is the service source available?

[jeacott1]

Hi, interesting project! Is the service source available somewhere?

[dagnelies]

Hi @jeacott1,

Currently neither backend nor frontend is open source. I originally hesitated quite a lot regarding this aspect, and still do. In the end, I chose against for following reasons:

• Avoiding clones: the strength of Passwordless.ID relies on being a centralized identity provider, so that users register and manage their devices in a single place, same for their profile. Making it open source would likely result in similar copycats, and would defy this purpose.
• Security: this is a double-edged sword. On one hand, being open source allows third parties to scrutinize the correctness of the code. On the other hand, attackers are notified on the fly when dependency vulnerabilities are discovered, allowing opportunities until the patch goes through.
• Future sustainability: while authentication and security are meant to be kept free for everyone, I was envisioning the possibility to add additional "premium" features in the future like analytics, access control, address verification and other stuff in the future.

But the main reason is indeed avoiding "the competition of clones". It's like GitHub. It ain't open source either and I believe that if it was, it would have likely lead to a more fragmented community than otherwise.

That said, I'm still considering the possibility of open sourcing this. On one hand it started as a little pet project but it's a bottomless pit. However, I would prefer to open source once it picked up enough steam and community to ensure a long lived presence and avoid fragmentation due to forks.

[jeacott1]

@dagnelies thanks for the long and considered response! I'd just counter with letsencrypt is oss, and I think without knowing how robust your backend is, people (me) are unlikely to invest such a crucial part of their own value without justifiable trust, and a means to recover if passwordless.id has a catastrophic failure or just goes away. I think this even more so while the site is still relatively unknown and being built and run by just one guy! Perhaps you can consider releasing source later if you find some significant backing and after gaining some share of the market.

It's certainly a difficult balance, and I wholeheartedly commend your efforts here. I understand that its not production ready yet, but perhaps some documentation addressing migration paths/disaster recovery, and some information about how the existing service is/will be operating that might mitigate some of these concerns is warranted?

[dagnelies]

I understand your concern and it is certainly a valid point. Being open source would make "longevity" easier. However, it's no guarantee either. Many open source projects still die when the maintainer just pulls the plug because nobody wants to put in the effort into maintaining it further, it's a demanding but unrewarding job. In that aspect, I think funding is actually more important than being open source to ensure it becomes a long-lived well maintained product/service.

That said, I'm lately reconsidering to open source it. Since other aspects come into play too:

• the main point regarding "avoiding clones" becomes moot if this one does not even gain traction.
• making it open source would perhaps gather some welcome contributions. Although I somehow doubt it.
• open sourcing might actually be helpful to gather some funding. Perhaps.
• ...and your argument. Being open source gives a way out in case of discontinuity.

But in the end it's also because I'm personally in a pinch. Since my current employer isn't really supporting this endeavor since "it isn't profitable", I'm kind of doing it in my free time and it therefore sadly progressing at a snails pace. I invested many hundreds of hours into it and it feels kind of disappointing to get nothing in return. Nevertheless, I'm rather inclined to open sourcing it rather than seeing it in the slump it is right now.

...but even that requires some preparations. Before open sourcing it, I wanted to have the "refactored version 2" directly available at "https://passwordless.id", so I first have to move the main site to "docs.passwordless.id" and overhaul it in the process, then update the links in the various docs, demos, examples and client libraries. Lastly, I would like to prepare some good announcement and article to at least attract some eyeballs to this project. So even open sourcing it will take a while.

[dagnelies]

The docs are now in their own repo https://github.com/passwordless-id/docs

Anyone wanting to contribute to speed up the content is welcome.