So I lost access to my Twitter account. Not really sure why, but they flagged it as spam and they’re demanding a phone number to reinstate my account. Whatever, no thanks.
It got me thinking, if I had used my Twitter account to authenticate with every OAuth-compatible site, I’d be screwed! I’ve always considered a strength of the internet to be the decentralized structure of it. But here we have people tying multiple disparate sites and services to a single account.
I am using a Gmail account to authenticate into Advent of Code, and with edX. These are both services I feel I could afford to lose. I would never use a federated account with something I considered valuable. I have gone without accounts/services when the only option was something federated.
I have used my Google account to authenticate to Feedly, because it took over when Google canned their own RSS reader. But other than that, I always use a discrete account where I can. I think there are a couple of other services that give no other option, but, in general, I wouldn’t use a federated account if there wasn’t another option.
Imagine using one account for everything and suddenly having your password breached?!? I use the Gmail tricks for multiple email address versions (I’ve mentioned these elsewhere, but when matching accounts for delivery, periods are ignored and anything after a plus sign is truncated with the plus sign.) This way I can have one email address to log into, but give unique email addresses to different services so that if my userID is my email, I have a unique email on each different site.
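A small worked example of the address-matching rule the comment above describes, added here and not part of the thread. It canonicalises addresses the way Gmail routes them (dots in the local part ignored, anything from the first `+` onward dropped, case ignored), generates a per-site `+tag` alias, and shows why a sign-up system should compare canonical forms: without that step, one person can register many "distinct" accounts from a single inbox. The domain set `GMAIL_DOMAINS`, the function names, and the sample addresses are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Assumption for this example: domains that Google routes to the same inbox.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return the form Gmail actually delivers to.

    For Gmail-hosted addresses the local part is lowercased, dots are removed
    and any '+tag' suffix is cut off; googlemail.com is folded into gmail.com.
    Other domains are left alone apart from lowercasing the domain, because
    the dot/plus rules are Gmail behaviour, not a general mail standard.
    """
    addr = address.strip()
    if addr.count("@") != 1:
        raise ValueError(f"not a simple mailbox address: {address!r}")
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def tagged_alias(base: str, site: str) -> str:
    """Build the unique per-site login address the comment describes.

    'jdoe@gmail.com' + 'Advent of Code' -> 'jdoe+adventofcode@gmail.com'.
    The tag is reduced to [a-z0-9] so it cannot smuggle in a second '+' or '@'.
    """
    local, domain = canonical_email(base).rsplit("@", 1)
    tag = re.sub(r"[^a-z0-9]", "", site.lower())
    if not tag:
        raise ValueError("site name produced an empty tag")
    return f"{local}+{tag}@{domain}"


def find_duplicate_signups(addresses: list[str]) -> dict[str, list[str]]:
    """Group registrations that reach the same inbox.

    A registration service that deduplicates on the raw string would treat
    every entry below as a separate user; grouping on the canonical form
    exposes the collisions. Only groups with more than one member are returned.
    """
    groups: dict[str, list[str]] = defaultdict(list)
    for raw in addresses:
        groups[canonical_email(raw)].append(raw)
    return {canon: raws for canon, raws in groups.items() if len(raws) > 1}


# Constructed sample input: three strings, two of which are the same inbox.
SAMPLE_SIGNUPS = [
    "jdoe@gmail.com",
    "J.Doe+feedly@GoogleMail.com",
    "alice@example.org",
]

if __name__ == "__main__":
    print(tagged_alias("jdoe@gmail.com", "Advent of Code"))
    for canon, raws in find_duplicate_signups(SAMPLE_SIGNUPS).items():
        print(f"{canon}: {raws}")
```

The same canonical form is what a site should use when rate-limiting sign-ups or checking "is this email already registered"; the raw address is what it should store and send to, so the user's chosen alias keeps working.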
What I absolutely hate is when a site is arrogant and will not offer email registration, and I do not wish to use their choice of providers, which are usually Google, Facebook, and Twitter. Sometimes GitHub is an option when it’s a tech site. When you complain, they justify it with “we do not want to manage usernames and passwords.” Do Google, Facebook, or Twitter give a kickback to sites?
Another related issue with authentication is phone apps that have a web interface but only allow registration via the phone.
In both cases I suggest SQRL, but these site owners are IMHO just lazy and won’t change.
Totally agree! I signed up for a short-form video platform called Byte back when it was just getting off the ground, and they were in the same situation. Their devs were active on a Discourse forum for user feedback so I made the case that only offering federated auth is a problem. I got a whole bunch of replies from other users saying they were totally against Byte managing an internal auth system. I was blown away. I mentioned SQRL and had a lengthy argument with one user who was vehemently against it because of the design of grc.com.
I feel more and more like Abe Simpson shaking his fist at the clouds.
Well, if you have moron devs, federated authentication probably IS better than rolling something custom. The simple answer is to not have moron devs, but I don’t run a startup. Also, I developed the authentication solution for an embedded system in a past career, and so far as I know, it’s still securing something like a million users or more with no reported breaches or bypasses in 20+ years.
Oh, these were replies from other users. I don’t recall ever getting a dev response, but I also abandoned the thread after a day or so of fighting the good fight.