Ask HN: What's (in your opinion) the best authentication method for web apps?
i'm looking to gather some opinions, as i've been building some small apps recently and noticed some dissatisfaction around using magic links for authentication.
at the same time, i do not want to use google despite being very simple, just because they already have enough data on me as it is.
do people mind email and password combos? or perhaps passkeys are the future?
37 comments
[ 4.3 ms ] story [ 89.3 ms ] threadDepends on what you're building though. Enterprisey customers will often require SSO and Google OAuth tends to keep them happy enough.
I just want to Command-Shift-L to autofill my username/password and if it needs an OTP then press Command-V to populate that too. This works with Bitwarden, on many "boring" websites. Unfortunately, does not with these fancy "enter your email first, and THEN we slide out the textbox with a slow animation just to break your flow" BS.
And no, I do not want to connect my github / gmail / twitter / microsoft / whatever account with any webpages. I have a password manager, and I have separate passwords (and sometimes emails) for the different websites.
Another layed of meta-security I like to use for private apps is to use a service like ipapi.co to do an IP->geo lookup, and then have a per-used list of allowed geo regions (usually at the city level), like:
Depending on your user-base, this effectively shuts out 99%+ of the Internet. This geo check is trivial to circumvent if somebody really wants to, but it's good for keeping out 99% of random hackers.The other alternative is to support TOTP and let people use whatever authenticator they want.
Without specifically commenting on the relative merits of all the auth options being mentioned in the thread, I do feel it worth pointing out that "if you accept id+password" you definitely should not be storing them. And neither should someone else on your behalf.
Using one-way cryptographic hashes of passwords is well documented and nobody should have the "hoard of stored treasure, other people’s passwords" even with id+password as the auth mechanism.
There are more ways to do that wrong than right.
Of course, that is irrelevant to my point: even if you do store them all properly, you are still going to get attacked.
Don’t give people such terrible advice unless you also tell them how to protect themselves.
I offered a technically correct warning for a single case, and also specifically said I wasn't commenting on whether that auth method should be used or not.
I'm not required to offer a security tutorial, but yes it's true that storing anything, even hashes, is a security risk. So if it helps any other readers they can somewhat mitigate dictionary attacks by using salts and possibly peppers.
I personally don't like opening another app to receive something that will help me login, especially since I pay for a password manager.
Magic links, as you have noticed, are not what people want. I walk away from those sites that use them, just give me oauth
Kids are turning to services to do for them what has been a basic practice for decades.
Passwords are never going anywhere. Users are confused by passkeys, and they’re a terrible idea and terribly implemented anyway.
Edit: Learn how to use scrypt, learn how to execute `INSERT INTO users …`, and call a session library.
Passkeys.
https://proton.me/blog/big-tech-passkey
Also, usernames are generally a bad idea. Just use email. If they need a handle let them set it separately on their account and keep it away from auth.
Passkeys are a single click, or passwords can be instantly auto filled. Much quicker and zero friction.
It's only the same for the people who forget their password. For those who know their password it's a strictly less convenient flow.
What?
If you can use just an email address to recover access to an account, the security properties are effectively the same as just sending a magic link email.
Of course for anything important, you shouldn’t allow users to recover access with only a link in an email. Personally, I like it when a service requires that you pass an MFA challenge to reset your password.
With a password manager it's all pretty straightforward.
I hate magic links. Way too many steps and have to wait for the email to transit the internet. It's as bad as a forgotten password, except it's every single time.
I am sick and tired of needing to conjure a unique 12-character password with 4 different keyset features in order to gain access to a coupon-clipping site, someone's blog about bundt cakes, or a forum discussing solar panels.
The exception is where loss of the credentials can do me real and meaningful financial harm. I have no problem managing unique, complex, and rotated passwords for these. I also expect 2FA for these at a minimum.
Everyone is doing this so terribly that I wish they'd all just farm it out. correct battery horse staple indeed. :)