How hard is it to implement email verification?

  • Echo Dot@feddit.ukEnglish
    30·
    15 hours ago

    How is it login with YouTube and login with Google two different things. It’s the same login.

    What website is this?

  • zorro@lemmy.worldEnglish
    131·
    17 hours ago

    I feel conflicted. OAuth gets a lot correct in so far as most sites don’t have to deal with a lot of difficult auth bits, but also I don’t like having to rely on big (usually social media) companies to be the auth source.

    I think about dnssec a lot.

    It feels to me like there should be some form of public key infrastructure where there is a global root key (or short list of) then providers that can issue certificates out to other smaller organizations or individuals who could then use that source of trust to prove who they are. Imagine OAuth but you could just fill in your provider of choice (self hosted?) and if the certs checked out everything would verify correctly.

    That being said who does the bits around ensuring that you are who you say you are. I suppose a government body running such a system could work though I sweat at the idea of going to the dmv to reset a forgotten password or report a stolen identity.

    Idk maybe if I think about this enough I can come up with a cryptography secure system…

  • CannedYeet@lemmy.worldEnglish
    221·
    19 hours ago

    I can see how they got there from the implementation side. There’s a library they used for their site, maybe a CMS, where all those choices are just a click away. But for email they have to get their hands on an SMTP server. And that takes non-zero effort.

  • it_depends_man@lemmy.worldEnglish
    2405·
    1 day ago

    How hard is it to implement email verification?

    Harder, actually.

    That’s the point of OAuth, which is what you’re seeing there.

    The idea is that you’re you and you have a… google account. This shitty little website doesn’t want to be responsible for you login details, because those can get stolen. Maybe they contain an email address, which is a problem. Software needs to be updated, it’s all a big. They don’t want to touch anything in terms of security that identifies you as you.

    Maybe all the website does is save your favorite pepe memes. They don’t need anything else from you, but they still need to have something to get a user id and make sure nobody messes with your pepe meme collection. That’s where this system comes in, because the rest of website becomes significantly easier. They don’t need to store anything personally identifying, all they get is an ID and they can connect it with your pepes.

    The only downside to OAuth is, as you can also see, that it’s corpos you don’t want to trust that are offering it.

    • skisnow@lemmy.caEnglish
      1·
      9 hours ago

      Most users outside of Lemmy dgaf about corpos if it saves them having to type in an email address on their phone and get it right and then go to their email and then hit refresh a few times before going back and hitting send again and then checking their spam folder

    • Wispy2891@lemmy.worldEnglish
      2·
      14 hours ago

      But most oauth implementations use the user email as identifier so they get the email anyway

      • it_depends_man@lemmy.worldEnglish
        2·
        7 hours ago

        All the smarter ones don’t because an email can change, your google account unique id will not, that’s the purpose of account IDs.

        I won’t deny that many people/websites probably do use email though. Which is bad. But I can’t deny that that probably is what is happening.

    • nieminen@lemmy.worldEnglish
      3·
      17 hours ago

      Yeah, some of the same reason everyone uses stripe or PayPal for payment systems. If the site itself handles the cc info it holds all the liability, and has to pass rigorous POC testing and compliance.

    • criss_cross@lemmy.worldEnglish
      26·
      1 day ago

      Was just about to say getting Auth right is super hard. Getting someone else to do it for you is a godsend.

    • lenocolomo@lemmy.mlEnglish
      341·
      1 day ago

      While I get that, it is still unfortunate that no open-source, trusted variant can be part of the usual ways.

    • fraksken@infosec.pubEnglish
      51·
      1 day ago

      I have no account with the above. I wouldn’t make one for being able to use another service.

      No idea what the product is here, but I guess I’m not their target audience. Which is fine.

  • BiscuityCat@lemmy.worldEnglish
    79·
    1 day ago

    It reminds of this:

    There were more options on the website, but I forgot the name of the website, and I cannot find it now… :(

  • StarryPhoenix97@lemmy.worldEnglish
    261·
    1 day ago

    If i cant log in with an independent email then I’m not logging in.

    I had the same problem yesterday as I was investigating tailscale. And while I get it for that service, there’s no reason for some of the other services that ask me to link my other accounts to them as a means of logging in.

    No. I will not consolidate my log-in profiles under companies that dont see me as a person, care about my privacy, and are working with hostile governments to track me.

    Semi-Anonymous or nothing. Period.

      • dustyData@lemmy.worldEnglish
        2·
        7 hours ago

        I hate that I can’t change the auth method. I’m stuck with github. And for the life of me can’t figure out how to change to anything else. The option is not there were help says it should be, and support doesn’t care. My only choice is to scrap everything and start a new network from scratch.

    • ikt@aussie.zoneEnglish
      91·
      1 day ago

      What do they get that you wouldn’t get from signing up regularly ?

      • DaddleDew@lemmy.worldEnglish
        211·
        1 day ago

        If you use the same Google account for a bunch of different third party websites, Google gets to associate your activity on those websites to you, giving them more points of data about you. They wouldn’t offer themselves as a login option if they didn’t make money out of it.

        Also if you use your Google email for many other services it becomes even harder to ditch Google afterwards.

        • ikt@aussie.zoneEnglish
          12·
          1 day ago

          and what does that have to do with the random website that uses it for oauth?

          • DaddleDew@lemmy.worldEnglish
            14·
            1 day ago

            The website doesn’t have to handle the code and security for their own login system, which reduces costs for them too.

            • ikt@aussie.zoneEnglish
              74·
              1 day ago

              right… so it’s not data mining it’s just easier to maintain

              somehow op has 46 upvotes for something that’s wrong

  • Artwork@lemmy.worldEnglish
    421·
    1 day ago

    Yes, I prefer an Email/password, too, so to depend less on third-parties, and keep it more transparent.

    Yet, OAuth/OpenID is significantly easier legally and financially than Email processing (even via outsourced services as MailChimp) and store someone’s personal information as Email address in databases, if compared to a social account ID, in long term.

    Not only that, but OAuth providers have APIs to get sufficient User information, and regularly actualize, including: Name, Email (yet, by requested/allowed scope only), activity on that social network as posts/channels/followers count etc., which may be a requirement for their Staff/algorithms to determine the priorities for transactions/support and/or security involved.

    • emb@lemmy.worldEnglish
      12·
      1 day ago

      This right here. I’d rather my email stay the source of truth for auth, but totally sympathize with website owners that don’t want to store and protect any sensitive user data (like an email address and password).

      I do wish some sites would offer the magic link option if they don’t want to keep password hashes. It has problems too, but can be a simple way sometimes.

      On some level I know the OAuth flow should be pretty safe. The idea that I have one identity that gets me into multiple sites makes a lot of sense. And I’m already using the same email in most places, so it’s not like I’m anonymous anyway.

      And yet… I can’t convince my paranoia that ‘sign in with Google’ isn’t oversharing. I always worry that authorizing with other sites will give too many permissions to see/alter Google/whatever data, or that clicking it will take me to a fake Google/whatever page where I give away my creds.

    • village604@adultswim.fanEnglish
      3·
      1 day ago

      Technically, using an email and password is being dependent on more 3rd parties to keep your information safe.

    • Artwork@lemmy.worldEnglish
      3911·
      1 day ago

      They do not, normally, unless you specifically allow that. Yet, indeed, many services enable/require quite permissive scopes by default.

        • iltg@sh.itjust.worksEnglish
          51·
          24 hours ago

          per oauth spec you get told what is shared. usually it’s just your user id (which often is email or username), i haven’t seen crazy scopes in the wild in a while

          • Tanoh@lemmy.worldEnglish
            2·
            17 hours ago

            Some services even have an option to only share a dummy email and not your real. Apple for example does this, so all the site gets is “[email protected]” (don’t know the exact format). And it is only tied to your real email address on apple’s side

      • valar@lemmy.caEnglish
        112·
        1 day ago

        Regardless of your privacy choices, if you are using a shared login, that activity is connected with your broader profile.