Tell HN: Stop using email as the unique ID when using "Sign in with GitHub"
I recently lost access to over 10 accounts after changing the primary email address of my GitHub account including DigitalOcean and Replit. I contacted support and they asked for my government ID. I cancelled the connected credit cards so I don’t get charged and have since moved everything off the cloud to local docker containers on my raspberry pi.
19 comments
[ 2.4 ms ] story [ 53.6 ms ] thread> GitHub account that has multiple email addresses tied to it
I am sorry, but I am oblivious to the case you have described. You've experienced a Domain-limited auth to refuse accounts with e-mail with the required domain, plus secondary account with address outside the domain?
Then if you set up GitHub oauth on a SaaS, and configure it to allow anyone with an email on your domain, most of your team members will be able to sign up. But for the person with the multi-email GitHub account, it will usually fail. It gets even messier when there are invitations involved.
I hadn't thought of the issue of changing your primary email, but what always worried me was tying everything together to other_company in case my account was ever compromised, shut down, or the sign-in or even entire service is discontinued. I also don't like that I'm forced to consider the security scope -- how much am I granting this service access to? What does the scope it's requesting actually mean to my privacy/security?
I like when I go to a site and my password manager shows me the little "[1]" badge indicating I have an account, because I honestly wouldn't remember where I have accounts or what sign-in partner I previously used. It's especially neat when I stumble across something that seems new, but then realize I have an account that I created 8 years ago.
When I'm forced to use a sign-in partner, I learned to make a password manager entry that just says "use provider_name", but since I'm doing that anyway it doesn't save me any time at all.
I've dreamed many times about my Matrix or Nostr identity serving as the ultimate key to all the tools & services I access, but as the greed turns grand visions into their parodies, these grand visions can't exist without financial support & motivation in some sort of gain for some party.
No one is going to implement a free, unified ID, not attached to a commercial product, which is going to get wide spread adoption. Many tried, and just as many have failed.
Such is life.
What I really liked was you could login with your own IdP, so for example you typed in "yourdomain.com" and got redirected to authenticate (no interaction if you already had a live session on your IdP). You could enable this with an html meta tag, even if you didn't run the actual provider.
Unfortunately the only big site I used that had it was stack overflow.
I haven't followed as closely but I don't think OpenID Connect (which is based on oath2) even allows this; instead it only works with the providers the site operator has decided to enable it for. Which of course are typically just the big ones.
Phind lets you authenticate ONLY with GitHub (even though they don't really use any other github features). It's beautifully elegant solution. No need to maintain security of accounts, Microsoft will do it for you. Phind is already geared towards soft devs, so which dev doesn't have a GitHub account. And even IF a potential user doesn't have the GitHub account, making a GitHub account is free and painless. JOB DONE.
At the same time, Minecraft players had the Microsoft store versions & accounts forced down their throats, by complete removal of old Mojang accounts if the user failed to transfer their account. In result, alot of old tools just failed to work without old foxm of auth. There are still plenty of places where a normal login prompt is shown, which requires Microsoft account credentials, but it is not said so, anywhere. In result, people like me get stressed, why the noted credentials tagged Minecraft don't work. (Its because the login prompt just leads to the Microsoft store, where you need to fingure out, to which Microsoft account you've attached the license. UGH!)
There are so many stories about bothed credentials management, security & inconvenieet implementations, that one could write a whole wiki on this topic.
For info, there is e-mail as well
1. I use email like firstname@lastname.email How many times I end up seeing that my email would be in the system like fistname@lastname.email.gmail.com or other variations. And how many services just do not accept .email.
2. Idea of using unique emails like domain@firstname.lastname.email broke so many things. Like integration between services (moviesanywhere). Services merging (mint and turbotax). But overall idea worked to see how unsecure my data was at various services like paybyphone (some parking app in seattle) or even linkedin. How much spam I get on those specific emails.
And yes. Signing in via oauth provides is terrifying. Just only see more issues with that.
I've been doing it for about 20 years, and I can't even recall anything being broken or not working, but maybe I'm not using services that connect like that. The most annoying thing I can think of is when I sign up using "example.com@my.domain" and it tells me "example.com" isn't allowed in the email address... but this is rare, and easily worked-around.
On the other hand I know several services that were either compromised or sold their email list. Back when email filtering was mediocre at best, it was easy to make rules to completely filter those addresses out.
If you're the person who uses the same password everywhere, using SSO is a great idea: you don't spread the one password to that shady system that stores it in plain-text. You have control over the session token at your identity provider (assuming the RP service rechecks tokens as they should.)
If you value privacy, and have a good password policy, you probably benefit nothing security-wise from SSO. You're still at the risk of MITMs or domain hijacking ruining the experience on that one site, which seems unavoidable. The question is where you store your passwords. You'd want it somewhere centrally for all your devices to share, and then you have a single master password. Depending on who you are, that might be OK.
Passkey/WebAuthn has similar issues with how to share credentials.
Why would you rope in an unrelated point of failure to your relationships with online companies and give up sovereignty of your identity? It's only a matter of time before the leopards eat your face.
As a result of this experience I now consider having any relevant data or system access behind Microsoft ID (or any other as Apple or Google) as risk which needs mitigation. I removed all my data from OneDrive and set up my O365 not storing data in the Microsoft cloud (I needed MS support to do so. Not using OneDrive does not do the job).
I consider using my Microsoft/Google/Apple IDs on other sites as adding to the risk to be cut of my data or work at Microsofts mercy.
But about five years ago, I asked myself: What if it's more likely that I will get locked out of my account on Google? I'm not paying them anything, and they're impossible to come into contact with.
I also lost access to Minecraft because of the Microsoft acquisition.