Authenticating users, what do I need to know?
The old days of passwords
Not long ago, password logins were the standard way to authenticate app users. It was simply a matter of saving users' details in a central database and querying them when needed.
And Social Media Login buttons
Then the social login trend came along, and every app added Facebook's and Twitter's login buttons. It increased user conversion by removing the terrible UX of creating a new password. It also increased complexity: the app now depended on the social media platforms' APIs, which could introduce breaking changes. Not the kind of problem founders want to deal with.
Passwordless
Password, social media, and then what? Then came magic link logins. They cleverly allow users to log in to your app by clicking a 'magic link' sent to their email. Simple and effective. However, there is a small trade-off you should be aware of: users must open the magic link in the same browser from which they requested it. Otherwise, the browser will not recognize the user.
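The following Python snippet is an added example, not code from the original post, showing the mechanics behind that trade-off: the server stores only a hash of a random single-use token, gives it an expiry, and binds it to a random cookie that the login page set in the browser that requested the link. The MagicLinkStore class, the browser_id cookie value, the /auth/magic path and the 15-minute lifetime are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime: links stop working after 15 minutes


def _digest(token: str) -> str:
    # Only a hash of the token is stored, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


class MagicLinkStore:
    """In-memory stand-in (constructed for this example) for the table a real
    application would keep in its database."""

    def __init__(self) -> None:
        # token digest -> (email, browser_id, expiry timestamp)
        self._pending: Dict[str, Tuple[str, str, float]] = {}

    def issue(self, email: str, browser_id: str, now: Optional[float] = None) -> str:
        """Create a single-use token bound to the browser that asked for it.

        browser_id is a random value the login page set as a cookie before the
        user typed their address. The same cookie must be present when the link
        is opened, which is exactly why the link only works in that browser.
        """
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._pending[_digest(token)] = (email, browser_id, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, browser_id: str, now: Optional[float] = None) -> Optional[str]:
        """Return the authenticated email, or None if the link is invalid.

        Any attempt consumes the token, so a link can only ever be used once.
        """
        now = time.time() if now is None else now
        record = self._pending.pop(_digest(token), None)
        if record is None:
            return None  # unknown, already used, or tampered token
        email, bound_browser, expires_at = record
        if now > expires_at:
            return None  # expired
        if not hmac.compare_digest(bound_browser, browser_id):
            return None  # opened in a different browser: the binding cookie is missing
        return email


def build_link(base_url: str, token: str) -> str:
    """Assemble the URL that goes into the email (path is an assumption)."""
    return f"{base_url}/auth/magic?token={token}"


if __name__ == "__main__":
    store = MagicLinkStore()
    tok = store.issue("alice@example.com", browser_id="cookie-A")
    print(build_link("https://app.example", tok))
    print(store.redeem(tok, browser_id="cookie-B"))  # None: different browser
```

When the link is opened in another browser, the binding cookie is absent, so redeem returns None even though the token itself is genuine. A production flow would then ask the user to request a new link, or confirm the login from the original tab, rather than fail silently.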
Two-factor authentication (2FA)
Allowing users to log in to your app from a link gives a beautiful user experience. It also raises serious security concerns that you should consider if the app deals with sensitive content like bank data, addresses, etc.
Using a secondary medium to authenticate users, like a text message on top of the primary password, dramatically improves security.
As an alternative to using mobile text messages to send the confirmation code, you could use authentication apps like Google Authenticator or DUO. These are a popular choice among banks and crypto exchanges. They provide a time-based unique code, but they force users to install another app, making onboarding a bit cumbersome.
A hybrid solution, with simple magic links for soft interactions (liking, commenting, sharing content, etc.) and 2FA for the delicate stuff, is by far the best option. Users will happily embrace the increased complexity when it matches their interaction with the app.
Do we need to deal with all of this?
Not really. There are many web services providing authentication infrastructure for your app. They usually provide a login/signup widget for easy implementation. Ideally, the service should also offer an access API, so that if your needs outgrow the default settings, you can build a custom flow.
Some of the leading providers worth considering are:
Auth0:
Auth0 was the first service to offer the social login widget, and it currently provides many options to administer users for mobile and web-based apps, such as:
- Login and signup widget: easy to embed in a website. Form input fields are customizable, and you can add new ones.
- Data hooks: little scripts that run between the users' interactions with the service allow interesting flows, like validating the users' data against other APIs or enhancing profiles with external resources. It is by no means powerful, and it increases complexity and fragmentation because the code lives in the Auth0 dashboard.
- Magic links: Auth0 makes adding magic links quite simple; it is a matter of toggling a setting.
- 2FA: Auth0 allows free 2FA with their app and DUO login. For text messages you would need to pay a text provider like Twilio and have an Auth0 premium account (from $10K), which is not really a realistic option.
AWS Cognito:
With up to 50K users for free, this is a more than juicy option, especially if your app is hosted on AWS.
Cognito provides a login and signup widget, with social media logins from many providers. Magic links and 2FA require custom code and wiring a bunch of services together. This is where, in my experience, AWS gets pretty tricky: it has a plethora of use cases and confusing documentation. Unless you have a developer with extensive knowledge of it and plan to stick with it for a while, it's not worth the investment.
Magic.Link:
It is an exciting option, the underdog packed with lots of potential due to its revolutionary approach of using blockchain to secure users' data. It supports popular blockchains for decentralized apps (dApps) like Ethereum and Polygon on the crypto side, plus social media logins and biometrics with WebAuthn. Users also get a blockchain address. Therefore, it is the only option that offers an authentication system with a crypto wallet. This combination provides the best UX for dApps.
The future:
I believe the future lies in biometric identification; we all have unique fingerprints or unique facial features, so why do we have to remember passwords?