Authentication is webdev 101. If you can't roll your own you're in the wrong industry.
I really can't think of any good reason to hand crucial control of a site over to any third party, much less user authentication where one breach will potentially cost you millions and land you in jail.
The whole business model seems to revolve around being a crutch for people not capable of or competent at running their own services.
Building a form and hashing a password is webdev 101, but go look at the feature set offered by Auth0 or other CIAM platforms. Passwordless auth, MFA, compliance management, customer profiling, workflows, threat detection, analytics. And then think about how much they charge for doing this all for you out of the box versus hiring a dev team and running them forever to support it.
Well, if you look at how many sites break auth, or something in the login flow... This is clearly not the case for most companies. Auth is definitely simpler than most problems, but plenty of teams get it wrong.
> I really can't think of any good reason to hand crucial control of a site over to any third party, much less user authentication where one breach will potentially cost you millions and land you in jail.
Because Auth0 and other providers have security experts specializing in preventing hacking attempts, and there is no way you can do a better job than them unless you make it your full-time job.
“Not have any security issues whatsoever” is literally impossible. Passwordless auth is the security equivalent of putting all your eggs in one basket. If someone hacks a user's email account, now they have access to your service too. Now I’m pissed that you didn’t let me enable 2fa to prevent that or have multiple secure passwords to isolate the hack to my email. You could have just shelled out the 10 cents it would have cost to have my account in auth0 and prevented all of this with 2fa and fraud detection.
You’ve gone off on a personal tangent about how I as a user can increase my security. The topic of discussion was that you claimed passwordless security had no security issues and I pointed out possible security issues. An individual can mitigate them, but they still exist.
> But you claimed that the email can be hacked, I used an email forwarding service provided by google or apple.
I'm not arguing that an intelligent user can't get rid of security issues. I'm saying a product that uses passwordless login still has security issues. Not every user is going to do that and they're gonna blame you when they get hacked.
> Again, I would be more convinced of real world evidence and statistics rather than theorising.
You first. You made the initial claim that passwordless login has no security issues. Systems should be assumed insecure unless proven otherwise.
> I'm not arguing that an intelligent user can't get rid of security issues. I'm saying a product that uses passwordless login still has security issues.
Like what? You keep saying "still has security issues", but you don't give any real world examples. Just saying "still has security issues" is not a good argument.
> You first.
Lots of companies use this method in the real world, Slack, Medium, Freetrade, Substack, Monzo (a bank) and many more.
If a bank and a stock trading app are comfortable using this method, I am sure they are comfortable with the security of this method.
In addition, I already have given examples in this thread which you willingly choose to ignore.
Your turn, start with this:
> Forwarding email increases risk of being hacked. They only have to get one of the emails to get into my account.
Sure, because “do passwordless emails” is just a snap of the finger away, right?
The point is that doing auth properly is hard. Sending an email might be easy, but creating and managing the session in a secure fashion is hard, even if you’re “just doing passwordless email auth”.
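To make concrete what "managing the session in a secure fashion" involves even for plain email magic links, here is an added example (not code from anyone in this thread) of the server-side half of such a flow: tokens are stored only as hashes, expire, are single-use, and are exchanged for a freshly generated session id. The in-memory dicts stand in for a database and are an assumption of the example.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for a database (assumption).
TOKENS = {}    # sha256(token) -> {"email": str, "expires": float}
SESSIONS = {}  # session_id -> {"email": str, "created": float}

TOKEN_TTL = 15 * 60  # magic links stop working after 15 minutes


def _digest(raw):
    return hashlib.sha256(raw.encode()).hexdigest()


def issue_magic_link(email, now=None):
    """Create a single-use login token and return the raw value to email out.
    Only its hash is stored, so a leaked token table cannot be replayed."""
    now = time.time() if now is None else now
    raw = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable
    TOKENS[_digest(raw)] = {"email": email, "expires": now + TOKEN_TTL}
    return raw


def redeem_magic_link(raw, now=None):
    """Exchange a token for a session id, or return None on failure.
    The token is removed on first use, whether it succeeds or has expired."""
    now = time.time() if now is None else now
    record = TOKENS.pop(_digest(raw), None)  # single use: gone after this call
    if record is None or record["expires"] < now:
        return None
    # The session id is minted here, never derived from the link itself,
    # so nothing in the email can be used to fix or predict the session.
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"email": record["email"], "created": now}
    return session_id


def current_user(session_id):
    """Resolve a session id (e.g. from a cookie) to an email, or None."""
    session = SESSIONS.get(session_id)
    return session["email"] if session else None


def logout(session_id):
    """Invalidate the session server-side, not just by clearing the cookie."""
    SESSIONS.pop(session_id, None)
```

What is still missing for a real deployment (rate limiting per address, HttpOnly/Secure cookie flags, session idle timeouts, audit logging) is exactly the part that takes longer than "sending an email".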
This whole comment thread is about not outsourcing your user management stack to a third party, and your intended suggestion is... a different third party?
I don't think I understand exactly what your argument is.
Ok it’s not just me then. I felt like I was taking crazy pills when reading the replies, and the ones to the sibling comment thread where they pivoted to talking about personal security with magic links when this entire conversation has been about companies implementing user management solutions.
This is a very reductionist assessment of the thread and glosses over one important detail I said here:
> The choice is yours to reimplement this authentication system, but in terms of "a snap of the finger away", you can do that. That is all.
It doesn't matter if it's a 3rd party; it is still an option that exists "a snap of the finger away", which was my response to that comment. This type of system can be done in an hour, 3rd party or library.
But if you want to speed things up, then there's your solution.
That was the point, but go ahead and try and reduce and spin this to your own interpretation.