Twitter has inexplicably turned off access to sign in with Twitter SSO (flipboard.social)
84 points by archb on April 4, 2023 | 55 comments



Worrying about situations like this is exactly why I try to avoid SSO at almost all costs for personal stuff, and instead prefer to use a username/email and a unique password.

I really feel for any developers who are impacted by this, as well as users who may not be able to get to some of their data.

Hopefully it's temporary, although with the Doge icon who knows...


Avoiding SSO to keep access even if you lose access to bigCo email has been working well, but unfortunately more & more websites are moving away from passwords and instead using a verification code sent by email.

Sure there are advantages to it, but if the email is bigCo, it effectively has the same drawbacks as SSO from the same bigCo (i.e. unfair account suspension, you're screwed).

With email+password, even if you lost access to let's say your Gmail, you can still login with that Gmail address and your password and go change the email in your account profile.


Yeah. I've moved most of my critical stuff off my Gmail address onto a Google Workspace account, just sucks that not everything works with a Google Workspace account. I am just hoping that actually paying them money makes it a little less likely my account will get suspended.


Got bad news for you.


I also don't use the account for anything that could get a suspension. No public user content, not used for SSO, and I don't have anything programmatically accessing my account. I know there's still a non-zero chance of getting nuked, but my risk is as near zero as it gets.


Banned for suspiciously avoiding the perks of the platform.


Banned for having a similar email to the one they intended to ban.


SSO idp would generally pass an email address through to the service, no? I could be mistaken about that, but if so, then you'd still have access to a password-recovery-by-email if the identity provider shuts down.


I've seen many systems that disallow the password reset flow when you sign in via SSO, since the expectation is that you as the service provider are not the authority for the user's identity.


Can confirm, happened to me just yesterday for ngrok.com/Login with Google.


I completely understand this, but for me this would be very difficult. I use MFA with 3 tokens (one I keep on my person, one by my home computer, and one in a safe place). If one were ever to be lost or damaged it would be a nightmare to have to go through every online account to replace it with a new token.


On a side note, I haven’t been able to log in to Twitter for a long time. Every time I try with email, phone or username it prompts me that they can’t find the user. When I search my own username without logging in it just shows up perfectly. The login has been broken for a long while now. I hope they are tooling away and fixing it, but unsure.


I have a working login on a single laptop. I can't log in anywhere else since Twitter revoked the SMS 2FA option (I had real MFA setup years ago).

Oh well, twas fun while it lasted.


I was happy seeing this news headline, as Twitter stopped accepting my TOTP after I successfully changed my password in December. I haven’t been able to log in since then, Authenticator step failing. Alas, it seems as if I missed the window; 2FA is now back being required.


I assume this was unintentional and occurred because no one who's still there knows how these systems work.


Twitter seems to be broken on Chrome too - at least for some users. I logged out & now cannot log in. Firefox works, but just super frustrating.


For anybody where this is a thing, copy the "auth_token" cookie from FF to Chrome. I also copied the "twid" cookie for extra measure (seemed relevant) - but I'm not sure if it's necessary.


Does it have anything to do with Post.news going live, given that Post uses Sign in with Twitter as one of their login options?


"Turned off", or "the last person maintaining it quit and now nobody knows how to fix it"?


Yeah, I'd bet this is the case. They just don't have anything to gain by turning it off. Do they?


Well, it is strictly speaking an API, and we all know how Saint Car feels about APIs...

(I would not be surprised if it was literally this, some sort of absurdist "no exceptions" aspect to the API-killing diktat.)


Could be some really awful ploy to get more people to pay for Twitter Blue.


Am half expecting some serious security related bug has been found in their SSO, thus them turning it off without warning until it's resolved. But, who knows...


To expect that, you would have to assume a level of responsibility to end users that I find highly unlikely at Twitter right now.


What the heck, someone flagged this?


I’m mostly impressed how shite the ”webscale” codebase is, if everything bursts to flame the moment the programmers stop babying it. Considering how many man-hours they’ve poured into the product, you’d think it would be somewhat bug free


Come back in a few years, when you’ve written software at this scale and at this velocity. I’m interested to hear what the experience has to teach you, and to see how you grow as an engineer beyond this kind of uninformed nonsense.


I'm not the one you're replying to, but I've worked on software, for far more critical infrastructure than Twitter, that has run unchanged for over 3 decades.

You only hear about the failures. You don't hear about the systems that keep on working.

> and to see how you grow as an engineer beyond this kind of uninformed nonsense.

In other words, "grow as an engineer" means "parroting the lies that keep you employed"? As the saying goes, "it is difficult to get a man to understand something, when his salary depends on his not understanding it". And that explains the sad state of most "modern" software.


The comment specifically asked for advice on software that changed with the same velocity. It’s the rolling out changes part that adds the interesting risk.


> that has run unchanged

Exactly. Software that changes as frequently as something like a Twitter (or anything of that ilk) never has the chance to reach that kind of stability. Your thirty-year system wouldn’t have the track record it does under the same set of conditions.

> In other words, "grow as an engineer" means "parroting the lies that keep you employed"?

I’m not sure what kind of leap you’re making, but it seems breathtaking.

In any case, you’ve clearly had the privilege of working on software under vastly different constraints and timeframes. That sounds fun, and interesting, but it’s comparing apples to oranges.


As a response to all the sibling comments, what need is there for Twitter to change every 3 days!?


“Need” is a strong word. I guess it doesn’t need to change. But new features == new opportunities to make money, if nothing else.


”There’s a bug, so we should rewrite the entire thing”


Seems a lot more straightforward than running software that changes every 3 days.


> ... has run unchanged for over 3 decades.

That's a good point.

For the software you worked on, is there some kind of public case story or similar that people can be pointed at to learn more?


I wouldn't exactly characterize this as "the moment" that it stops being babied. Twitter agreed to the sale a year ago, and the sale was completed last October, about 5 months ago. Plenty of time to accidentally break a dependency somewhere, even if they're not actively developing or maintaining it.


Do you have any tips for making software that is bugfree and can run indefinitely without support?


I read on HN that "no code is best code"!


Or it could be the fact that Elon is trying to have his employees work 24/7 adding whatever new ideas he has for the product and "move fast" is causing the "and break things".


Twitter was actually remarkably and usually stable. Note the past tense, it became unstable now after months of Musk ownership. You know, after he demanded fast changes.


It could be a ruse for folks to get rehired.


There is some sort of worry at certain large companies over specialized phishing/ransomware, I have heard; whether this is related, I don't know...


What is this doing to Medium? At least when I used it, it was deeply tied to Twitter.


Wow, only $50 billion of someone else's money to kill Twitter. A total bargain for humanity.


Maybe because very few people have even heard of this, much less used it?


That's irrelevant. You don't kill a service like that without a public deprecation plan and a lot of communication. Both users and services that relied on it need time to migrate.


This is what normal enterprise-facing businesses do; it is really unacceptable that Twitter did that without notice. We normally go through a legal and communication process before we turn off the lights.


I don't know about that. I've seen enough websites that have specifically removed social logins, so it appears that there is an awareness that the feature was "strings attached" kind of thing. And no, these are all tech oriented sites I've seen this on either.


[flagged]


Yes, a bunch of times. It's on the advent of code website for example, which is pretty popular.


Even as someone who likes unique logins with email and usernames, I just double checked my GitHub account and I've used that to log in to 6 sites. As I finally deactivated my Twitter account last week and didn't check... I'm 90% sure I didn't use "Login with Twitter", but I can't say for sure. If some site would only provide Login via Google or Twitter I may have. Probably nothing important, and I will find out sooner or later if I need to recover.


Yes, there are a lot of Japanese sites that use it.


My Gawker account used it.


I guarantee there are at least thousands of people who rely on this. That's a lot of people's lives.


Yes. It was a DIY repair website and a few months later they gave it up. Can't remember the name.

iFixit had SSO via Yahoo et al as well and one day it just broke.


At Twitter's scale "very few" means "a couple million"



