Another layer of meta-security I like to use for private apps is to use a service like ipapi.co to do an IP->geo lookup, and then have a per-user list of allowed geo regions (usually at the city level), like:
{
"[email protected]": ["New York"],
"[email protected]": ["Clowntown", "Buffoonville"],
...
}
Depending on your user-base, this effectively shuts out 99%+ of the Internet. This geo check is trivial to circumvent if somebody really wants to, but it's good for keeping out 99% of random hackers.
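The per-user geo allowlist described in the comment above, as an added example that is not the commenter's code: it assumes an ipapi.co-style JSON response with a "city" field (the lookup is injected and stubbed with constructed data so it runs offline), fails closed on lookup failures and non-routable source addresses, and logs every denial so those events can be reviewed.

```python
import ipaddress
import logging
from typing import Callable, Optional
log = logging.getLogger("geo_allowlist")

# Constructed sample policy in the shape the comment describes: user -> cities.
ALLOWED_CITIES = {
    "alice@example.com": ["New York"],
    "bob@example.com": ["Clowntown", "Buffoonville"],
}

# Ranges with no meaningful geo; a login from one of these should never pass.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128", "fc00::/7")]

# Constructed stand-in for an ipapi.co lookup (the "city" key is an assumption
# about its JSON; None models a failed or rate-limited request).
SAMPLE_GEO = {
    "203.0.113.7": {"city": "New York", "country_name": "United States"},
    "198.51.100.9": {"city": "Clowntown", "country_name": "Freedonia"},
    "192.0.2.250": None,
}

def geo_allowed(user: str, ip: str,
                lookup: Callable[[str], Optional[dict]] = SAMPLE_GEO.get) -> bool:
    """True only if `ip` (from the trusted connection, not a client-supplied header)
    resolves to a city on `user`'s allowlist; every other outcome denies and logs."""
    cities = ALLOWED_CITIES.get(user)
    if not cities:
        log.warning("geo deny user=%s ip=%s reason=no-policy", user, ip)
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        log.warning("geo deny user=%s ip=%r reason=bad-ip", user, ip)
        return False
    if any(addr in net for net in NON_ROUTABLE):
        log.warning("geo deny user=%s ip=%s reason=non-routable", user, ip)
        return False
    geo = lookup(ip)
    city = (geo or {}).get("city")
    if not city:  # fail closed when the lookup service is down or returns nothing
        log.warning("geo deny user=%s ip=%s reason=lookup-failed", user, ip)
        return False
    if city not in cities:
        log.warning("geo deny user=%s ip=%s city=%s reason=not-allowed", user, ip, city)
        return False
    return True
```

The denial log lines are the useful by-product: a burst of `reason=not-allowed` for one user is exactly the signal worth alerting on.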
The other alternative is to support TOTP and let people use whatever authenticator they want.
Also, usernames are generally a bad idea. Just use email. If they need a handle let them set it separately on their account and keep it away from auth.
I am sick and tired of needing to conjure a unique 12-character password with 4 different keyset features in order to gain access to a coupon-clipping site, someone's blog about bundt cakes, or a forum discussing solar panels.
The exception is where loss of the credentials can do me real and meaningful financial harm. I have no problem managing unique, complex, and rotated passwords for these. I also expect 2FA for these at a minimum.
Everyone is doing this so terribly that I wish they'd all just farm it out. correct battery horse staple indeed. :)
I just want to Command-Shift-L to autofill my username/password and if it needs an OTP then press Command-V to populate that too. This works with Bitwarden, on many "boring" websites. Unfortunately, it does not with these fancy "enter your email first, and THEN we slide out the textbox with a slow animation just to break your flow" BS.
And no, I do not want to connect my github / gmail / twitter / microsoft / whatever account with any webpages. I have a password manager, and I have separate passwords (and sometimes emails) for the different websites.
With a password manager it's all pretty straightforward.
I hate magic links. Way too many steps and have to wait for the email to transit the internet. It's as bad as a forgotten password, except it's every single time.
Magic links, as you have noticed, are not what people want. I walk away from those sites that use them, just give me oauth.
Passkeys.
Depends on what you're building though. Enterprisey customers will often require SSO and Google OAuth tends to keep them happy enough.
I personally don't like opening another app to receive something that will help me login, especially since I pay for a password manager.
Kids are turning to services to do for them what has been a basic practice for decades.
Passwords are never going anywhere. Users are confused by passkeys, and they’re a terrible idea and terribly implemented anyway.
Edit: Learn how to use scrypt, learn how to execute `INSERT INTO users …`, and call a session library.