We have received multiple reports that Google login is particularly off-putting to users. This might be skewed a bit by the fact that the app has primarily been promoted on Mastodon, where users are more likely to retain mistrust of large internet corporations.
Still, more login options would make the site more flexible and available to a larger number of potential users. We should consider implementing some of these alternatives:
- OAuth via Mastodon
- Login with Facebook
- Sign in with Apple
It is important to note that we never intend to support generic email/password authentication, since it would open a rabbit hole of security considerations (password storage and policies, reset flows, credential stuffing) as well as a large amount of development time to build signup/login flows, password reset emails, etc.
Note that this is only for authentication. Authorization is provided by an encrypted cookie set in the user's browser, for the lifetime of the browsing session only. In the case of OAuth, we also don't require any granted scopes, only validation of identity (authentication). This means we can potentially use any OAuth provider as an identity provider, including services that provide identity through multiple OAuth options.
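To make the split concrete, here is an added example (not code from this project) of the pattern described above: once a provider has vouched for a user, the only thing the server hands back is an encrypted, authenticated session cookie carrying the provider name and the provider-scoped subject, with no access token and no scopes. The AES-GCM key, the `session` cookie name, the one-hour server-side TTL and the Mastodon subject string are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"time"
)

// Session is the entire content of the cookie: which provider vouched for the
// user and that provider's subject id. No provider tokens, no granted scopes.
type Session struct {
	Provider string `json:"p"`
	Subject  string `json:"s"`
	IssuedAt int64  `json:"iat"`
	Expires  int64  `json:"exp"`
}

// SessionCodec seals and opens session cookies with AES-GCM (confidentiality
// plus integrity, so a tampered or forged cookie fails to open).
type SessionCodec struct {
	aead cipher.AEAD
	ttl  time.Duration // server-side cap, independent of the browser session
}

// NewSessionCodec takes a 16, 24 or 32 byte key (assumed to come from a secret store).
func NewSessionCodec(key []byte, ttl time.Duration) (*SessionCodec, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SessionCodec{aead: aead, ttl: ttl}, nil
}

// Seal produces the cookie value: base64url(nonce || ciphertext || tag).
func (c *SessionCodec) Seal(provider, subject string, now time.Time) (string, error) {
	s := Session{Provider: provider, Subject: subject, IssuedAt: now.Unix(), Expires: now.Add(c.ttl).Unix()}
	plain, err := json.Marshal(s)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, c.aead.NonceSize()) // fresh random nonce per cookie
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := c.aead.Seal(nonce, nonce, plain, nil)
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// Open decrypts and authenticates a cookie value and enforces the server-side expiry.
func (c *SessionCodec) Open(value string, now time.Time) (*Session, error) {
	raw, err := base64.RawURLEncoding.DecodeString(value)
	if err != nil {
		return nil, err
	}
	n := c.aead.NonceSize()
	if len(raw) < n {
		return nil, errors.New("cookie too short")
	}
	plain, err := c.aead.Open(nil, raw[:n], raw[n:], nil)
	if err != nil {
		return nil, errors.New("cookie failed authentication") // forged or tampered
	}
	var s Session
	if err := json.Unmarshal(plain, &s); err != nil {
		return nil, err
	}
	if now.Unix() >= s.Expires {
		return nil, errors.New("session expired")
	}
	return &s, nil
}

// SetSessionCookie is what the OAuth callback handler calls after the provider
// confirmed the identity. No Expires/MaxAge is set, so the browser treats it as
// a session cookie; HttpOnly/Secure/SameSite keep it away from scripts and
// cross-site requests.
func (c *SessionCodec) SetSessionCookie(w http.ResponseWriter, provider, subject string) error {
	v, err := c.Seal(provider, subject, time.Now())
	if err != nil {
		return err
	}
	http.SetCookie(w, &http.Cookie{
		Name: "session", Value: v, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode,
	})
	return nil
}

func main() {
	key := make([]byte, 32) // constructed all-zero key for the demo only
	codec, _ := NewSessionCodec(key, time.Hour)
	v, _ := codec.Seal("mastodon", "https://mastodon.social/@alice", time.Now())
	s, err := codec.Open(v, time.Now())
	fmt.Println(s, err)
}
```

One caveat worth keeping in mind: "session cookie" is a browser-side notion, and browsers with session restore ("continue where you left off") may keep such cookies across restarts, which is why the example also enforces a server-side expiry inside the encrypted payload rather than trusting the browser to discard it.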
We are also considering Guest mode (#32) and authentication via bare email address (#35).