
Can we stop the requirement to use Gmail or Github just so I can use your service?

I want to sign up for this service, but I can’t - because I use a non-Gmail email service and use a non-GitHub Git service.

What happened to the “good old days” of just using my email address to sign up for a service?



We want to have a classic sign-up option as well, sure — if only because it's one less third-party point of vulnerability for users (will be relevant when encrypted pages are there).

Unfortunately it's harder than Google/GitHub login, so we focused on other bits for the MVP.

Is there any third-party service you /would/ use for auth? Perhaps it can be enabled quickly.


No.

I purposely don’t tie my account credentials to a 3rd party.

(Which always seemed crazy to me that people would do. Especially business accounts)

EDIT: why am I getting downvotes for this comment? I’d rather you reply to this comment to create a healthy dialogue on this topic if you have an opinion - rather than just some random downvote without reason.


Seems to me you're being needlessly pedantic here. If you truly don't have a Google or a GitHub account, why not make a throwaway one for the purpose of signing in to things? No personal details are required to do so, and it'll take about 3 minutes of your time - pretty much exactly as long as it would take to sign up to this service using your email address, in fact.


Let’s say I do your suggestion over and over again ... well now this “throwaway” account just became my primary account credential.

Now what happens if Gmail or GitHub shuts down my account? Now I’m locked out of all of these services I used to sign up for. Some of these services might be business critical.

That’s why I don’t like allowing a 3rd party to own my account credentials.


Why would these companies shut down an account that you only use for credentials?


Your account might be linked to another account that did something malicious.

I'm not 100% sure but I've heard enough Google horror stories that I am migrating to Apple sign-in for everything. (Yeah, assuming that Apple won't start doing the same.)


Why would an account that you only use to sign in to things be linked to another account that did something malicious?

And what about GitHub? Have you heard of them closing accounts?


An email/password login is not difficult in the least.

And, frankly, there is zero chance I'm going to host a site with a provider who thinks it is.


Eh. It's not "hard", it's "harder".

Evaluating mail delivery services and integrating with one; going through all API handlers to check that they handle the extra "signed up but email still unconfirmed" status the right way; handlers for resending email confirmations; the password reset flow. A lot of papercuts.

Oh, and later on — having to debug email delivery issues, which always happen eventually.

This is why adding another third-party auth option is much easier than adding an email signup flow.

An alternative is the "modern" email flow where you just get a sign-in email every single time you want to log in, but that's meh. I'd rather have a proper "classic" email signup flow.

All this said, I admit that email signup is one of the basic features, and we're missing it. I want to have email signup too. I just don't think it's as easy (or even /almost/ as easy) as third-party auth, and the rest is a question of priorities.


Not that difficult, except that you need:

* sign up / sign in routes.

* reset password flow

* multifactor enrollment and validation

* email verification and email templates

* rate limits to prevent brute force attacks

There is a reason entire companies exist to solve this. Properly implementing your own login creates a lot of wasted development time, especially when OAUTH2 is an industry standard.
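Added example, not part of the thread or of any commenter's code: a minimal Python sketch of three pieces named in the comments above, namely the "signed up but email still unconfirmed" state, an expiring confirmation token, and a brute-force limit on sign-in. The in-memory `users`/`fails` stores, the function names and the limits are assumptions made for illustration; mail delivery, password reset and multifactor are left out.

```python
import hashlib, hmac, secrets, time

SECRET = secrets.token_bytes(32)   # server-side signing key (constructed per run)
TOKEN_TTL = 3600                   # confirmation link lifetime, seconds
MAX_FAILS, WINDOW = 5, 300         # failed sign-ins allowed per account per window

users = {}   # email -> {"salt", "pw", "confirmed"} (stand-in for a database)
fails = {}   # email -> timestamps of recent failed sign-ins

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _sign(email, expires):
    msg = f"{email}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def sign_up(email, password, now=None):
    """Create an unconfirmed account; return the token to e-mail out."""
    now = time.time() if now is None else now
    salt = secrets.token_bytes(16)
    users[email] = {"salt": salt, "pw": _hash(password, salt), "confirmed": False}
    expires = int(now) + TOKEN_TTL
    return f"{expires}.{_sign(email, expires)}"

def confirm(email, token, now=None):
    """Mark the account confirmed if the token is authentic and unexpired."""
    now = time.time() if now is None else now
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False               # malformed token
    good = hmac.compare_digest(mac.encode(), _sign(email, expires).encode())
    if email not in users or expires < now or not good:
        return False
    users[email]["confirmed"] = True
    return True

def sign_in(email, password, now=None):
    """Return 'ok', 'unconfirmed', 'locked' or 'denied'."""
    now = time.time() if now is None else now
    recent = [t for t in fails.get(email, []) if now - t < WINDOW]
    if len(recent) >= MAX_FAILS:
        return "locked"            # checked before any password work is done
    user = users.get(email)
    # Same answer for an unknown e-mail and a wrong password.
    if user is None or not hmac.compare_digest(user["pw"], _hash(password, user["salt"])):
        fails[email] = recent + [now]
        return "denied"
    return "ok" if user["confirmed"] else "unconfirmed"
```

Every handler that acts on behalf of a user has to treat `"unconfirmed"` as distinct from `"ok"`, which is the extra status check the thread refers to.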


Completely agree. I closed the tab as soon as I saw those were the only 2 signup options.



