
I never understood "Login with ..." from a user perspective. I'm supposed to enter my Facebook/Google login credentials on some random website?

How does the user know it's legit?




That's the whole point of OAuth - you don't enter your credentials on "some random website", but you only have to enter your credentials on the identity provider's site. Frankly I trust Google and Facebook to keep my credentials secure a lot more than some random website.


I wonder how easy it would be to spoof a "login with Facebook" flow on a mobile app.


Can't be that hard.

On Apple though, your app might be taken down fast if you end up doing that. Doesn't mean you won't fool a few suckers though.


But how do I, as a website user, know who I'm giving my credentials to?


I mean, it is rather obvious if one has taken the time to go through such a flow (or even to just look at screenshots of how it works).


You can check the address bar and TLS certificate.


I can do that as a professional. But even I don't trust popup windows for Google/Facebook/my bank opened from another website.

I prefer to educate people to only enter credentials when they have opened the website manually by themselves. That is also easier than trying to teach someone who can't distinguish between the address bar and the Google search field what a domain and TLS are.
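As an added illustration of the "check the address bar" advice in this exchange (example code, not something posted in the thread): a small Python checker that decides whether the URL a login popup is showing really belongs to the identity provider. The allowlist of provider login hosts is constructed for the example; the point is that the check is an exact host match over HTTPS, so the lookalike forms that "it says google somewhere in the URL" would accept are rejected with a reason.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: the hosts on which the real
# providers present their login pages. Extend it for your own deployment.
TRUSTED_LOGIN_HOSTS = {
    "google": {"accounts.google.com"},
    "facebook": {"www.facebook.com", "m.facebook.com"},
}


def classify_login_url(url: str, provider: str) -> str:
    """Explain why the URL in the address bar does or does not belong to `provider`.

    Returns one of: "ok", "bad-url", "not-https", "userinfo-trick",
    "lookalike-host", "unknown-host".
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return "bad-url"
    if parts.scheme != "https":
        # Credentials must never travel over plain HTTP, and no provider
        # serves its login page that way.
        return "not-https"
    # .hostname strips userinfo and port and lowercases the name.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "bad-url"
    trusted = TRUSTED_LOGIN_HOSTS.get(provider, set())
    if parts.username is not None:
        # "https://accounts.google.com@other.example/": the familiar name is
        # only the userinfo part; the browser actually connects to the host
        # after the "@". A skim of the address bar misses this.
        return "userinfo-trick"
    if host in trusted:
        return "ok"
    if any(t in host for t in trusted):
        # "accounts.google.com.other.example" contains the provider's name
        # but is registered under an unrelated domain.
        return "lookalike-host"
    return "unknown-host"


def login_url_is_trusted(url: str, provider: str) -> bool:
    """Boolean form of the same check, for use in an allow/deny decision."""
    return classify_login_url(url, provider) == "ok"
```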


So maybe an app could send a request to Apple, then require you to open a new window and log in to the Apple site, navigate to an apps request page, find the right request, allow it, then go back to the original app. Or maybe copy a really long string and paste it, then copy the response and paste it back into the app. But you can see why no one did it this way right?



