Ask HN: You're building an app in 2016 – How would you let users login? 1. Facebook Login (or other social logins) 2. Phone number with SMS code 3. Username/pass 4. Email/pass (Email will need to be verified) Would like to hear people's opinions. Assuming the app doesn't absolutely need Facebook's social data, all the options seem viable with different pros/cons. |
If they need to login from a different place, I would put a simple 1 line form and button for emailing a link that would allow them to do that.
If it was necessary, I would give them the option to backup their account to an email address. This would just set the hash to something new so that the old cookie info no longer works, and they only have to click the reactivation email.
If this is an account where virtual goods are purchased (like Steam) and so there is actual value to the account, I would do email + phone backup. Phone backups aren't good enough on their own because people switch phone numbers. Emails aren't good enough on their own because people reuse login data all the time. This is the only case where I wouldn't store login data using cookies.
Forcing registrations and logins on the user really doesn't make sense 99% of the time.
Obviously some bigger names are experimenting and trust their tracking enough to do away with authentication for some things. Personally, I have an anonymous mode on one site. It is "I don't know who you are but I remember you." They can use the site and then convert to a real user with facebook, google, or email/password.
Fuck emails. Fuck passwords. I don't want to deal with any of these things. What's the purposed of being logged-in anyways?
SMS costs a very tiny amount of money, and didn't offer any advantages (you can't get at the user's phone # on ios, so you cannot prefill, thus email had a similar level of friction from the user's perspective).
Maybe if the information on the site was sensitive it would be worth it, but this is too much for just any random app.
Plus the whole thing becomes unsecure if users start forwarding the email to others without thinking of the implications.
What if the link is only good once? Problem solved.
I've just never actually seen anyone else do it.For some reason, it feels 100x more complicated than checking my SMS app for an SMS code when in reality its not that different.
Which is to say that the first options would be simply for the app to work without anyone having to log in. That's practical for some apps, and of course not for others. The larger point is that just as a login mechanism might not be necessary, if it is necessary the choice of mechanism should make sense given the nature of the app...don't use Twitter for a self-help app for narcissism or Instagram for a seniors lifestyle app.
As for the alternatives, what good could possibly come out of storing name/email and password pairs?
So that that is next on my list to add to this current project.