from Hacker News

Email and password authentication should be a last resort (rant)

by aaossa on 5/7/25, 2:26 AM with 6 comments

  • by calgoo on 5/7/25, 7:38 AM

    I have reached the point now that if you don't offer me email and password, then I will not use your service anymore.

    That you might want to offer different options for different people, sure; but don't remove the password option. Let me use my generated email address so that if you sell my info, I know I can't trust you anymore, and let me manage my own security instead of some third party that does not have my personal privacy as their primary concern.

  • by heavensteeth on 5/7/25, 10:43 AM

    Pretty reductive. The author even lists pros and cons for every alternative, as if every option is a shade of gray except email+password.

    I'm not going to force users of my service to create a Google account, I'm not going to let Google decide whether a user's account should be banned on _my service_; and I'm not going to oblige users to sign using WebAuthn.

  • by mystified5016 on 5/7/25, 2:53 PM

    If you can't handle user authentication on your own, why should I trust that you're capable of any level of security or trustworthiness?

    I will not use a service that doesn't offer email authentication. This is table stakes.

  • by mooreds on 5/7/25, 2:30 AM

    Maybe!

    It depends on the audience and the importance of the account.