I'd rather set up login functionality on my own server. If you use a third party service, their downtime becomes your downtime. Worse, you're injecting another company into your relationship with your users. If that were necessary, I'd choose one the customer was already familiar with, like Google, Facebook or Twitter.
Setting up login isn't very difficult and libraries exist for most webdev languages to make it even easier. It's definitely not worth 5% of my revenue.
Login management should be built into the browsers instead. Imagine a UI where you go to log in and instead of a text/email field for login and a password field you get a drop down with a list of your personas that you’ve created with the option of adding a new one. Under the hood it would use a public/private key pair to authenticate you with the site.
Browsers could implement a service that backs up your personas and syncs them across your devices. Ideally the syncing should be cross browser too and allow me to use my own servers for this if I choose.
That sounds very much like the goals of Mozilla's Persona service. While it required a separate service and some JavaScript, the idea was that it could be supported natively by browsers in the long run.
Unfortunately, it was shut down in 2016 due to lack of interest. (Coincidentally, I just spent this past week hacking on its source code.)
Yes that’s pretty much what I was thinking of. It’s unfortunate Mozilla couldn’t keep it going. I wonder if a browser extension could make this work as a way to pave the way forward. Or if like LastPass could add such functionality.
I don't like this idea, it makes using a public/cafe computer impossible. It would also force me to have a work browser and personal browser on all my devices. I am also not a fan of google chrome trying to log me into every site with my google profile.
It isn't necessarily any worse for public/cafe computers. Just like any login system, the UI should have the ability to remember you or not.
With the browser acting as your user agent, it can manage multiple contexts (work, personal) and let you choose which is sent to each site, without the need for separate browsers for each.
As an added tangent, consider that browsers are one of the few places where we can do things like "temporarily log me out of everything" (Incognito Mode / Private Browsing). They have some level of sophistication in session management already.
> Login management should be built into the browsers instead.
I would go even further than this, and say that a cryptocurrency might be among the best ways to build a universal login system. Imagine an Ethereum-like coin where the wallet is the username, and you spend the coins while authenticating, gaining privileges, and the blockchain stores your public info like a username and avatar that you can bring to any website.
I don’t want every login to become a part of the public ledger. Do you? Also, crypto currencies are a good solution for one thing only: electronic currencies. Outside of that they are a poorer solution compared to what’s available now. Every time.
> crypto currencies are a good solution for one thing only: electronic currencies.
What is a better solution than building a tamper proof workflow in the blockchain? Examples include:
1. I sign a contract and the notary signs and uploads a copy to the blockchain to validate the contract contents, that it was signed and by whom, and when.
2. An auditor validates a piece of evidence a client provides that proves its in compliance with a particular control in some regulatory framework. The auditor uploads a SHA256 hash of the evidence in a transaction memo to the blockchain to validate against later in peer review, a lawsuit, etc.
Edit: My examples here refer to a valid use case of a blockchain and not cryptocurrencies which is what you mention, but based on context of this discussion it looks like we all actually mean blockchain and not necessarily cryptocurrency.
Those are useful examples of a blockchain. But when I log into GMail I (a) do not want this fact to be a part of a public ledger and (b) I don’t need this to be trustless. The latter is an important point: I already trust GMail with a ton of my data including the ability to reset my credentials. There is little value gained and a lot of simplicity lost in adding a blockchain to the mix.
Blockchains have several uses but to date they are narrow. Everywhere outside of their core use cases (essentially contracts or keeping track of tokens of value) they are a hindrance. Blockchains are also hugely inefficient by design (if they were they’d be easy to crack or to perform a 51% attack on), so when you are communicating with a single third party which you trust to provide a service to you, you absolutely do not need a blockchain. We have seen time and time again people trying to throw this solution at all the problems from DNS to buying groceries and yet the only solutions still worth talking about remain cryptocurrencies. Turns out well defined client/server APIs and databases actually do work about as well as anything else.
In the spirit of discussion, what could you do if you involve a blockchain in logging into GMail that you absolutely cannot do without it? If the answer is nothing, then there is zero reason to go down that path.
I agree with your points and overall sentiment, I'm simply rebutting the initial statement in your parent comment,
> crypto currencies are a good solution for one thing only: electronic currencies.
You contradict yourself by stating above you believe there's only one valid use case for blockchain, but in your most recent comment you obviously admit there are several valid use cases (though admittedly a limited number). Maybe your initial comment was meant for emphasis and not literally that you believe there is only one use case, but be careful using quantifiable verbiage or hard numbers to portray emphasis without explicitly stating that's what you're doing, your credibility gets called into question when doing so.
I definitely don't think it's /useless/, but I wouldn't use it. Someone out there wants a dead simple login solution that they can get running with a handful of lines of code.
That being said, if this was /self hostable/, I'd see myself using it on a few projects.
(You know, you can get proper italics. Wrap it in asterisks. Some discover this by accident when it mangles asterisks they meant as literal asterisks.)
While there often are built in modules for lots of platforms, it often becomes not so easy out of the box when a platform scales. Adding login to RoR is easy, but what if there suddenly is a wordpress site serving the articles, some java backend services handling other aspects etc. Or just generally lots of services that are separate. Then one suddenly needs a central authority not built in to any one service.
Then I've seen lots of people offload that to Auth0 or other managed services.
As an Auth0 user, I agree it’s not hard to setup user logins for most frameworks. The reason I’m using Auth0 boils down to business reasons not technical ones.
- If I cant make enough money per user to even pay for Auth0, why am I working on this?
- Auth0 provides more than login, its got logic related to token re-validation, signup pipelines, social platform integration, etc... sure, I could build each of these as I needed them, in fact I did previously build them for myself. However by using Auth0 I know in advance that all this kind of functionality will be available when/if I need it.
- Easy cross system auth. If I want to build something using separate services, like a front end in one tech stack and a backend/admin using a completely different stack, Auth0 makes it so easy to share logins, roles, and permissions between the two systems without having to work out how to handle it myself, or within having to run my own third system like my own installation of Keycloak or building my own equivalent to it.
That would be an ideal scenario for a SSO system. There are open source solutions like Keycloak, IdentityServer etc. While they are nice thanks to the functionality they offer, I recently tried Keycloak and found it extremely annoying to maintain thanks to the not great documentation.
Managed services like Auth0 are a great alternative, although Auth0 is one of the more expensive ones.
For small apps I found Firebase Auth to be great, for larger projects things like Amazon Cognito or Azure AD B2C are probably the better choice (although Azure AD B2C still doesn't support custom domains). They are worth a try imho, since Amazon as well as Microsoft offer a generous free teir (50k MAUs for free)
If I had some smaller website that I charge nothing or barely anything on, I might. If I had a bigger SaaS product, probably not. I wouldn't say your pricing is necessarily unfair, but paying 5% for what is probably a very small part of the application, I couldn't stomach.
A percentage fee, or even a per-user fee, would push me to do it by myself. A bad login mechanism takes a couple of hours to be integrated. A well done one, could take maybe a week (very well done, 1 dev, extreme case), but a percentage fee for any kind of decent revenue would reach that same cost within a year.
I see this working maybe for a single dev shop, but then you might prefer saving every cents you want.
Paying a fixed fee might work, but if you start charging per single user, it's problematic. I can see some value if it's per bundle of users (e. G. Every 10 users the pricing increases)
I have to say I'm personally pretty allergic to fees. Even Stripe's fees are above what I really feel comfortable with, but I'd probably pay those to deal with payments less. Anything above 1% and I'd probably be out, to be honest.
As an alternative to a fixed percent, I'd feel a lot better about a model where the fee gets progressively less with a larger amount of users. This may or may not be a personal thing.
FWIW: I think the user you are replying to is honest but an unusual case.
5% on payments might be OK until things starts to take off.
Source: I've helped launch a successful business with Shopify and Paypal 10 or so years ago. Maybe could have saved a lot in fees but that solution was so nuch easier than the rest that it was easily worth it.
Edit: the webshop and payment solution was later changed to something less expensive.
While it's interesting that you're thinking outside the box on pricing models, I would personally never signup for a login service on a revenue sharing basis - I'd much prefer a monthly fee (the standard SaaS model). The percentage also seems way to high in comparison to the value-add - Stripe, who actually process the payment, are taking less than you.
Having said that, I don't think I (or most of HN) would be the target market for this kind of login service.
But I wonder if you can find some kind of niche. Something for individuals and micro businesses that have no tech chops and just want an easy way to sell stuff. For that though, you'd need to go further than login, perhaps turning it into a WordPress plugin (or for another platform), and doing something to provide sales through Stripe, so the user doesn't have to build that themselves.
I think an issue to monetize this is that if you build a web app, you are going to have a way to send emails, and a "users" table.
Implementing email login on top of that is probably as easy as integrating with an external service, without the risk and the concerns about leaking user emails.
I am afraid, I would not use it. As others pointed it out, login is such a small part of a system that it's not worth employing a 3rd party service to get it working.
Also, using this service requires trust. I personally don't use nor implement FB, Google, etc logins either as I don't trust them.
Wouldn’t it be „wrong“ to teach my users to trust login emails coming from a foreign domain? Also, how do you plan to keep your emails out of spam folders and blacklists? From your website it wasn’t clear to me how I would check the login code for validity.
Original intent notwithstanding, defaulting communication to a junk box is absolutely the correct stance given the current signal to noise ratio in email.
This is actually a really cool idea. I think the people who are saying they don’t want to inject a 3rd party in the middle of their business are missing the point or are working on projects large enough that this doesn’t make sense.
A 5-7% overall fee (once stripe’s fees are taken into account) could make sense for a lot of small businesses that don’t want to manage this stuff, although I feel realistically you could reduce your fee significantly for larger customers.
The fee structure also starts to make a lot more sense if the focus is less on login, and more about making it really easy to monetize your product (different subscription tiers, gating features, pricing suggestions, funnel analysis, a landing page generator, etc).
Regardless I’ve built side projects before that still have lots of daily active users that I never monetized because I couldn’t be bothered to do all the payment and subscription integration work.
If I could start a new project today and know that I have:
1) User management (auth, password reset, etc) which is tedious to reimplement
2) Payments
Working from day one that’s a very enticing idea, although you’ll need to build faith that your service is reliable and will be around for a long time to get people to start using it.
My email is in my bio, feel free to reach out, I’d love to chat about it a bit more.
If my app is small, I'll roll my own or use the free tier from Auth0 or Okta.
If my app gets big, I'll roll my own or pay for Auth0 or Okta.
Like a lot of SAAS ideas, a login service is: too critical to trust with an unknown, already a mature SAAS offering elsewhere, and easy enough to implement yourself if you don't want to pay for it.
I like the idea but what benefits do you provide over using SSO with Google and setting up stripe myself? I'm not sure ease of use would bring me to use you over what is currently available
I am currently using Auth0 which has all the cool functionality of logging in with 3rd party services, user management, and so forth. I think I am paying them $25/m to use it, something fairly trivial but non-zero.
If I were getting started with logins again, I'd say I could pay you $250 one time just to download all the code, and roll it out on my own systems in minutes. This way I'd have user auth with easiest setup, and no need to reinvent it on my own. Probably.
But, are you just testing things, or is Login.land real? Since your own login system asks for password, instead of email-based auth like you are showing in the screenshots, I suspect that maybe this is just a test :)
Definitely early stages – mostly looking for feedback on the landing page / demo!
Agree that it’s hard to compete with more full-service solutions like Auth0/Firebase. Maybe there’s some variant of this, like self-hosted, that could work :)
I'm currently building a kind of game website that needs a login system.
I like the idea of going passwordless and just checking an email and clicking a button. That seems low friction. I like that you don't require a credit card from me. I also don't expect to charge users ever so I like that the service would be free.
On the other hand, my hope in building my current project is that I'll show it some people and they'll enjoy it and I'll keep working on it and more people will keep using it etc. If that does happen I'd want complete control over the login system and I'd hate to be in a situation where I couldn't make changes to the system (or remove your component) because my users were already logging in via loginland.
For example, I imagine a future where people love my game it's taking off, but there are problems with your service. If I replace it, I have to figure out a way to preserve the accounts and logins of current users while simultaneously giving a good experience to future users. It seems easier to just do a minimal login system on my own now and improve it as needed.
Finally, if I were in a money making venture, I'd have the same concerns plus I'd realize the cost of 5% is probably disproportionate to the savings - which would be having to implement a very well understood solution.
My first thought when I was going through the page: HN will not see much value in this given it's a highly technical crowd.
I urge you NOT to get discouraged, and to chat with non-technical online small business builders: you'd find many who market primarily on Instagram, who are just figuring out how to get a nice website for their brand.
I see a lot of value if you position your service as a way for them to offer a tiered loyalty program for their customers: i.e. "log-in via loginland, buy on our site and rack up points that you can redeem later!".
Not sure what the integration would look like with their existing website builder stack, but could be fruitful to look into this.
Also, there are MANY brands looking to spin up their first online store for their brand - may even make sense to offer a very basic product listing that lets them sell products and manage loyalty programs easily with their customers.
Just a few suggestions that stemmed from recent conversations with founders of these kinds of small scale Insta-marketed brands.
Following up on @kupuluri's note, focus heavily on a very simple very clear tutorial/walkthrough. If you can't make the tutorial simple, keep iterating on the product until you can.
Okta and Auth0 and Cognito are big established competitors but their products are complicated. If you've never done auth before it's not easy to figure out which of the many approaches and examples those services offer is the right one to use, and it's a big job to puzzle through and get them to work.
Handle the 80% case incredibly well with an incredibly simple tutorial. Leave everything that won't fit into the incredibly simple tutorial for later.
TLDR: Our company's target audience is small brands that market primarily on Insta & Tik tok w/out websites yet - in India. So far, it's been a very manual process to build a list of them. After every conversation we have, we ask them for referrals (interestingly, Insta-based small business owners seem to be well connected in India). There are also event organizers that have insta profiles where they showcase brands that present at their events.
I recently made the toss up between Auth0 and my own system. Ultimately I couldn't bring myself to use Auth0, it wasn't the price but the lockin that got me. Being able to log into a product is a key gate and I don't want to lose control over that even if it is slightly more work in the early days. What's more, it becomes extremely hard to migrate away from.
As someone else suggested in here, I'd be happy to do a one off payment for a system under my control. However, a handing over the literal keys to my product is not something that I'm comfortable doing, especially without reassurances that I can easily migrate away from it. The fact that there are so many good libraries that deal with the most painful parts of this just make the sale harder for me.
Your fee example seems either plain wrong or dishonest. If you use Stripe to handle payments, the fee of using your service must be higher than using Stripe directly. But you claim that Stripe would take 35c, but you only 25c.
I’ll try to make this clearer, thanks for the feedback! You’d pay both, the Loginland fee on top of Stripe’s rate. (This is a pretty common pricing model for platforms – BuyMeACoffee has a similar 5% rate on top of Stripe). Open to suggestions! :)
If so, that‘s what I would call dishonest pricing. I expect you to tell me your fee, and that should include all your internal cost of providing the service. Sounds like an architect selling a house for 10k. But wait, footnote says „don‘t forget the contractors will take an additional 100k“.
Why would the Login website redirect to Loginland instead of just sending the email directly and displaying an "please check your email" popup? One less page load.
Why would the email redirect to Loginland, not to the original website? OK maybe that's absolutely necessary because of some invasive anti-privacy user tracking, but even then, why would Loginland website tell you to close the window and go back to the original window (what if the user closed it already??), which would only then redirect to original website?
- for trivial projects, I don’t want them to stop working one day
- for more serious services, moving login to a third party is a huge risk. The upside isn’t worth the risk. Even if it did your pricing is way too expensive, but that could be fixed.
No, not me personally, however if someone lacked the skill to build a login system and lacked the risk aversion to outsourcing it (which I’m guessing is not uncommon because that risk aversion comes with experience) then perhaps there is a market at the right price.
I'll comment in an end user standpoint. I'm not trying to debunk your idea. I know, having an idea and acting on it is a hard thing and kudos for that. I would love easier login process on every site.
I don't know your likely use case or target market. So I'm using an imaginary one based on my usage.
Disclaimer: I'm not your average user. I use password managers heavily. But on the other hand every browser have some kind of integrated password manager.
My imaginary scenario has these assumptions:
- This website relatively simple and offers unimportant service because otherwise it's not a good practice to use this service. So my security need relatively low.
- I'm using this site relatively often. Maybe a few times a week. Otherwise these points are not that important.
My imaginary scenario has two cases:
- I'm using my regular PC & Browser
On a website using this service, I always have to open my email address and click a link to approve login. And if there is a "Remember Me" option only the first time. So my cumulative additional cost between somewhere 1 - infinity extra steps.
On a regular site, I'm already in here. I'll just hit a key combination for password manager and I'm done. And if I'm using browser's password manager I'll probably just need to click login.
- I'm using a new PC and/or a brand new Browser/Profile
My email address has 2FA active with a really complex password. This just caused me unnecessarily 3 step instead of 1 to login.
First thing I noticed, hovering the big "Get started" button did not change my mouse cursor to a link-pointer. Just a small suggestion :).
Edit: Also, after clicking on "Get Started", the first field (email) should be in focus so the user can start typing, without having to move their mouse and click it first.
Edit 2: I love the simplicity of this tool. The interface is pretty good (but not yet great). How can I contact you?
Anything that requires me to traverse through different applications to login to a website, unless it is managing my money or very sensitive personal information, is NOT SIMPLE.
And for those which require more than one app to login, I much prefer tried and true 2FA apps like google authenticator or Authy or RSA tokens etc. Email is inherently insecure. Why make my 2FA an email?
You enter your email, get taken to a page that tells you to open the email. If you close that page then you can't login even after clicking the link in the email as you need to leave that tab open, open a new tab for your email, open the link in the email, close that and go back to the original login tab.
Why can't you just click the link in the email and you login?
It’s not free if you ask for a share, therefore the title is misleading. Maybe title “I built a simple login service” would be more fitting. However, I would need to question simplicity as checking your email is far away from simplicity UX wise.
I wouldn’t use your service if you would pay me to use it. Comparing your service with Stripe is just ridiculous...
I can definitely see myself using it when creating an MVP, but longer-term I'd probably set one up myself.
In terms of the pricing, it may be worth considering a cap (e.g. 5% on successful payments up to a maximum of $Y a month), otherwise, you might find that your entire userbase ends up being comprised of early-stage projects that are making little to no money.
It seems interesting but does the user have to check email any time he/she decides to log in to my service?
If so i don't consider it interesting.
I would consider very interesting something similar to firebase authentication without having to include all the google privacy killer stuffs and for free.
(Edit: i didn't read the text where you explain how you make money)
Thanks for the feedback! Currently passwordless email confirmation is the only supported login flow, but I’m thinking about building alternatives like Twitter OAuth, or a password based flow.
Does the pricing model make this less appealing to you? Open to adjusting it!
Well since i'm interested only on the auth part, it would be ok for me and if i had to charge i would implement Stripe my self in the project so i'm not sure you will be able to raise a lot of money
As a software developer, I wouldn't use this service. But if I was someone without my skillset trying to build a no-code / low-code MVP, I definitely would try this out! I think that may be your sweet spot. I don't think HN is your ideal audience.
This is really cool, and its an interesting way to try to monetize what would otherwise be a relatively small service.
The big issues here are trust and security. Before using a third-party login, especially if it isn't one of the big ones, I would need to understand more of how it is handling the data. A breach in your service translates directly to a breach in mine, and the intro page does not describe many of the details.
Does using your service offer the end users any benefit compared to a third party login or built-in login service? As it stands, it seems like they will be giving their email address to yet another company, which may erode their trust in my own service.
Google signin is used because of Chrome/Android(Or browsers in general because of Google account which many people have it atleast because of Gmail).
Apple ID( their login ) is useful because of Apple ecosystem which constitutes IOS,MacOS,etc.
So,there is no appealing reason to use your product. What if it is down in future? Also,it's closed source and not federated.
I am interested in federated login system(Probably OpenID based?)
Think it like a single self hosted login system for all Gitea(which may happen in future)/Gitlab instances or federated open sourced self hosted(or company hosted) alternative to Google signin , speaking common protocol.
The market you want to target is people who aren't software engineers but want to run a simple website. The gulf for someone who just wants to serve a static html site but wants to have some content that requires secure access is huge right now.
Consider the use case for a person buying woodworking plans from a website. Payment required to access pdf plans, but the owner of the website wants to set it up once and not worry about it, and not to have to learn anything more about coding than they have to.
I believe people call these "magic links" or "magic URLs". There is definitely a market for it, I recommend searching for competitors and see what you're up against.
I tried setting up an account and got a Firebase error, but generally the answer is no. Sorry.
I'd have to have faith that your implementation of the login flow is more secure than one I could build or get elsewhere. Any weird security smells (like the login page differentiating invalid user email address from invalid password and leaking Firebase errors to the user) are going to lead me to believe that the code hasn't been reviewed from a security perspective.
Thanks for the feedback! This is definitely early stages – mostly looking for feedback on the product and landing page, but I’m definitely embarrassed you ran into that Firebase error! I built the admin side using Firebase auth to get started, but have been planning to move it over to Loginland...
I would only use it if I needed to create a quick MVP/PoC but then I'd fastly run to implement it once the idea is validated.
In addition to the reasons already mentioned here, I'd say login is one of those features every language has a ready-to-use library for.
Also, it might be that a certain ACL is required too, which is typically very specific for your domain.
While I like this a lot, I don't like the idea of creating a new customer in Stripe every time someone signs up as a free user. Perhaps this works better for other types of businesses.
It's a fun project, and kudos for shipping something at all!
My honest feedback:
There are already a host of services that do authentication, and a host of services that do payment and subscription management, and the leaders in each of those spaces are actually quite good. Loginland currently sits in the middle - it's not the best authentication system, nor is it the best payment system. It's just a little bit of both.
So, how do you combine the individual value of those services into something that is distinctly valuable? An interesting example in this space is fast.co. I have no idea if they will ultimately be successful or not. However, they verticalized specifically to e-commerce and combined login + checkout to a single step that is significantly easier/faster for the customer than a conventional checkout process. The pitch to the seller is: higher conversion rate, meaning more revenue (and we can potentially reduce fraud in the process). Among other things, they do this by opting for a fixed-time instant cancellation window after the order, rather than putting up a confirmation page beforehand. They use the strength of the identity system to streamline the checkout process, which is a unique merging of those two things that provides real value. There's also not much downside, as the traditional e-commerce customer doesn't associate much value with customer identities in the same way that a SaaS platform might. As it currently sits, I don't see that value unlock for loginland, so it feels like a mushy middle position.
Another direction here is thinking through how media is monetized. Right now, most major news publication (NYTimes, Washington Post, BBC, etc) have login and identity management mostly for managing subscriptions to news content (the identity itself isn't a ton of value to these companies). I believe there is probably a business that can be built around offloading identity and payment for these companies (customer has a relationship with loginland, loginland can get me into Washington Post content in a single click). Helping news companies shift more of their revenue from ads-based to consumption based or recurring would be huge. This business may already exists in several forms (I personally know a founder that started one which ultimately did not work out), but is another example of a vertical play.
In short, as you navigate next steps for this product, I'd advise you to keep an eye on where your customers will really get value from you. Streamlining identity management or checkout might not have as much of a conversion lift for SaaS as it would for other industries where purchase intent is lower. Look first for those, and see how you can best help them. Don't get discouraged by the comments here, though. Often times tiny tweaks make all the difference between success and failure.
Thank you so much for this thoughtful comment! I really appreciate your feedback, and the encouragement :)
I totally agree with you that it feels like this product currently sits in a weird mushy middle – not a great fit for coders on HN, and not differentiated enough in the crowded no-code-storefront space.
He does not have to be there in 10 years. If his service where to go away you just change the login system to something else, there are open source alternatives. The id is the email, so there is no lock-in. That's for the login-part at least, adding stripe manually on top would be a bit more complicated, but doable.
Why would anyone use this? Just write your own login, it's not hard, and you don't have the dependency on a 3rd party site that can go down at any point in time.
I agree that writing your own login routines is not hard, except I wouldn’t want anyone to have the impression that it’s trivial.
It’s not trivial. It requires some knowledge to do it well. Off the top of my head—choice of unique identifier, password complexity rules, hashing best practices, registration flows, recovery flows, abuse detection, markup hinting for password managers... I could go on.
I'd rather set up login functionality on my own server. If you use a third party service, their downtime becomes your downtime. Worse, you're injecting another company into your relationship with your users. If that were necessary, I'd choose one the customer was already familiar with, like Google, Facebook or Twitter.
Setting up login isn't very difficult and libraries exist for most webdev languages to make it even easier. It's definitely not worth 5% of my revenue.