Federated Authentication - For or Against?

So I lost access to my Twitter account. Not really sure why, but they flagged it as spam and they’re demanding a phone number to reinstate my account. Whatever, no thanks.

It got me thinking, if I had used my Twitter account to authenticate with every OAuth-compatible site, I’d be screwed! I’ve always considered a strength of the internet to be the de-centralized structure of it. But here we have people tying multiple disparate sites and services to a single account.

Do y’all use federated auth or no?

Federated Authentication?
  • Yes it makes life way easier!
  • No way, too many eggs in one basket!

0 voters

I am using a Gmail account to authenticate into Advent of Code, and with edX. These are both services I feel I could afford to lose. I would never use a federated account with something I considered valuable. I have gone without accounts/services when the only option was something federated.

1 Like

I have used my Google account to authenticate Feedly, because it took over when Google canned their own RSS reader. But other than that, I always use a discrete account, where I can. I think there are a couple of other services that give no other option, but, in general, I wouldn’t use a federated account if there wasn’t another option.

1 Like

Imagine using one account for everything and suddenly having your password breached?!? I use the Gmail tricks for multiple email address versions (I’ve mentioned these elsewhere, but when matching accounts for delivery, periods are ignored and anything after a plus sign is truncated with the plus sign.) This way I can have one email address to log into, but give unique email addresses to different services so that if my userID is my email, I have a unique email on each different site.

2 Likes
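The Gmail delivery rules described in the post above (periods ignored, everything from the plus sign on dropped), as an added example that is not part of the thread. It shows the caveat that goes with the trick: each site gets a unique login ID, but every alias still reduces to one mailbox, so the accounts can be linked by anyone who applies the same rules. The site names and addresses are constructed, and treating only `gmail.com` this way is an assumption.

```python
from collections import defaultdict

# Assumption: only addresses at this domain follow the dot/plus rules.
GMAIL_DOMAINS = {"gmail.com"}


def canonical_mailbox(address: str) -> str:
    """Return the mailbox an address is delivered to under the rules
    from the post: dots are ignored and a '+tag' suffix is dropped."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain not in GMAIL_DOMAINS:
        # Other providers may treat dots and plus signs as significant.
        return f"{local}@{domain}"
    local = local.lower().split("+", 1)[0].replace(".", "")
    if not local:
        raise ValueError(f"empty mailbox name in {address!r}")
    return f"{local}@{domain}"


def group_by_mailbox(records):
    """Map each canonical mailbox to the sorted list of sites using it.

    records: iterable of (site, login_email) pairs.
    """
    groups = defaultdict(list)
    for site, email in records:
        groups[canonical_mailbox(email)].append(site)
    return {mailbox: sorted(sites) for mailbox, sites in groups.items()}


# Constructed sample data: one person, a different alias per site.
SAMPLE = [
    ("shop.example", "jane.doe+shop@gmail.com"),
    ("forum.example", "janedoe+forum@gmail.com"),
    ("news.example", "J.A.N.E.doe@gmail.com"),
    ("bank.example", "jane.doe@example.org"),
    ("wiki.example", "jane.doe+wiki@example.org"),
]

if __name__ == "__main__":
    for mailbox, sites in group_by_mailbox(SAMPLE).items():
        print(f"{mailbox}: {', '.join(sites)}")
```

The three Gmail aliases land in a single group, while the two `example.org` addresses stay separate because no rewriting is assumed for that domain.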

What I absolutely hate is when a site is arrogant and will not offer email registration and I do not wish to use their choice of providers, which are usually Google, Facebook, and Twitter. Sometimes GitHub is an option when it’s a tech site. When I complain, they justify it as “we do not want to manage usernames and passwords.” Do Google, Facebook, or Twitter give a kickback to sites?

Another related issue with authentication is phone apps that have a web interface but only allow registration via phone.

In both cases I suggest SQRL, but these site owners are IMHO just lazy; they won’t change :slight_smile: .

3 Likes

Totally agree! I signed up for a short-form video platform called Byte back when it was just getting off the ground, and they were in the same situation. Their devs were active on a Discourse forum for user feedback so I made the case that only offering federated auth is a problem. I got a whole bunch of replies from other users saying they were totally against Byte managing an internal auth system. I was blown away. I mentioned SQRL and had a lengthy argument with one user who was vehemently against it because of the design of grc.com.

I feel more and more like Abe Simpson shaking his fist at the clouds :pensive:

2 Likes

Well if you have moron devs, federated authentication probably IS better than rolling something custom :wink: The simple answer is to not have moron devs, but I don’t run a startup. Also, I developed the authentication solution for an embedded system as a past career, and so far as I know, it’s still securing something like a million users or more with no reported breaches or bypasses in 20+ years.

3 Likes

Oh, these were replies from other users. I don’t recall ever getting a dev response, but I also abandoned the thread after a day or so of fighting the good fight.

Wow, I guess a simple design that works and loads fast is beyond some people - how sad for them.

2 Likes