Worrying about situations like this is exactly why I try to avoid SSO at almost all costs for personal stuff, and instead prefer to use a username/email and a unique password.
I really feel for any developers who are impacted by this, as well as users who may not be able to get to some of their data.
Hopefully it's temporary, although with the Doge icon who knows...
Avoiding SSO to keep access even if you lose access to bigCo email has been working well, but unfortunately more & more websites are moving away from passwords to a verification code in the email instead.
Sure there are advantages to it, but if the email is bigCo, it effectively has the same drawbacks as SSO from the same bigCo (i.e. unfair account suspension, you're screwed).
With email+password, even if you lost access to let's say your Gmail, you can still log in with that Gmail address and your password and go change the email in your account profile.
Yeah. I've moved most of my critical stuff off my Gmail address onto a Google Workspace account, just sucks that not everything works with a Google Workspace account. I am just hoping that actually paying them money makes it a little less likely my account will get suspended.
I also don't use the account for anything that could get a suspension. No public user content, not used for SSO, and I don't have anything programmatically accessing my account. I know there's still a non-zero chance of getting nuked, but my risk is as near zero as it gets.
An SSO IdP would generally pass an email address through to the service, no? I could be mistaken about that, but if so, then you'd still have access to a password-recovery-by-email if the identity provider shuts down.
I've seen many systems that disallow the password reset flow when you sign in via SSO, since the expectation is that you as the service provider are not the authority for the user's identity.
I completely understand this, but for me this would be very difficult. I use MFA with 3 tokens (one I keep on my person, one by my home computer, and one in a safe place). If one were ever to be lost or damaged it would be a nightmare to have to go through every online account to replace it with a new token.
On a side note, I haven’t been able to log in to Twitter for a long time. Every time I try with email, phone or username it prompts me that they can’t find the user. When I search my own username without logging in it just shows up perfectly. The login has been broken for a long while now. I hope they are tooling away and fixing it, but unsure.
I was happy seeing this news headline, as Twitter stopped accepting my TOTP after I successfully changed my password in December. I haven’t been able to log in since then, Authenticator step failing. Alas, it seems as if I missed the window; 2FA is now back being required.
For anybody where this is a thing, copy the "auth_token" cookie from FF to Chrome. I also copied the "twid" cookie for extra measure (seemed relevant) - but I'm not sure if it's necessary.
Am half expecting some serious security related bug has been found in their SSO, thus them turning it off without warning until it's resolved. But, who knows...
I’m mostly impressed how shite the "webscale" codebase is, if everything bursts into flame the moment the programmers stop babying it. Considering how many man-hours they’ve poured into the product, you’d think it would be somewhat bug-free.
Come back in a few years, when you’ve written software at this scale and at this velocity. I’m interested to hear what the experience has to teach you, and to see how you grow as an engineer beyond this kind of uninformed nonsense.
I'm not the one you're replying to, but I've worked on software, for far more critical infrastructure than Twitter, that has run unchanged for over 3 decades.
You only hear about the failures. You don't hear about the systems that keep on working.
> and to see how you grow as an engineer beyond this kind of uninformed nonsense.
In other words, "grow as an engineer" means "parroting the lies that keep you employed"? As the saying goes, "it is difficult to get a man to understand something, when his salary depends on his not understanding it". And that explains the sad state of most "modern" software.
The comment specifically asked for advice on software that changed with the same velocity. It’s the rolling out changes part that adds the interesting risk.
Exactly. Software that changes as frequently as something like a Twitter (or anything of that ilk) never has the chance to reach that kind of stability. Your thirty-year system wouldn’t have the track record it does under the same set of conditions.
> In other words, "grow as an engineer" means "parroting the lies that keep you employed"?
I’m not sure what kind of leap you’re making, but it seems breathtaking.
In any case, you’ve clearly had the privilege of working on software under vastly different constraints and timeframes. That sounds fun, and interesting, but it’s comparing apples to oranges.
I wouldn't exactly characterize this as "the moment" that it stops being babied. Twitter agreed to the sale a year ago, and the sale was completed last October, about 5 months ago. Plenty of time to accidentally break a dependency somewhere, even if they're not actively developing or maintaining it.
Or it could be the fact that Elon is trying to have his employees work 24/7 adding whatever new ideas he has for the product and "move fast" is causing the "and break things".
Twitter was actually remarkably and usually stable. Note the past tense, it became unstable now after months of Musk ownership. You know, after he demanded fast changes.
That's irrelevant. You don't kill a service like that without a public deprecation plan and a lot of communication. Both users and services that relied on it need time to migrate.
This is what normal enterprise-facing businesses do; it is really unacceptable that Twitter did that without notice. We normally go through a legal and communication process before we turn off the lights.
I don't know about that. I've seen enough websites that have specifically removed social logins, so it appears that there is an awareness that the feature was "strings attached" kind of thing. And no, these are all tech oriented sites I've seen this on either.
Even as someone who likes unique logins with email and usernames, I just double-checked my GitHub account and I've used that to log in to 6 sites. As I finally deactivated my Twitter account last week and didn't check... I'm 90% sure I didn't use "Login with Twitter", but I can't say for sure. If some site would only provide login via Google or Twitter I may have. Probably nothing important, and I will find out sooner or later if I need to recover.