DEV Community

Julian
Julian

Posted on

why social logins are a bad idea - dev.to please keep your native login enabled

today i wanted to log into dev.to and to a little story about emco ping monitor and i wasn't able to login with my email.
sadly this again happened to me.

i asked for the feature to login by gitlab and email in july 2018. near end of october of this year i noticed that it was possible to login by email. :hoooooraaaay: i immediately added it to my account and disconnected github.

my next step would have been to contact dev.to to remove my still stored github email address but luckily it was no priority for me.

at 4th of november i wanted to login to dev.to but the email login form was simply gone. my github account email was still in the database of dev.to so i was able to reconnect the gitlab account and was able to login.

andy zhao wrote in the ticket that it was by accident and that the login is back online. this time i kept my github account connected.

as i wrote above today i wanted to log into dev.to to write a some notes. email login -> gone.

why?!

it is crazy, the login by email part should always be first citizen on all sites. with a native password reset function and so on.

social login is nice to have but it is dangerous. it centralizes the net and your are dependent on a multi million dollar company (and their "AI" algorithms) to be "ok" with you. if they are suddenly not ok with you, because of what you say or what you wrote, your race, your age, your health, your sexual orientation, your religion, whatever, they simply lock you out.
without telling you the exact reason and most of the time without any way to recover your account if you don't get support from the masses or some person with influence. i you don't have one of those you are doomed.

"reallife" (haven't verified them by myself) examples why it is simply a bad idea:


My Facebook account was just banned due to "Community Standards". I created the account just for my Oculus Quest 2 and don't post anything on it

mud_juggler

Awesome, so for the Oculus 2 all you have to do is have a functioning Facebook account and when you need any tech support, a Twitter account to complain publicly and finally get things fixed. 2020 technology....

phishstik

Roughley lost data including emails, photos, documents and diagrams that he had developed for his work. "My account and all its data is gone," he said.

quote from the article written by Chris Stokel-Walker from businessinsider.com


so gurjeet singh sums it up quite perfect in is article

"Never Use Google to Sign-In"

this is a quote which i can simply sign. i myself have a problem with such a big company which simply denys me a service which they advertised to my without giving me a reason but thats another story.

please dev.to team keep your email login enabled and don't disable it again. treat it as first citizen and help to decentralize the web.

cover image would have been by Enrico Hänel if dev.to wouldn't require me to switch to another browser to use the upload button. sigh the web is breaking apart. the internet explorer only from the 90ies is now a chrom (OS) only (why the hell my browser needs access to so many os functions and keeps loosing such simple functions as a regular upload form). looks like there is another story...

Top comments (6)

Collapse
 
derek profile image
derek

💯! This is a great point of view!

However, it’s increasingly more difficult in cost, complexity, and legally to roll your own Authentication/Authorization especially with all the new privacy laws; GDPR, CCPA, etc.

What is your opinion on sound alternatives to both oAuth and email/pass?

Collapse
 
c33s profile image
Julian

it’s increasingly more difficult in cost, complexity, and legally to roll your own Authentication/Authorization

is it really that expensive? i don't know which programming language/framework your are using, i use symfony and it ships a mature security component with the ability to auto-migrate passwords to the most current standard on access. so it's a drop in solution. so the cost is not that big. i am event not that sure that a social login is cheaper to implement. they change api and you have to invest time/money to catch up, often with no time to plan.

especially with all the new privacy laws; GDPR, CCPA, etc.

same start as for the other part, is it really that difficult? simply do not track, add a firewall to your server, do not misuse the user data (email), hash/crypt the password, do not send plain text passwords via email, describe in your dataprotection legal text for what the email is (login) and you are done. good dataprotection texts are often only a few sentences long and can be understand by a child. so no big legal costs here.

dev.to already stores the email address from github in their database, just tried it, i revoked the permission on github side and the email is still on
dev.to haven't found a way to disconnect my github account. so the only thing which additionally has to be stored is the hashed/crypted password.

from gdpr perspective it's more a problem that i can't remove my github data (email) from dev.to than to store a hashed password on a server which is firewalled. a login also can be with username and password so no personal data at all (of course with the cost of not being able to reset a forgot password).
i am no security expert from mathematical point of view but this is, most of the time, not required. very big breaches are because people use cloud services, which are build from startups, where security is not even a basic citizen. aws instances and buckets are "clicked up" by a gui and they simply have no firewall. companies use passwords for their master account like "companyname2020!".

What is your opinion on sound alternatives to both oAuth and email/pass?

in my opinion email/password is unbeatable (together with a 2FA with TOTP (not sms)). today people can "easily" create "deep fakes". on mobile phones face locks can be opened by photos or sibilings, fingerprint scanner also don't work well. a good password like yvwJhmpO-vb3MD@y7%qaJuETx6t7pX is the most secure way to secure an account. i even think that a handwritten signature is very unsafe, it can be photoshoped on documents where a digital signature is quite safe.

the only problem are users choosing weak passwords which they reuse :)

Collapse
 
derek profile image
derek • Edited

My question was in the specific context of implementation in a product.

I think gone are the days where we can quickly roll out a simple auth strategy as such. Which is the reason why Auth0, okta, firebase, and the oAuth2 protocol in general are so popular.

I think 2020 and beyond a “successful” auth strategy and implementation would be accompanied with a security accreditation from a third party audit.

Also on the many projects I work on, we constantly have an open feedback loop with legal teams to make sure we’re in compliance of newly emerging privacy laws.

Thread Thread
 
c33s profile image
Julian

sorry i am not a native english speaker, maybe you can rephrase your question?

why can't you quickly roll out an auth strategy? is saving a user and its password hash not legal anymore?

Thread Thread
 
sinni800 profile image
sinni800

I find people are unnecessarily afraid of saving a damn email (or user name) and password and glorify complexity like social logins give you... Not sure why that all is, but you can't really fight those windmills

Collapse
 
javaarchive profile image
Raymond

There's also an alternative, called magic link login which is used by website like workyflowy and glitch.com
Basically you enter your email first, it sends you a link to log on, sort of like the 2FA except you don't need a password to get the email sent.