Yes, I prefer an Email/password, too, so to depend less on third-parties, and keep it more transparent.
Yet, OAuth/OpenID is significantly easier legally and financially than Email processing (even via outsourced services as MailChimp) and store someone’s personal information as Email address in databases, if compared to a social account ID, in long term.
Not only that, but OAuth providers have APIs to get sufficient User information, and regularly actualize, including: Name, Email (yet, by requested/allowed scope only), activity on that social network as posts/channels/followers count etc., which may be a requirement for their Staff/algorithms to determine the priorities for transactions/support and/or security involved.
This right here. I’d rather my email stay the source of truth for auth, but totally sympathize with website owners that don’t want to store and protect any sensitive user data (like an email address and password).
I do wish some sites would offer the magic link option if they don’t want to keep password hashes. It has problems too, but can be a simple way sometimes.
On some level I know the OAuth flow should be pretty safe. The idea that I have one identity that gets me into multiple sites makes a lot of sense. And I’m already using the same email in most places, so it’s not like I’m anonymous anyway.
And yet… I can’t convince my paranoia that ‘sign in with Google’ isn’t oversharing. I always worry that authorizing with other sites will give too many permissions to see/alter Google/whatever data, or that clicking it will take me to a fake Google/whatever page where I give away my creds.
Yes, I prefer an Email/password, too, so to depend less on third-parties, and keep it more transparent.
Yet, OAuth/OpenID is significantly easier legally and financially than Email processing (even via outsourced services as MailChimp) and store someone’s personal information as Email address in databases, if compared to a social account ID, in long term.
Not only that, but OAuth providers have APIs to get sufficient User information, and regularly actualize, including: Name, Email (yet, by requested/allowed scope only), activity on that social network as posts/channels/followers count etc., which may be a requirement for their Staff/algorithms to determine the priorities for transactions/support and/or security involved.
This right here. I’d rather my email stay the source of truth for auth, but totally sympathize with website owners that don’t want to store and protect any sensitive user data (like an email address and password).
I do wish some sites would offer the magic link option if they don’t want to keep password hashes. It has problems too, but can be a simple way sometimes.
On some level I know the OAuth flow should be pretty safe. The idea that I have one identity that gets me into multiple sites makes a lot of sense. And I’m already using the same email in most places, so it’s not like I’m anonymous anyway.
And yet… I can’t convince my paranoia that ‘sign in with Google’ isn’t oversharing. I always worry that authorizing with other sites will give too many permissions to see/alter Google/whatever data, or that clicking it will take me to a fake Google/whatever page where I give away my creds.
Technically, using an email and password is being dependent on more 3rd parties to keep your information safe.
Third parties that are getting one of maybe 6 emails and a unique password?
I’ll take my chances.