password.

from gdpr perspective it's more a problem that i can't remove my github data (email) from dev.to than to store a hashed password on a server which is firewalled. a login also can be with username and password so no personal data at all (of course with the cost of not being able to reset a forgot password).
i am no security expert from mathematical point of view but this is, most of the time, not required. very big breaches are because people use cloud services, which are build from startups, where security is not even a basic citizen. aws instances and buckets are "clicked up" by a gui and they simply have no firewall. companies use passwords for their master account like "companyname2020!".

What is your opinion on sound alternatives to both oAuth and email/pass?

in my opinion email/password is unbeatable (together with a 2FA with TOTP (not sms)). today people can "easily" create "deep fakes". on mobile phones face locks can be opened by photos or sibilings, fingerprint scanner also don't work well. a good password like yvwJhmpO-vb3MD@y7%qaJuETx6t7pX is the most secure way to secure an account. i even think that a handwritten signature is very unsafe, it can be photoshoped on documents where a digital signature is quite safe.

the only problem are users choosing weak passwords which they reuse :)

Collapse
derek profile image
derek • Edited

My question was in the specific context of implementation in a product.

I think gone are the days where we can quickly roll out a simple auth strategy as such. Which is the reason why Auth0, okta, firebase, and the oAuth2 protocol in general are so popular.

I think 2020 and beyond a “successful” auth strategy and implementation would be accompanied with a security accreditation from a third party audit.

Also on the many projects I work on, we constantly have an open feedback loop with legal teams to make sure we’re in compliance of newly emerging privacy laws.

Thread Thread
c33s profile image
Julian Author

sorry i am not a native english speaker, maybe you can rephrase your question?

why can't you quickly roll out an auth strategy? is saving a user and its password hash not legal anymore?

Thread Thread
sinni800 profile image
sinni800

I find people are unnecessarily afraid of saving a damn email (or user name) and password and glorify complexity like social logins give you... Not sure why that all is, but you can't really fight those windmills

Forem Open with the Forem app