
The simple solution is to do email signup in my opinion.

I don't want to be beholden to oauth providers for my account. A lot of services that provide OAuth signup/signin do it in a way that locks you out of the account if you can't use the OAuth provider anymore.



I don't remember exactly what happened but I initially created my Spotify account with an email, but then I became linked to my Facebook account, so my Spotify data (profile pic, name...) were pulled from my Facebook account. And for a few years I wasn't able to break this link, so I was stuck with my Facebook account, even though I wanted to get rid of it. Then one day, I was able to transform back my Spotify account to an email one, and I deleted my Facebook account.

I had several exchanges with Spotify support which were basically useless. Basically it was something like, because I used the same email address for both accounts, they automatically made the link.

Now I always use email login and I use + aliases, not only to avoid that mess but obviously to better track data leaks/sellers.


I'm in the exact same boat right now. I'm too lazy to fix it, so this is basically the only reason I still have my FB account.


Sounds like a win from a product perspective, higher retention! Clearly a feature, not a bug. The metrics don’t lie! /s


PSA: you can often "upgrade" to email/password auth on sites that support it by doing a normal "forgot password" flow with the same email address as your OAuth account.


Sometimes. It depends on how they bind your account. On the projects I’ve worked on, we’d always “upgrade” but I’ve seen plenty of sites that just create a new account. A behavior I find very annoying.

I have noticed a trend in many sites to reduce the number of social signin options down to maybe google (for android) and apple (for iOS) plus email / password. I suspect the “which signin method did I use” is one of the main reasons. That and clutter reduction.

By the way one of the big reasons a site might push you toward social signin is because those accounts are usually already verified. When you run through your own email / password flow you need to verify the email yourself (if that is important to your product). It’s an extra step that doesn’t need to happen when you click the magic google / apple button.


Key word is "often", I have heard too many stories where that is not the case.


That is the beauty of password managers these days: I can manage a separate password for everything and it syncs to all my computers.

Plus by using a password manager I give the big players less ability to track me. (they still track me, but I'm not logged into them in the tab they are tracking which leaves some doubt for their algorithms)


Disclosure, I work in this space, for a company called FusionAuth.

> I don't want to be beholden to oauth providers for my account.

And which email provider are you using? You rely on them too, right? If you use a free email provider like Gmail or others, you are relying on them.

Personally I'm a big fan of letting someone log in any which way they want.

OAuth (or federated login if we're being precise) decreases friction.

Here's a link from Auth0 which references some other links talking about double digit increases in conversions when social login is available: https://auth0.com/blog/how-to-use-social-login-to-drive-your...

If it is a business to business app, and your employer is paying for it, the employer typically wants to use their own SAML or OIDC based login system.

It does depend on your user base too. If you are targeting devs, adding login with github is a good idea. For more mass market users, Facebook. If you are in China, you'd be a fool not to offer login with WeChat. And so on.

I personally like having email as a backup option and always advocate making it available as a baseline.


> And which email provider are you using? You rely on them too, right? If you use a free email provider like Gmail or others, you are relying on them.

today gmail, next month fastmail, next year self hosted.

once I move off of gmail, all the google oauth stuff breaks. So yea, you might today be beholden to one, but that can easily change


> And which email provider are you using? You rely on them too, right?

Not really, as I use my own domain so can just move that between providers. Exactly because I also don't want to be beholden to a free mail provider either.

> Personally I'm a big fan of letting someone log in any which way they want.

Sure, if people do want to use oauth by all means they should. I just don't think the short term signup convenience outweighs the longer term stuff like:

- annoyances of remembering how you signed up, the initial context I replied to.

- Having an extra service mixed in

- The privacy implications of your oauth provider having a neat list of the services you use.

> Here's a link from Auth0 which references some other links talking about double digit increases in conversions when social login is available: https://auth0.com/blog/how-to-use-social-login-to-drive-your...

Not relevant to me as a user ;) I get why companies provide it. I just choose not to for the reasons already mentioned.



