Allow usual mail+password login

(rugk) #1

Previously you used Persona, now you are using this Auth0 service. (Too sad you are moving away from your own free service to some strange third-party…)

Anyway, that’s not the topic here. As you can also see in Authentication issues, this new login experience is crappy. Maybe some users like this OAuth-like method. I don’t.
Apart from the insecurity of this passwordless “email login”, it is just cumbersome. Having a password manager you have two clicks to log in to any site – except this one. Either you are forced to use OAuth, trusting a third-party and using a completely unrelated OAuth provider with it (Google, GitHub). Or, you use the mail login, where you have to wait and click on a mail every time you just wanna log in for a second…
For me everything other than an old, stupid password sign in is cumbersome and really annoying. And most people should use a password manager. If you don’t, you are doing something wrong anyway…

Thanks to your transition away from Persona, your new auth mechanism, which I first tried with the mail login, which I thought would maybe prompt me for a password later and then using another auth mechanism, I now have three or more accounts here…
A usual password login as always would have prevented this and everything would have been fine… But no, you had to use this Auth0 thing…

And, BTW: You should never need a FAQ about how to log in to a website! That must be easy… And a password login is easy.

In any case, at least, please (also) allow the usual password login. Auth0 is a downgrade and a horrible user experience for me, for some users it may be different, so you can keep offering it as one way to use this forum, but I still want my usual login method, where I don’t have to tinker with this Auth0 thing.

2 Likes
(rugk) #2

BTW: I sincerely hope at least moderators and admins have better (more secure) ways to sign up, i.e. passwords.

(Gerv) #3

While I wouldn’t use the same language as rugkx, I do think that the choice of “Tell Google or Github where you are logging in, or check your email every time you want to” is not a great set of choices to give people.

5 Likes
(Eric Shepherd) #4

I agree with that, to some extent. My frustration is having to check my mail every time I want to log in. That shouldn’t be necessary. It’s not a good solution, since checking your mail isn’t always practical when trying to log in. Plus it just feels… cheap. I dunno.

Aside from that, Discourse isn’t as bad as I thought it would be. I don’t love it, but I’m not mired in despair over it either. :slight_smile:

Sheppy

2 Likes
(Leo McArdle) #5

We know the passwordless experience isn’t great, but provide it as a backup in case users can’t (or don’t want to) use LDAP, GitHub or Google.

While Discourse does offer other authentication methods (like username/password) out of the box, our authentication is completely handled by the IAM project which doesn’t currently offer that as an option. It may in the future.

Since you have an @mozilla.com email, you can always log in with LDAP.

If you have any specific requests, let us know, or if you have any broader feedback, feel free to reach out to me with a private message.

(rugk) #6

Discourse is really nice and indeed it offers its own authentication methods (just mail+password). So why not keep that? You can still offer your other ways as alternatives, but don’t force users to use “social logins” to log in to other sites!
Mail login may be a fallback, but it is not the correct one: Mail+password has been a proven way for years. It is secure and easy. No need to reinvent the wheel here. At least not with forcing users to use these “social logins” or similar stuff.

1 Like
(Eric Shepherd) #7

Sure, but I still get asked to verify myself using a code sent to me by email sometimes, even when I use LDAP to log in.

Eric Shepherd

Senior Technical Writer, MDN

MDN: https://developer.mozilla.org/

Blog: https://www.bitstampede.com/

(Leo McArdle) #8

To be clear, you can only log in with LDAP by clicking this button:

[Image: Screenshot from 2017-09-19 10-55-41]

And you’ll need to enter your LDAP password. It sounds like you’re sometimes entering your LDAP email into passwordless.

#9

I’ll chime in and say I also can’t believe you can’t access this site with a simple username and password. No wonder there are so few people using this site.

I encourage you to add simple username/password authentication, like the rest of the web is using.

2 Likes
(Peter Gervai) #10

I thought that this is some weird temporary hack until the real auth gets finished. I’m sure nobody in his sane mind considers checking email for a new login a real-life possibility to use. Right…? :worried:

1 Like
(rugk) #11

BTW also the new NoScript does not like this Authy thing. :wink:

It complains about a potential XSS attack and I have to select “Allow” to make it work.

(rugk) #12

BTW, remember: Discourse has nothing to do with this Auth0. Actually, by default Discourse has a usual mail+password login.
The decision to use Auth0 and to drop any “usual” login method is purely driven by Mozilla.

I totally like Discourse. I totally dislike Auth0 in the way it is currently done.

(Especially, but not only, because it now started deleting my accounts or preventing me from accessing them)

(rugk) #13

BTW it’s funny to see how many users are actually having issues with this login. The whole iam category basically consists of nothing other than users constantly complaining login is too hard, very simple things like changing a notification mail are nearly impossible and plus-addresses do not exist in the world Auth0 imagines… I could go on here for an hour or so.

Seriously this Auth0 thing just complicates matters and especially for something as security-sensitive as this, this is not a good idea in any way…

(Leo McArdle) closed #14
(Leo McArdle) #15

@rugkx please stop bumping old topics across the forum relating to our migration to Auth0. You’ve expressed your complaints and we’ve explained why Auth0 is better.