
Ask HN: You're building an app in 2016 – How would you let users login? - somesaba
1. Facebook Login (or other social logins)

2. Phone number with SMS code

3. Username/pass

4. Email/pass (Email will need to be verified)

Would like to hear people's opinions. Assuming the app doesn't absolutely need
Facebook's social data, all the options seem viable with different pros/cons.
======
jjoe
I think we're back to email/pass as a preference. Because folks are so wary of
apps requesting permission to their social accounts or people no longer using
said social network. There's definitely social fatigue in the air.

------
such_a_casual
I would try to get away with the most minimal thing possible. Ideally I would
do the same thing flash games have always done and create a cookie for the
user.

If they need to login from a different place, I would put a simple 1 line form
and button for emailing a link that would allow them to do that.

If it was necessary, I would give them the option to backup their account to
an email address. This would just set the hash to something new so that the
old cookie info no longer works, and they only have to click the reactivation
email.

If this is an account where virtual goods are purchased (like Steam) and so
there is actual value to the account, I would do email + phone backup. Phone
backups aren't good enough on their own because people switch phone numbers.
Emails aren't good enough on their own because people reuse login data all the
time. This is the only case where I wouldn't store login data using cookies.

Forcing registrations and logins on the user really doesn't make sense 99% of
the time.

------
codeonfire
In 2016 there are different levels of logged in:

L1 - I think I know who you are because you have a cookie or I remember your
IP or browser fingerprint

L2 - I definitely know who you are because you logged in during this session
and have a cookie

L3 - I trust you enough to show you your user info over https since I just
asked you to log in and you gave a password or verified you with facebook.

Obviously some bigger names are experimenting and trust their tracking enough
to do away with authentication for some things. Personally, I have an
anonymous mode on one site. It is "I don't know who you are but I remember
you." They can use the site and then convert to a real user with facebook,
google, or email/password.

------
miguelrochefort
I already have 1000 different accounts on 1000 different websites. I don't
want yet another one. Can someone fix that?

Fuck emails. Fuck passwords. I don't want to deal with any of these things.
What's the purpose of being logged-in anyways?

~~~
somesaba
This is an interesting thought. The point of logging in would be to save user
state, but maybe users can opt-out of that for certain apps... hmm

~~~
miguelrochefort
There are better ways.

------
chris_va
I chose to do Facebook and email/password.

SMS costs a very tiny amount of money, and didn't offer any advantages (you
can't get at the user's phone # on ios, so you cannot prefill, thus email had
a similar level of friction from the user's perspective).

~~~
pyvek
I've seen some of the large websites in India offer OTP (one time password)
login using SMS, which I personally have used many times. You enter your
mobile no, get an OTP and login with that. Removes the hassle of remembering
the password.

------
danielhellier
5. Email a login link to the user's verified email address. No need for a
password.

~~~
siquick
This sounds like the least user-friendly option available and a real
obstruction, especially if using the application on a mobile device.

Plus the whole thing becomes unsecure if users start forwarding the email to
others without thinking of the implications.

~~~
kleer001
> users start forwarding the email

What if the link is only good once? Problem solved.
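
A sketch of the single-use login link discussed in this sub-thread, as an added example that is not part of the original thread. The `LoginLinkStore` class, the 15-minute lifetime and the sample address are assumptions made for illustration.

```python
import hashlib
import secrets
import time


class LoginLinkStore:
    """In-memory store of pending login links; a real app would use its database."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._pending = {}  # sha256(token) -> (email, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email):
        """Return the secret token to embed in the emailed link."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Only the hash is stored, so a leaked table cannot be replayed as links.
        self._pending[self._digest(token)] = (email, self.clock() + self.ttl)
        return token

    def redeem(self, token):
        """Return the email for a valid token and consume it; None otherwise."""
        # pop() removes the entry in the same step that reads it, so a second
        # click (or a forwarded copy used later) finds nothing.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self.clock() > expires_at:
            return None  # expired links are consumed too, never revived
        return email


def demo():
    now = [1_000_000.0]  # constructed fake clock so the demo is deterministic
    store = LoginLinkStore(ttl_seconds=900, clock=lambda: now[0])
    first = store.issue("alice@example.com")  # constructed sample address
    results = [store.redeem(first), store.redeem(first)]  # click, then replay
    stale = store.issue("alice@example.com")
    now[0] += 901  # link sits in the inbox past its lifetime
    results.append(store.redeem(stale))
    results.append(store.redeem("not-a-real-token"))
    return results
```

Single use stops replay of a link that has already been clicked, but whoever redeems it first is the one logged in, so a link forwarded before its first use still works for the recipient; the short lifetime only narrows that window.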

------
brudgers
What will users get out of logging in?

Which is to say that the first options would be simply for the app to work
without anyone having to log in. That's practical for some apps, and of course
not for others. The larger point is that just as a login mechanism might not
be necessary, if it is necessary the choice of mechanism should make sense
given the nature of the app...don't use Twitter for a self-help app for
narcissism or Instagram for a seniors lifestyle app.

As for the alternatives, what good could possibly come out of storing
name/email and password pairs?

------
tmaly
I built a mobile web app, and I started out with just Facebook and Twitter
login. However, I have some friends who are privacy conscious and they do not
have social media. They would prefer to have an email/pass login option.

So that is next on my list to add to this current project.

~~~
somesaba
Would you say that's a small percent of your user base? Most of my friends
hate the idea of needing to login via Facebook, but it is truly the simplest
for them - and I'm not sure if my friends are just disproportionately biased.
I'm also not sure if I want to depend on a third party.

------
jordansmith
Really it depends on the app, but for the most part I like to give options for
1, 3, and 4. Social login is linked to an actual account that can be used for
3/4 if they want.

------
IshmaelF
People really like email/pass, the more lazy ones use facebook and other
social. SMS costs money and I don't see the advantage of it.

