undefined | Better HN

0 pointspidge13y ago0 comments

You don't even have to make them set a password when they first register - just verify their email address and handle setting a password though the usual forgotten-password flow if you ever need to.

0 comments

6 comments · 2 top-level

dsl13y ago· 3 in thread

Remember when they changed everyones default email to be username@facebook.com? Yeah, thats pretty much all you're going to get from the API.

rohamg13y ago

A) not true, the API releases "primary email" which is usually NOT facebook. and B) even if it were that's why you check and verify: if u pull a @fb address don't save it, just prompt the user.

To me as both an app user and developer, single sign on feels like the Right Thing To Do. I'm sick of running through the same sign up flow for every single service I use, like a hamster wheel. Maybe the solution isn't fb, it's some kind of apple or google SSO? Why aren't AAPL and GOOG pushing their own SSO hard on the mobile ecosystems they control?

dsl13y ago

shrug maybe all my developer friends are wrong. I don't bother with FB API.

The solution is definitely not Facebook, Google, or Apple. They all plugged SSO into an existing platform and allow developers to perform actions on my behalf with the same credentials. Sadly, Microsoft's Passport.net was the closest anyone has gotten to a real solution because they treated their own properties as just another consumer. They killed that by trying to tie it directly into your Windows login which are inherently insecure.

chii13y ago

> Why aren't AAPL and GOOG pushing their own SSO

because neither of them has a controlling amount of the required market (which is basically the entire internet!).

Mozilla has a project called persona (http://www.mozilla.org/en-US/persona/), which aims to solve this by splitting the login from verification and authentication, but preserves privacy (unlike oauth). If vendors of services can give up their desire to control the userbase, this could be the solution.

filip0113y ago· 1 in thread

Why even verify their email address? It's already been done by Facebook?

engtech13y ago

Verify they still have access to that email.

A lot of people have 6yo+ facebook accounts. I quite enjoy the fact that my verified facebook email goes to a dead account that I only monitor on a 6 month basis... it saves me from a ton of spam.

j / k navigate · click thread line to collapse