undefined | Better HN

0 pointsmajormajor3y ago0 comments

This is my experience. It's hard because it's very complex. As a non-domain-expert it's hard to separate necessary complexity from unnecessary complexity, but it feels like there's a lot of the latter, plus enough gotchas in the former ("oh, you didn't specify an encryption algorithm that we support in your request, and our logs are terribly unhelpful for realizing that") to make it a giant pain.

0 comments

3 comments · 1 top-level

gigatexal3y ago· 2 in thread

Is Webauthn a better standard?

lstamour3y ago

Not exactly. With webauthn the complexity lies in frontend - you have to explain how and why users should use this and what it is, how to manage enrolments and so on. Touch ID, Windows Hello and Passkeys might simplify this but it is still more complex to explain to less technical customers than, say, Face ID on an iPhone app to remember your login.

If you want an easy all-purpose login flow, sign in by clicking a link in email is still an easy fallback.

OAuth from multiple providers also has complexity - Auth0 makes it so you have to maintain separate databases for passwords if you want to support login via OAuth and login from password. You have to link accounts to login from multiple providers.

Logins are simply hard work no matter how you slice it. Eventually they will be easy but… I’m not holding my breath. :)

waboremo3y ago

If you were generally comparing standards: yes. Documentation with it is a breeze.

If you're talking about a "replace one standard with the next" type of comparison, then no. You can read more about why here https://oauth.net/webauthn/

j / k navigate · click thread line to collapse