User authentication methods in MVP

What user authentication methods do we need in the MVP?

  • Passwords
  • Stack Exchange OpenID
  • Specific social network associated accounts (Google, Facebook, etc.)
  • OpenID or OpenAuth from arbitrary providers
1 Like

I’m no expert on this, but I believe we should have a username/password system here, in addition to any other 3rd-party (SE, Google, Facebook, etc.) associated login. That is for a number of reasons, including:

  • Some users may want to use a throwaway account for confidentiality reasons (especially in sites like IPS and Workplace)
  • Some users feel more secure with not connecting too many pieces of their online life
  • Some users may not have any other compatible accounts (I have actually had this problem on some sites where they seem to encourage sign-in via “other stuff” and have no obvious “new account” mechanism - I leave those sites and don’t come back).

And on the other hand, some people who really don’t care much about these issues will prefer a single sign-on based on one of the biggies - e.g., Google, Facebook.

That being said, MVP includes creating and managing internal accounts. If a new user comes in and we don’t have Google/Facebook/SE working, they can read without requiring any login, and if they really want to ask a Q then they will create an account.
5 Likes

I think MVP needs two methods:

  • Passwords are necessary because not everyone wants to tie their account to a third party. They’re the only authentication method which is easy to use and doesn’t require a third party.
  • Some method that makes it easy for people to tie their account to Stack Exchange. This is in MVP because we want to make it easy for people to migrate from Stack Exchange.

Not MVP, but nice if easy to do: common identity providers such as Google, Facebook, etc.

MVP if we want to migrate Ask Ubuntu: Launchpad.

Not MVP: second authentication factor.

4 Likes

I think this depends on what gets launched initially for MVP.

If you’re talking about a Q&A site which doesn’t require or rely on anything personally identifiable, then OpenID/common identity providers would be enough.

If you’re talking about a Q&A site which does require or rely on something personally identifiable, then that gets trickier since all OpenID/common identity providers tie to real-ish identities. Passwords would be good here too.

I’d really rather y’all not get in the business of storing passwords, though.

If we are talking about creating our own auth system - I’d probably venture towards SSO. Create our own IDP, and we can then set up the site as an SP and use the same auth code for any number of IDPs - first or third party.