Ask HN: You're building an app in 2016 – How would you let users login?
9 points by somesaba 3803 days ago
1. Facebook Login (or other social logins)

2. Phone number with SMS code

3. Username/pass

4. Email/pass (Email will need to be verified)

Would like to hear people's opinions. Assuming the app doesn't absolutely need Facebook's social data, all the options seem viable with different pros/cons.

10 comments

I think we're back to email/pass as a preference, because folks are so wary of apps requesting permission to their social accounts, or people are no longer using said social network. There's definitely social fatigue in the air.
I would try to get away with the most minimal thing possible. Ideally I would do the same thing Flash games have always done and create a cookie for the user.

If they need to login from a different place, I would put a simple 1 line form and button for emailing a link that would allow them to do that.

If it was necessary, I would give them the option to backup their account to an email address. This would just set the hash to something new so that the old cookie info no longer works, and they only have to click the reactivation email.

If this is an account where virtual goods are purchased (like Steam) and so there is actual value to the account, I would do email + phone backup. Phone backups aren't good enough on their own because people switch phone numbers. Emails aren't good enough on their own because people reuse login data all the time. This is the only case where I wouldn't store login data using cookies.

Forcing registrations and logins on the user really doesn't make sense 99% of the time.

In 2016 there are different levels of logged in:

L1 - I think I know who you are because you have a cookie or I remember your IP or browser fingerprint.

L2 - I definitely know who you are because you logged in during this session and have a cookie.

L3 - I trust you enough to show you your user info over https since I just asked you to log in and you gave a password or verified you with Facebook.

Obviously some bigger names are experimenting and trust their tracking enough to do away with authentication for some things. Personally, I have an anonymous mode on one site. It is "I don't know who you are but I remember you." They can use the site and then convert to a real user with Facebook, Google, or email/password.

I already have 1000 different accounts on 1000 different websites. I don't want yet another one. Can someone fix that?

Fuck emails. Fuck passwords. I don't want to deal with any of these things. What's the purpose of being logged in anyway?

It doesn't need to be fixed. It's just that everyone who creates content wants to play big brother. It's the person who's forcing you to create accounts, not the technology.
This is an interesting thought. The point of logging in would be to save user state, but maybe users can opt-out of that for certain apps... hmm
There are better ways.
I chose to do Facebook and email/password.

SMS costs a very tiny amount of money, and didn't offer any advantages (you can't get at the user's phone # on iOS, so you cannot prefill, thus email had a similar level of friction from the user's perspective).

I've seen some of the large websites in India offer OTP (one time password) login using SMS, which I personally have used many times. You enter your mobile number, get an OTP and log in with that. Removes the hassle of remembering the password.
5. Email a login link to the user's verified email address. No need for a password.
I have always felt like this method sounds good, but is just annoying to do. I want to log in fast, usually with passwords that autofill from LastPass or a similar app.

Maybe if the information on the site was sensitive it would be worth it, but this is too much for just any random app.

This sounds like the least user-friendly option available and a real obstruction, especially if using the application on a mobile device.

Plus the whole thing becomes insecure if users start forwarding the email to others without thinking of the implications.

> users start forwarding the email

What if the link is only good once? Problem solved.

I was debating including that option :P

I've just never actually seen anyone else do it. For some reason, it feels 100x more complicated than checking my SMS app for an SMS code when in reality it's not that different.
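The single-use, expiring login link discussed in the replies above (and the "reset the hash so the old link stops working" idea from the cookie-backup comment earlier in the thread), as an added example that is not code from any poster. It assumes an in-memory store standing in for a database, a constructed email address, and a 15-minute lifetime; only a hash of the token is kept, so a leaked database row cannot be turned back into a working link.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

TOKEN_TTL = 15 * 60  # assumed lifetime of a link, in seconds


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class MagicLinkStore:
    """Constructed in-memory store; a real app would key this by email in a DB."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # email -> (sha256(token), expires_at)

    def issue(self, email: str) -> str:
        token = secrets.token_urlsafe(32)
        # Issuing a new link replaces any older pending one for this email,
        # so a stale link (e.g. a forwarded old email) stops working.
        self._pending[email] = (_digest(token), self._now() + TOKEN_TTL)
        return token               # only ever sent in the email, never stored raw

    def login_url(self, base_url: str, email: str, token: str) -> str:
        return base_url + "?" + urlencode({"email": email, "token": token})

    def redeem(self, email: str, token: str) -> bool:
        entry = self._pending.get(email)
        if entry is None:
            return False           # nothing pending, or already used
        digest, expires_at = entry
        if self._now() > expires_at:
            del self._pending[email]
            return False           # expired links are dropped, not retried
        if not hmac.compare_digest(digest, _digest(token)):
            return False           # wrong token does not consume the link
        del self._pending[email]   # success consumes it: the link works once
        return True


if __name__ == "__main__":
    store = MagicLinkStore()
    tok = store.issue("alice@example.com")         # constructed sample user
    print(store.login_url("https://app.example/login", "alice@example.com", tok))
    print(store.redeem("alice@example.com", tok))  # True, first click
    print(store.redeem("alice@example.com", tok))  # False, link already used
```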

What will users get out of logging in?

Which is to say that the first option would be simply for the app to work without anyone having to log in. That's practical for some apps, and of course not for others. The larger point is that just as a login mechanism might not be necessary, if it is necessary the choice of mechanism should make sense given the nature of the app... don't use Twitter for a self-help app for narcissism or Instagram for a seniors lifestyle app.

As for the alternatives, what good could possibly come out of storing name/email and password pairs?

I built a mobile web app, and I started out with just Facebook and Twitter login. However, I have some friends who are privacy conscious and they do not have social media. They would prefer to have an email/pass login option.

So that is next on my list to add to this current project.

Would you say that's a small percent of your user base? Most of my friends hate the idea of needing to log in via Facebook, but it is truly the simplest for them - and I'm not sure if my friends are just disproportionately biased. I'm also not sure if I want to depend on a third party.
Really it depends on the app, but for the most part I like to give options for 1, 3, and 4. Social login is linked to an actual account that can be used for 3/4 if they want.
People really like email/pass; the lazier ones use Facebook and other social logins. SMS costs money and I don't see the advantage of it.