Allow usual mail+password login


(rugk) #1

Previously you used Persona, now you are using this Auth0 service. (Too sad you are moving away from your own free service to some strange third-party…)

Anyway, that’s not the topic here. As you can also see in Authentication issues, this new login experience is crappy. Maybe some users like this OAuth-like method. I don’t.
Apart from the insecurity of this passwordless “email login”, it is just cumbersome. Having a password manager you have two clicks to log in to any site – except this one. Either you are forced to use OAuth, trusting a third-party and using a completely unrelated OAuth provider with it (Google, GitHub). Or, you use the mail login, where you have to wait and click on a mail every time you just wanna log in for a second…
For me everything else than an old, stupid password sign in is cumbersome and really annoying. And most people should use a password manager. If you don’t, you are doing something wrong anyway…

Thanks to your transition away from Persona, your new auth mechanism, which I first tried with the mail login, which I thought would maybe prompt me for a password later and then using another auth mechanism, I now have three or more accounts here…
A usual password login as always would have prevented this and everything would have been fine… But no, you had to use this Auth0 thing…

And, BTW: You should never need a FAQ about how to log in to a website! That must be easy… And a password login is easy.

In any case, at least, please (also) allow the usual password login. Auth0 is a downgrade and a horrible user experience for me, for some users it may be different, so you can keep offering it as one way to use this forum, but I still want my usual login method, where I don’t have to tinker with this Auth0 thing.


(rugk) #2

BTW: I sincerely hope at least moderators and admins have better (more secure) ways to sign up, i.e. passwords.


(Gerv) #3

While I wouldn’t use the same language as rugkx, I do think that the choice of “Tell Google or Github where you are logging in, or check your email every time you want to” is not a great set of choices to give people.


(Eric Shepherd) #4

I agree with that, to some extent. My frustration is having to check my mail every time I want to log in. That shouldn’t be necessary. It’s not a good solution, since checking your mail isn’t always practical when trying to log in. Plus it just feels… cheap. I dunno.

Aside from that, Discourse isn’t as bad as I thought it would be. I don’t love it, but I’m not mired in despair over it either. :slight_smile:

Sheppy


(Leo McArdle) #5

We know the passwordless experience isn’t great, but provide it as a backup in case users can’t (or don’t want to) use LDAP, GitHub or Google.

While Discourse does offer other authentication methods (like username/password) out of the box, our authentication is completely handled by the IAM project which doesn’t currently offer that as an option. It may in the future.

Since you have an @mozilla.com email, you can always log in with LDAP.

If you have any specific requests, let us know, or if you have any broader feedback, feel free to reach out to me with a private message.


(rugk) #6

Discourse is really nice and indeed it offers its own authentication methods (just mail+password). So why not keep that? You can still offer your other ways as alternatives, but don’t force users to use “social logins” to log in to other sites!
Mail login may be a fallback, but it is not the correct one: Mail+password has been a proven way for years. It is secure and easy. No need to reinvent the wheel here. At least not with forcing users to use these “social logins” or similar stuff.


(Eric Shepherd) #7

Sure, but I still get asked to verify myself using a code sent to me by email sometimes, even when I use LDAP to log in.

Eric Shepherd

Senior Technical Writer, MDN

MDN: https://developer.mozilla.org/

Blog: https://www.bitstampede.com/


(Leo McArdle) #8

To be clear, you can only log in with LDAP by clicking this button:

[Image: Screenshot from 2017-09-19 10-55-41]

And you’ll need to enter your LDAP password. It sounds like you’re sometimes entering your LDAP email into passwordless.


#9

I’ll chime in and say I also can’t believe you can’t access this site with a simple username and password. No wonder there are so few people using this site.

I encourage you to add simple username/password authentication, like the rest of the web is using.


(Peter Gervai) #10

I thought that this is some weird temporary hack until the real auth gets finished. I’m sure nobody in his sane mind considers checking email for a new login a real-life possibility to use. Right…? :worried:


(rugk) #11

BTW also the new NoScript does not like this Authy thing. :wink:

It complains about a potential XSS attack and I have to select “Allow” to make it work.