
Email + password authentication should be a last resort (rant)

Submitted by Style Pass, 2024-06-08 08:00:02

If you’re working on a web product, odds are one of the first decisions you’ll make is how users will sign up and log in (aka “authentication”). Unfortunately, the authentication method most developers reach for by default is arguably the worst one.

And why should users trust that you’ve set up your backend securely enough to never leak their credentials? The answer is that they shouldn’t, which means the only reasonable option you leave your users is to generate a unique random password for every website.

Power users (not the average person) love to boast that they’ve figured it all out with their password manager of choice. But even those are flawed. If you’re on any other device, say logging in from a friend’s house, or god forbid from a friend’s phone, the pain of entering a secure 50-character generated password can’t be overstated. And your password manager won’t save you from phishing attacks or man-in-the-middle (MITM) attacks on insecure sites.

Social logins solve a handful of problems. I’ll trust Google to not store passwords in plain text, but probably not your random website (sorry). More importantly, the fewer accounts and passwords I need to remember, the better.
