Tell HN: Stop using email as the unique ID when using "Sign in with GitHub"

30 points by acheong08 ↗ HN
I recently lost access to over 10 accounts after changing the primary email address of my GitHub account including DigitalOcean and Replit. I contacted support and they asked for my government ID. I cancelled the connected credit cards so I don’t get charged and have since moved everything off the cloud to local docker containers on my raspberry pi.

19 comments

[ 2.4 ms ] story [ 53.6 ms ] thread
This also creates huge friction with domain-limited auth when using a GitHub account that has multiple email addresses on it.
> Domain-limited auth

> GitHub account that has multiple email addresses tied to it

I am sorry, but I am oblivious to the case you have described. You've experienced a Domain-limited auth to refuse accounts with e-mail with the required domain, plus secondary account with address outside the domain?

You can have multiple emails attached to a GitHub account. Sometimes instead of creating a new GitHub account for work, someone on your team will just attach their work email to their main GitHub account.

Then if you set up GitHub oauth on a SaaS, and configure it to allow anyone with an email on your domain, most of your team members will be able to sign up. But for the person with the multi-email GitHub account, it will usually fail. It gets even messier when there are invitations involved.

Was temporarily changing it back a possibility?
Unfortunately not. I got the amazing new years gift of my previous school disabling my alumni email which they promised that we were able to keep forever.
(comment deleted)
Am I the only one that hates the "sign in with other_company" thing?

I hadn't thought of the issue of changing your primary email, but what always worried me was tying everything together to other_company in case my account was ever compromised, shut down, or the sign-in or even entire service is discontinued. I also don't like that I'm forced to consider the security scope -- how much am I granting this service access to? What does the scope it's requesting actually mean to my privacy/security?

I like when I go to a site and my password manager shows me the little "[1]" badge indicating I have an account, because I honestly wouldn't remember where I have accounts or what sign-in partner I previously used. It's especially neat when I stumble across something that seems new, but then realize I have an account that I created 8 years ago.

When I'm forced to use a sign-in partner, I learned to make a password manager entry that just says "use provider_name", but since I'm doing that anyway it doesn't save me any time at all.

As all things in tech, it was born out of a grand vision of unified identity (in this case) & was squashed by corporate greed into using IDs of commercial tools for authentication into other commercial tools.

I've dreamed many times about my Matrix or Nostr identity serving as the ultimate key to all the tools & services I access, but as the greed turns grand visions into their parodies, these grand visions can't exist without financial support & motivation in some sort of gain for some party.

No one is going to implement a free, unified ID, not attached to a commercial product, which is going to get wide spread adoption. Many tried, and just as many have failed.

Such is life.

Now that I think about it, the government in my country has been experiencing a sudden boom in IT infra quality in recent years. The government tied authentication system works pretty well for all the government related tasks. Although quality of its implementation is still a bit factured & heavily reliant on fiat banking services, it is one ID system that comes to mind as 'widely & universally adopted' [among government related entities]
I was enthusiastic about OpenID when it came out. I actually had been idly building an almost identical thing (proof of concept stage, but it wasn't sure how to get the needed widespread adoption so didn't pursue it much further) but stopped once I found OpenID.

What I really liked was you could login with your own IdP, so for example you typed in "yourdomain.com" and got redirected to authenticate (no interaction if you already had a live session on your IdP). You could enable this with an html meta tag, even if you didn't run the actual provider.

Unfortunately the only big site I used that had it was stack overflow.

I haven't followed as closely but I don't think OpenID Connect (which is based on oath2) even allows this; instead it only works with the providers the site operator has decided to enable it for. Which of course are typically just the big ones.

I love what Phind has done in this matter & at the same time I hate what Microsoft has done with Minecraft.

Phind lets you authenticate ONLY with GitHub (even though they don't really use any other github features). It's beautifully elegant solution. No need to maintain security of accounts, Microsoft will do it for you. Phind is already geared towards soft devs, so which dev doesn't have a GitHub account. And even IF a potential user doesn't have the GitHub account, making a GitHub account is free and painless. JOB DONE.

At the same time, Minecraft players had the Microsoft store versions & accounts forced down their throats, by complete removal of old Mojang accounts if the user failed to transfer their account. In result, alot of old tools just failed to work without old foxm of auth. There are still plenty of places where a normal login prompt is shown, which requires Microsoft account credentials, but it is not said so, anywhere. In result, people like me get stressed, why the noted credentials tagged Minecraft don't work. (Its because the login prompt just leads to the Microsoft store, where you need to fingure out, to which Microsoft account you've attached the license. UGH!)

There are so many stories about bothed credentials management, security & inconvenieet implementations, that one could write a whole wiki on this topic.

I am with you on that. I am so surprised how fragile systems are.

1. I use email like firstname@lastname.email How many times I end up seeing that my email would be in the system like fistname@lastname.email.gmail.com or other variations. And how many services just do not accept .email.

2. Idea of using unique emails like domain@firstname.lastname.email broke so many things. Like integration between services (moviesanywhere). Services merging (mint and turbotax). But overall idea worked to see how unsecure my data was at various services like paybyphone (some parking app in seattle) or even linkedin. How much spam I get on those specific emails.

And yes. Signing in via oauth provides is terrifying. Just only see more issues with that.

> broke so many things

I've been doing it for about 20 years, and I can't even recall anything being broken or not working, but maybe I'm not using services that connect like that. The most annoying thing I can think of is when I sign up using "example.com@my.domain" and it tells me "example.com" isn't allowed in the email address... but this is rare, and easily worked-around.

On the other hand I know several services that were either compromised or sold their email list. Back when email filtering was mediocre at best, it was easy to make rules to completely filter those addresses out.

Early on I remember being enthusiastic about it, by putting my authentication eggs in one basket. The irony being that I was somehow oblivious of how putting your eggs in one basket is violation of a logical tenet of security. I think I, like many of us, was duped into a false sense of security by trusting the expertise of Google, Apple, etc. in exchange for willingly deepening their walled garden. The scales fall off when you realize how even the biggest orgs fail eventually and centralizing authentication just widens the blast radius.
I think this depends on who you are.

If you're the person who uses the same password everywhere, using SSO is a great idea: you don't spread the one password to that shady system that stores it in plain-text. You have control over the session token at your identity provider (assuming the RP service rechecks tokens as they should.)

If you value privacy, and have a good password policy, you probably benefit nothing security-wise from SSO. You're still at the risk of MITMs or domain hijacking ruining the experience on that one site, which seems unavoidable. The question is where you store your passwords. You'd want it somewhere centrally for all your devices to share, and then you have a single master password. Depending on who you are, that might be OK.

Passkey/WebAuthn has similar issues with how to share credentials.

Tell HN: Stop using "Sign in with <site>". Both DO and Replit let you sign up with a plain old email address. And with a password manager, it's equally convenient, still just one click to sign in.

Why would you rope in an unrelated point of failure to your relationships with online companies and give up sovereignty of your identity? It's only a matter of time before the leopards eat your face.

After Minecraft was acquired by Microsoft I had to create a Microsoft account for my 9 year old elementary school daughter so she could keep on playing her beloved Minecraft. After a few weeks later Microsoft blocked her account because of not further detailed "violation of terms". Unlocking this account was several week long encounter with a service process designed by Franz Kafka.

As a result of this experience I now consider having any relevant data or system access behind Microsoft ID (or any other as Apple or Google) as risk which needs mitigation. I removed all my data from OneDrive and set up my O365 not storing data in the Microsoft cloud (I needed MS support to do so. Not using OneDrive does not do the job).

I consider using my Microsoft/Google/Apple IDs on other sites as adding to the risk to be cut of my data or work at Microsofts mercy.

I used Google as my primary authentication for over a decade, because I thought it's more likely that I will forget to pay my domain or my email service and lose access to my digital identity.

But about five years ago, I asked myself: What if it's more likely that I will get locked out of my account on Google? I'm not paying them anything, and they're impossible to come into contact with.

I also lost access to Minecraft because of the Microsoft acquisition.