How hard is it to implement email verification?

Harder, actually.

That's the point of OAuth, which is what you're seeing there.

The idea is that you're you and you have a... google account. This shitty little website doesn't want to be responsible for you login details, because those can get stolen. Maybe they contain an email address, which is a problem. Software needs to be updated, it's all a big. They don't want to touch anything in terms of security that identifies you as you.

Maybe all the website does is save your favorite pepe memes. They don't need anything else from you, but they still need to have something to get a user id and make sure nobody messes with your pepe meme collection. That's where this system comes in, because the rest of website becomes significantly easier. They don't need to store anything personally identifying, all they get is an ID and they can connect it with your pepes.

The only downside to OAuth is, as you can also see, that it's corpos you don't want to trust that are offering it.

It reminds of this:

There were more options on the website, but I forgot the name of the website, and I cannot find it now... :(

If I don’t have the option to use email or continue as guest I refuse to use whatever the site or app is.

Datamining.

Yes, I prefer an Email/password, too, so to depend less on third-parties, and keep it more transparent.

Yet, OAuth/OpenID is significantly easier legally and financially than Email processing (even via outsourced services as MailChimp) and store someone's personal information as Email address in databases, if compared to a social account ID, in long term.

Not only that, but OAuth providers have APIs to get sufficient User information, and regularly actualize, including: Name, Email (yet, by requested/allowed scope only), activity on that social network as posts/channels/followers count etc., which may be a requirement for their Staff/algorithms to determine the priorities for transactions/support and/or security involved.

How hard is it to implement email verification?

Securely? Very fucking difficult.

How is it login with YouTube and login with Google two different things. It's the same login.

What website is this?

If you log in with social media, they get more than your email address. Data mining.

If i cant log in with an independent email then I'm not logging in.

I had the same problem yesterday as I was investigating tailscale. And while I get it for that service, there's no reason for some of the other services that ask me to link my other accounts to them as a means of logging in.

No. I will not consolidate my log-in profiles under companies that dont see me as a person, care about my privacy, and are working with hostile governments to track me.

Semi-Anonymous or nothing. Period.

I can see how they got there from the implementation side. There's a library they used for their site, maybe a CMS, where all those choices are just a click away. But for email they have to get their hands on an SMTP server. And that takes non-zero effort.

I feel conflicted. OAuth gets a lot correct in so far as most sites don't have to deal with a lot of difficult auth bits, but also I don't like having to rely on big (usually social media) companies to be the auth source.

I think about dnssec a lot.

It feels to me like there should be some form of public key infrastructure where there is a global root key (or short list of) then providers that can issue certificates out to other smaller organizations or individuals who could then use that source of trust to prove who they are. Imagine OAuth but you could just fill in your provider of choice (self hosted?) and if the certs checked out everything would verify correctly.

That being said who does the bits around ensuring that you are who you say you are. I suppose a government body running such a system could work though I sweat at the idea of going to the dmv to reset a forgotten password or report a stolen identity.

Idk maybe if I think about this enough I can come up with a cryptography secure system...

I've always hated that shit. Why would I want to add dependencies to my fucking logins?

What is VK?

I dislike sites like this, I usually click away or just don't sign up

Whatever site that is, I dont need to be there.

Oauth should become federated, just as email.

Then the browser should generate the buttons based on which oauth services you actually use.

Guess I’m not logging in

Can I login with Pornhub?

Because for the vast majority of people yet another password, or even yet another 2FA code is an anti-feature.

Collecting as much data they possibly can to increase the value of the data. Bottom line: more info=more money

VK? The Russian porn site?

Money.

Also it kinda depend on how much you trust the website security and how much precaution you have. For general public who don't really know how to protect themselves against hacking and databreach(those who might not know the existence of password manager), the option of letting a giant corpos handle the login is much better than to just blindly trust the website.

Also money.

Also the website might not want to build and maintain their own database for this(which cost money), so they outsource the login to other company.

And also money.

That's like every freaking store offering me a "points" plan. All this shit is getting out of hand already.

I want to login with my butthole print. Did you know that no butthole is the same?

Problem is with general cleanliness. Like the Japanese with their bidet's, they wouldn't have a problem signing in because the print is always a clean print.

There's also hemorrhoids and other temporary deformations of the butthole that take some time to repair. I mean with hemorrhoids you'll be waiting there for a week. But what if you just had a big poop. Well, it might help deter criminals trying to ping the machine too quickly.

Because we are employed developers and this is what the bosses wanted. There are lots of things I made that make me facepalm or I think is stupid but im a peon and my only other option is to find a different job. Where there will also be dumb shit I have to code for a paycheck.

No login with GitHub or X? Tsk tsk

#feudalism

A SAML token verification can be implemented correctly in under 50 lines of code. (Without needing anything beyond a basic crypto library for decryption and signature checks ) then you just have a SAML identity to user account mapping table (so that they can have multiple SAML providers and retain access or switch between different accounts).

But yeah, some shady sites use it to get your name and other information. (Which SAML providers should properly inform you about, as they are the ones packing that data based on what the receiving has registered)

Right? It's demented!

Cos fuck you, that's why.

The apple one is enforced by apple if you want to go on the app store. The rest follows. Personally I blame apple for starting this bullshit.

not 100% related but i think login should be less user friendly

"here take this 512 byte hash and store it and it's you and if you lose it or have it stolen i couldn't care less"

email verification is hard to do right (as said in top reply), oauth is annoying to get set up but more secure and all big providers have fancy recovery and login methods

no oauth? get the hash or go away

Wtf is the difference between login with google and login with YouTube?

I guess the silver lining is ya can get 7 months of any "1 month free" subscription without having to create a new account.

Can I log in via dick cage?

Because data collection. Trade simplicity for data collection.