Personally I refuse to sign up just to check out something I'm only passively interested in, and I will never understand why startups do this. I imagine they're immediately turning away >80% of potential customers vs. just letting people try out the damn product.
Any product that allows you to consume lots of resources including API calls, interact with other users, or share anything basically needs to be authenticated to avoid misuse. This covers virtually everything.
Sign in with Google/Apple can be virtually painless and only lets them know your email address, name, and profile pic if OAuth is configured reasonably, and it's easy to tell on your side if it's not because it asks for the additional permissions. You can also sign up with email without making the person go through a lot of malarkey. Simply send them a sign-in link instead of doing the whole normal dance. Click it and continue on.
If need be they can be prompted to fill out additional data if features require it.
Yea but if I haven't even seen the product yet, I'm not going to bother and give away my email + personal info.
I understand sometimes you need auth, but the app could just show the live app and then pop up a signup modal when the user tries to do something that requires auth (that's what I do on my apps)
It's not the only way to prevent misuse, for example: captchas, rate-limiting etc.
I bet they implemented the login anticipating misuse... and like all other startups, there's only a tiny chance the product would be misused, but a large chance that many people won't use it due to the login wall.
Effective captchas are much worse than logon with Google or sending a login link to email. Rate limiting might prevent the system falling over or spending all your money, but it does near nothing for vandalism.
Rate limiting is like handing your football players packs of condoms instead of cups. It might be necessary but it sure as hell isn't sufficient.
I would suggest that if your app requires interaction with others you provide them with a test experience where they can read live data but not affect others. Gate functionality that might be misused with a request for an OAuth2 login or an email to which you can send a login link. Near zero commitment: you don't have to share anything beyond your email and name, and you don't even have to make up yet another password. A few clicks and you are done.
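The "send them a sign-in link" approach mentioned in two of the comments above, as an added example that is not any commenter's code: a signed, time-limited, single-use magic-link token. The signing key, the in-memory nonce store and the base URL are constructed assumptions; a real deployment would keep the key in a secret store and the nonces in a database.

```python
import base64, binascii, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode

SECRET = secrets.token_bytes(32)   # constructed per-process key; use a secret store in production
TTL_SECONDS = 15 * 60              # a link is only good for 15 minutes
_unused = {}                       # nonce -> email; stands in for a DB/Redis table


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()


def issue_token(email: str, now=None) -> str:
    """Mint a token bound to `email`, an expiry and a fresh one-time nonce."""
    now = int(now if now is not None else time.time())
    nonce = secrets.token_urlsafe(16)
    payload = json.dumps({"e": email, "x": now + TTL_SECONDS, "n": nonce}).encode()
    _unused[nonce] = email         # the server remembers it has not been redeemed yet
    b64 = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return b64 + "." + _sign(payload).decode()


def issue_link(email: str, base_url="https://app.example/login", now=None) -> str:
    """Full URL to put in the e-mail (base_url is an assumed placeholder)."""
    return f"{base_url}?{urlencode({'t': issue_token(email, now)})}"


def redeem(token: str, now=None):
    """Return the email if the token is authentic, unexpired and unused; else None."""
    now = int(now if now is not None else time.time())
    try:
        b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    except (ValueError, binascii.Error):
        return None                # malformed: never even look at the contents
    if not hmac.compare_digest(_sign(payload), sig.encode()):
        return None                # forged or tampered with
    data = json.loads(payload)     # safe to parse: we produced this payload
    if now > data["x"]:
        _unused.pop(data["n"], None)
        return None                # expired, and the nonce is cleaned up
    if _unused.pop(data["n"], None) != data["e"]:
        return None                # already used (replayed) or never issued
    return data["e"]
```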
You can provide almost as good an experience as you want without people getting their lols or their dollars off your other users.
I doubt the 80% figure. Email is a constant source of abuse and requires additional infrastructure, so more and more indie products are sticking to social logins only.
I prefer the split approach. I use SSO on the inside of my home network and for hyperscalers and things like Tailscale. At least partly so I could enforce hardware auth when not supported or sane to implement natively.
Good for you. Keep your SSO login. Nobody's asking for it to be removed. But your SSO login isn't going to be affected if email login is added, is it?
It is a privacy leak to tell GitHub about what other websites or products you are using, which you otherwise wouldn't if you just used normal email/password signup.
GDPR only has a tangential relation to privacy. It might be "GDPR compliant" for me to publish my nudes to Twitter, but I've still (voluntarily) lost some privacy by doing so.