No more username/passwords: Just use a 3rd party for authentication.

It’s 2016, your site/app should not require a password. Use a third party to authenticate your users and make the web a simpler, safer, better place.

It’s 2016; your app should most likely not require a username or a password. You really should use a third party (email, phone, social) to authenticate your user, and skip the antiquated habit of forcing/allowing users to choose a username & password.

3rd-Party Schemes for Login / Sign-Up

  1. Email: Send the user a link to enter the app.
  2. Phone: Send the user an SMS with a link or code; clicking the link or entering the code on the app lets them enter.
  3. Social Media: Let the user identify themselves via FB, Google, GitHub, or some other provider.

A Simpler World For Users

No more thinking. No discussions on ‘correcthorsebatterystaple’ and LastPass and tiers of password sensitivity. No more remembering username and password for dozens of sites.

A Simpler World For Developers

Relying on 3rd-party authentication is also much simpler for developers. No more ‘email is taken’, ‘username is taken’, ‘email is malformed’, etc. Nothing. If you can receive an email at the address you gave me, that’s good enough for me.

A More Secure World

3rd-party verification makes brute-forcing impossible, because login can only occur in the window after requesting an entry link/code, or via social media. Easily-guessed passwords do not exist because passwords do not exist. Security and happiness go up.
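The email scheme from the list above, with the limited login window this section describes, as an added example that is not code from the original post: a small Ruby issuer and verifier for single-use, time-limited login links. The in-memory store, the 15-minute lifetime and the example.invalid addresses are assumptions.

```ruby
require 'securerandom'
require 'digest'

# Added example: a minimal magic-link issuer/verifier for the email scheme.
# Assumptions (not from the post): tokens live in an in-memory hash, links are
# valid for 15 minutes, and each link can be used exactly once.
class MagicLink
  TTL_SECONDS = 15 * 60

  def initialize
    @pending = {} # sha256(token) => { email:, expires_at: }
  end

  # Issue a fresh, unguessable token for the given address. Only the hash is
  # stored, so a leaked store does not yield usable links; the raw token goes
  # into the emailed URL and is never persisted.
  def issue(email, now = Time.now)
    token = SecureRandom.urlsafe_base64(32) # 256 bits of entropy
    @pending[digest(token)] = { email: email, expires_at: now + TTL_SECONDS }
    token
  end

  # Returns the verified email, or nil. The token is consumed on first use,
  # and an expired token is discarded, so the login window closes either way.
  def redeem(token, now = Time.now)
    entry = @pending.delete(digest(token))
    return nil if entry.nil?               # unknown or already used
    return nil if now > entry[:expires_at] # window has closed
    entry[:email]
  end

  def pending_count
    @pending.size
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end

# Tiny demo; a real app would email "https://example.invalid/login?t=#{token}".
if $PROGRAM_NAME == __FILE__
  links = MagicLink.new
  t = links.issue('alice@example.invalid')
  puts links.redeem(t).inspect # => "alice@example.invalid"
  puts links.redeem(t).inspect # => nil (single use)
end
```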

Stay Logged In Forever

As a side note, it is worth advocating that most apps should let the user stay signed-in for as long as possible. Modern browsers remember the username/password anyway, so auto-logging out is pointless.

Which 3rd-party verification should my app use?

This is an issue to be addressed elsewhere, but the considerations are quite straightforward. Social media is usually best from the app’s side, as you can get significant info about the user as well as provide the smoothest flow. If your users are expected to have privacy concerns, an email solution may be more appealing to them. If your app will be used primarily on mobile devices, perhaps a phone number. One can choose a combination of methods, thus granting more flexibility to users, at the cost of a slightly more complicated setup.

TLDR: No more username/passwords: Just use a 3rd party for authentication.

I can prove I am me because I control my email, my phone, and my FB. That’s more than enough proof for anyone. In 2016, that is me. I shouldn’t have to think about any other authentication details, nor trust anyone else.

Full-Stack, Ruby, and JavaScript Consultant @ US, UK, IL. If you enjoy my work or are looking for a consultant, reach out at http://sellarafaeli.com
