
Everyone knows the whole email/password concept is broken. I believe that overall OAuth is needed, but it needs a much stronger consumer facing view.



I'm not sure how OAuth can help. Does it allow you to choose whom to authenticate with, or does it tie you to one specific provider? I much prefer Persona, but Mozilla has abandoned it, and most resources around it are dead links. What a colossal shame.


I'm personally looking forward to something like SQRL.

https://www.grc.com/sqrl/sqrl.htm


That's also a nice protocol, but I think it requires too many extra things (mobile phone, net connection, etc). Plus, what if your key gets stolen?


It doesn't require a mobile phone. A client on your desktop can handle the authentication.

There's also a mechanism[1] to change your master key should it become compromised. Looks like a huge drawback is that it requires you to store an offline "Identity Unlock Key" somewhere.

[1] https://www.grc.com/sqrl/idlock.htm
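The master-key idea this comment refers to is easier to reason about in code. Below is an added example (not from the commenter, and not GRC's own SQRL implementation or specification) sketching the general approach SQRL takes: a client holds one master identity key, derives an independent Ed25519 key pair per site by HMAC-ing the site's domain with that master key, and authenticates by signing a server challenge bound to the domain. The site only ever stores a public key, so a breach of its database yields nothing reusable elsewhere, and the per-site keys are unlinkable across sites. The `Identity`, `Answer`, `Verify` and `Rekey` names and the `domain + "|" + nonce` message layout are this example's own choices; the Identity Unlock Key flow described at the link above is not modelled, which is exactly why `Rekey` leaves every site holding a stale public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Identity holds the client's master identity key. A real client would keep
// this encrypted under a user secret; here it is a plain 32-byte slice
// generated at startup (constructed for this example).
type Identity struct {
	master []byte
}

// NewIdentity creates a fresh random master key.
func NewIdentity() (*Identity, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &Identity{master: k}, nil
}

// siteKey derives the per-site Ed25519 key pair. HMAC-SHA256(master, domain)
// yields 32 bytes, which is exactly ed25519.SeedSize, so it serves directly as
// the seed. Distinct domains produce unrelated key pairs, so two sites cannot
// correlate the same user by comparing public keys.
func (id *Identity) siteKey(domain string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, id.master)
	mac.Write([]byte(domain))
	return ed25519.NewKeyFromSeed(mac.Sum(nil))
}

// SitePublicKey is what a site stores at enrollment in place of a password hash.
func (id *Identity) SitePublicKey(domain string) ed25519.PublicKey {
	return id.siteKey(domain).Public().(ed25519.PublicKey)
}

// challengeMessage binds the server's one-time nonce to the domain, so a
// response captured for one site is not valid at another.
func challengeMessage(domain string, nonce []byte) []byte {
	return append([]byte(domain+"|"), nonce...)
}

// Answer is the client side of the login: sign the domain-bound challenge with
// the per-site private key.
func (id *Identity) Answer(domain string, nonce []byte) []byte {
	return ed25519.Sign(id.siteKey(domain), challengeMessage(domain, nonce))
}

// Verify is the server side: check the signature against the enrolled public key.
// The nonce must be fresh and single-use on the server, or the response replays.
func Verify(domain string, pub ed25519.PublicKey, nonce, sig []byte) bool {
	return ed25519.Verify(pub, challengeMessage(domain, nonce), sig)
}

// Rekey replaces the master key after a suspected compromise. Every derived
// site key changes with it, so each site still holds the old public key; the
// identity-lock procedure the comment mentions exists to re-associate the
// account without a fresh enrollment, and is not implemented here.
func (id *Identity) Rekey() error {
	fresh, err := NewIdentity()
	if err != nil {
		return err
	}
	id.master = fresh.master
	return nil
}

func main() {
	id, err := NewIdentity()
	if err != nil {
		panic(err)
	}
	// Enrollment: the site records the per-site public key.
	enrolled := id.SitePublicKey("example.com")
	fmt.Println("example.com key:", hex.EncodeToString(enrolled))
	fmt.Println("example.org key:", hex.EncodeToString(id.SitePublicKey("example.org")))

	// Login: server issues a nonce (constructed here), client signs it.
	nonce := make([]byte, 16)
	rand.Read(nonce)
	sig := id.Answer("example.com", nonce)
	fmt.Println("login at example.com accepted:", Verify("example.com", enrolled, nonce, sig))
	fmt.Println("same response at example.org accepted:", Verify("example.org", id.SitePublicKey("example.org"), nonce, sig))

	// After rekeying, the stored public key no longer matches the client.
	id.Rekey()
	fmt.Println("login after rekey with stale enrollment:", Verify("example.com", enrolled, nonce, id.Answer("example.com", nonce)))
}
```

The thing to notice is that the site database contains nothing secret, which removes the password-reuse problem the thread opens with, while the cost moves to the client: losing or leaking the master key affects every site at once, which is why the protocol needs a separate, offline recovery secret.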


A well-implemented OAuth implementation is wonderful. Sadly, many implementations are just crappy.


What's worse than crappy implementations is that every provider has their own version of implementation-specific crappiness that is inconsistent with everyone else's.



