by michaelmrose 1023 days ago
Any product that allows you to consume lots of resources including API calls, interact with other users, or share anything basically needs to be authenticated to avoid misuse. This covers virtually everything.

Sign in with Google/Apple can be virtually painless and only lets them know your email address, name, and profile pic if OAuth is configured reasonably, and it's easy to tell on your side if it's not, because it asks for the additional permissions. You can also sign up with email without making the person go through a lot of malarkey. Simply send them a sign-in link instead of doing the whole normal dance. Click it and continue on.

If need be they can be prompted to fill out additional data if features require it.

3 comments

Yea but if I haven't even seen the product yet, I'm not going to bother and give away my email + personal info.

I understand sometimes you need auth, but the app could just show the live app and then pop up a signup modal when the user tries to do something that requires auth (that's what I do on my apps)

It's not the only way to prevent misuse, for example: captchas, rate-limiting etc.

I bet they implemented the login anticipating misuse, and like all other startups, there's only a tiny chance the product would be misused, but a large chance that many people won't use it due to the login wall.

Effective captchas are much worse than logging in with Google or sending a login link to email. Rate limiting might prevent the system falling over or spending all your money, but it does near nothing for vandalism.

Rate limiting is like handing your football players packs of condoms instead of cups. It might be necessary but it sure as hell isn't sufficient.

I would suggest that if your app requires interaction with others, you provide them with a test experience where they can read live data but not affect others. Gate functionality that might be misused behind a request for an OAuth2 login or an email address you can send a login link to. Near zero commitment: you don't have to share anything beyond your email and name, and you don't even have to make up yet another password. A few clicks and you are done.

You can provide almost as good an experience as you want without people getting their lols or their dollars off your other users.
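The two mechanisms proposed in this thread, an emailed sign-in link that replaces a password, and gating only the actions that can affect other users behind that login, are sketched below as an added example; this is not code from any commenter or from the product under discussion. The server secret, the link URL, the action names and the in-memory single-use store are all assumptions made so the snippet runs offline. The security properties a practitioner would want from such a link are the ones the thread implies: the token is HMAC-signed so it cannot be forged, it expires after a short window because it is a bearer credential, and it can be redeemed once so a replayed or forwarded link fails.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Assumption: a per-deployment secret normally loaded from configuration;
# generated here only so the example runs offline.
SERVER_SECRET = secrets.token_bytes(32)
LINK_TTL_SECONDS = 15 * 60  # a login link is a bearer credential, so keep it short-lived

# Constructed single-use store; a real service would keep this in a database or cache.
_consumed_nonces = set()


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> str:
    return _b64e(hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest())


def issue_login_link(email: str, now: Optional[float] = None) -> str:
    """Build a signed, expiring, single-use login link for the given address."""
    now = time.time() if now is None else now
    payload = json.dumps(
        {"email": email, "exp": int(now) + LINK_TTL_SECONDS, "nonce": secrets.token_urlsafe(16)},
        separators=(",", ":"),
    ).encode()
    token = _b64e(payload) + "." + _sign(payload)
    # Hypothetical host and path; only the token format matters here.
    return "https://app.example.invalid/login?token=" + token


def token_from_link(link: str) -> str:
    """Extract the token query parameter the user clicked through with."""
    return parse_qs(urlparse(link).query)["token"][0]


def verify_login_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the email if the token is authentic, unexpired and unused; otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        payload = _b64d(body)
    except Exception:
        return None
    # Constant-time comparison so a forger learns nothing from response timing.
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    claims = json.loads(payload)
    if claims["exp"] < now:
        return None
    if claims["nonce"] in _consumed_nonces:
        return None  # the link was already redeemed; treat a second click as a replay
    _consumed_nonces.add(claims["nonce"])
    return claims["email"]


# Constructed action names: reads are open to anonymous visitors, writes need a session.
READ_ONLY_ACTIONS = {"view_feed", "search"}
MUTATING_ACTIONS = {"post_comment", "send_message", "upload"}


def authorize(action: str, session_email: Optional[str]) -> str:
    """Let visitors read live data, but require a login for anything that affects other users."""
    if action in READ_ONLY_ACTIONS:
        return "allowed"
    if action in MUTATING_ACTIONS:
        return "allowed" if session_email else "login_required"
    return "unknown_action"


if __name__ == "__main__":
    link = issue_login_link("alice@example.invalid")
    print("email this link:", link)
    print("first click ->", verify_login_token(token_from_link(link)))
    print("second click ->", verify_login_token(token_from_link(link)))
    print("anonymous post ->", authorize("post_comment", None))
```

The `authorize` split is the "test experience" the comment describes: a visitor sees the real feed before ever handing over an address, and the signup prompt appears only when they try to post, message or upload. Expiry and the nonce check are what stop a link that leaks from a mailbox or a chat paste from being useful later.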

I really don't want Google/Apple knowing anything of what I do online, hard as that is, and I'm not going to help them snoop on me.