Ask HN: What's your preferred authentication method as an end-user?

4 points by horizontech-dev ↗ HN
To be clear, looking to hear whats your preferred authentication method as an end-user (not as a developer).

Example:

Phone Number Gmail Social (fb, linkedin, github etc)

Sorry, if there is already a discussion around this. Feel free to link me.

6 comments

[ 3.0 ms ] story [ 25.9 ms ] thread
login-id + password

Random websites simply do not get my phone number (and if they persist, they often receive 123-456-7890 which quiets them down). I do not use gmail (and random websites would not get it if I did). I also do not use fb/linkedin, but even if I did, random websites also would not get that information either. Do have a github account, but again, random websites will not receive that information either.

Got it. Thanks.

Are security and privacy the reason for the aversion to phone number and social methods?

Firstly, I usually don't have the methods being asked for. I don't use Linked-In, I barely use FB and certainly can't remember my password. And seriously, would you go around giving your phone number, email, physical address, etc., to everyone? The opportunities for social engineering abound.

And just because the people I give it to may be trusted today, there's always (a) buyouts, (b) security breaches, (c) going rogue.

Why are you asking these questions? Are you trying to learn about security? Are you surprised at the responses?

Would you, without reservation, give random people your email, phone number, login-id for other services, etc?

If so, why do you not have concerns?

I second everything that pwg said[0]. Why should I give a random website information? There has to be an exchange, and it has to be fair. Do they provide enough value for me to give them information?

Rarely.

Do they need the information to perform the service they are offering?

Rarely.

For me, login-in / password. If they're asking for more then it had better be obvious from the start that it's worth the trade.

[0] https://news.ycombinator.com/item?id=22771460

Email + password. I can isolate the email in case of breaches and it helps avoid leaking behavioral data to social networks.
For HTTP(S) stuff, HTTP authentication (basic or digest auth). However, better would be to use SASL (which is usable with many protocols, although I think HTTP(S) unfortunately doesn't), and then from that to have some sort of SASL method which allows decentralized authentication like OpenID but does not require a web browser.

What I hate is using a telephone number (I don't want them to call me on the telephone, and other people in my house might use the same service so then that won't work so well!), Gmail (I don't use it), GitHub (again I don't use it), Facebook (again I don't use it), etc.