I'm a solo developer building a consumer website in which users must log in to access the content. I'm curious what your preferences are for website log-ins.
- Security is important. It would be bad if a malicious party gained access to emails and passwords, since people often reuse passwords across sites
- I am not highly-skilled in web security (not my background)
- Companies, such as Google, can do security better than I can
Options I see:
1. Do it all in-house. Users create an account with a log-in and password, which I store and secure.
2. 3rd-party log-in, such as Google. Users log in with their Google account, and I don't store any password data.
3. "Magic Link": when users want to log in, they receive an email with a link to log into the site. I also don't store any passwords.
#2: It seems some people don't like using these. Reasons could be: not trusting my site, wanting to create throwaway accounts, not having a Google or other 3rd party account at all.
#3: I like these, but it adds a step where users leave the site. It also seems that relatively few websites use this style of authentication?
#2 and #3 also reduce ease of use, since users won't be able to use a password storage application such as LastPass. They'll always have to go through additional steps (clicks) to log in.
I think the end result is some combination of these, but not all 3. It would be helpful to hear your perspective: if I'm overestimating the difficulty of securing password data, what tradeoffs I should consider, personal preferences on the above, and any options I may have missed. Also wondering if 2FA is an absolute must for this type of site.
Also note: I do payment processing via Stripe, and don't store credit card info in my databases. The most financial damage someone could do on my site would be to purchase a single monthly subscription. Of course, there is a greater risk if people use the same email and password log-in as they do for their banking, for example.