[mholt]

I'd actually rather you have my username and password, since I use a password manager and every password is long and unique. I don't want to tie my Google/Apple/<X-Mega-Corp> account to my Tailscale account. This way I can also more easily keep track of which accounts I have since my password manager stores them all. So I will wait for email signup (which currently just subscribes me to a mailing list...)!

[apenwarr]

It's easy to make a basic password login system, and very technical people use password managers, long passwords, etc. But there's a long "tail" (ha ha) of people who don't use long passwords, who will reuse their password on multiple web sites, who will forget their password and need to recover it using their mother's maiden name, etc. This opens up unlimited opportunity for phishing attacks.

And you don't get any key rotation unless you force people to change their passwords occasionally, which is itself now deprecated as a bad practice because people then start writing their passwords down on paper or storing them in a spreadsheet, which is even worse than no rotation. (Tailscale rotates your VPN keys automatically, but it's all for naught if the root key is just a password.)

We know that something better is needed for personal accounts, but please, not username+password. Your private network security is important. The world needs something much closer to foolproof.

[blueside]

> few very technical people use password managers, long passwords, etc

I'd be very surprised if this was true. Most all technical (competent) people I know use a pw manager of some sort

[apenwarr]

It originally said "a few", not "few", which was intended to have a slightly different meaning, but I've edited it to remove that because you're right and it's not important :)

Unfortunately non-technical people mostly don't use a password manager and we can't assume they do. Tailscale is about making the Internet secure by default, and passwords will never be secure by default.

[cube2222]

I know only myself and one other person using a password manager, even though I know a lot of technical folks.

[anderspitman]

Why not ditch passwords altogether and only do magic-link logins via email a la slack?

[bradfitz]

(also Tailscale)

FWIW, we'll probably also be supporting GitHub (and maybe Twitter?) auth, as well as perhaps letting you run your own auth server if you set up the right DNS records. Lot of things yet to do.

[dstaley]

Super excited to see that you'll be supporting GitHub! That being said, do you have plans to implement any sort of account merging? For example, the ability to login with one of multiple authorized accounts (so my Google Account, my Twitter account, or my GitHub account).

[apenwarr]

(Tailscale co-founder) This question goes through my mind a lot. I personally want it for myself. However there's a "weakest link" problem in identity management: if you have N identity managers merged together, then your account is only as secure as the weakest one of them. So connecting multiple identity providers to one account might be risky.

On the other hand, I really like Keybase's way of federating multiple identities together, where each additional identity provider increases rather than decreases confidence.

[philsnow]

There's more than just security concerns, when you allow a bunch of third-party accounts to access one of your first-party accounts.

If your highest concept of identity is the account and identity managers allow you to authenticate to that account, let's say you have a tailscale account with id 123, and any human who has access to john@personal.org or john.smith@job.com can access that account.

What do you do when John leaves job.com? Can John (accessing the account through john@personal.org) still admin the job.com bits?

I think the right abstraction is having first-party (in this case tailscale) accounts belonging to one or more "teams" and authenticating with a @job.com address allows you to switch to the job.com team in the UI / allows you to generate API creds that modify job.com's team.