Hacker News

We removed "Sign in with Facebook" from our public learning management system (we provide content to the public) instead of continuing to jump through their insane requests and demands.



OAuth in general feels like an increasingly bad idea. Log into everything with Google? Oops, one arbitrary account lock from Google and you're beyond fucked.


I agree. And besides that I also think it's an incredibly bad idea to train users, who are technically not very firm, to enter their credentials on some random page that asks for it.

I'm a pro and even I can't tell how this is supposed to be safe. How would you explain the security aspects to someone who can't distinguish between Google search and the browser's address bar?!


It's bad enough that loads upon loads of sites require people to use their E-mail address as a user ID. What a stupid policy, one that embarrasses many companies that should know better (YES, THIS MEANS APPLE).

When you force people to log in with their E-mail address, what percentage of the public also thinks they need to use their E-mail password? I'm going to guess at least half. Now, if that site is compromised by a hack or disgruntled employee or whatever, people's E-mail accounts are wide open and identity theft galore can ensue.

Not to mention that your E-mail address is on thousands of spammers' lists. Combine that list with lists of common passwords, and you have a shitload of compromised E-mail accounts right there.

Nobody should have tolerated this amateur-hour policy, but here we are.


This is why you have to have a backup plan for your data and your business when you depend on cloud services. One day there is a very high probability some automated bot of theirs is going to flag you and take you down mercilessly, despite your best efforts. You have to be ready.


I agree with the fact that storing your identity on a service like Google isn't necessarily the best idea, but as a developer I DON'T want to be dealing with passwords and account lockouts. OAuth is great in that regard.


So very much this. The reason we're using OAuth in the first place is that we're leaving authentication to the big companies that know how to do it well.

The sheer amount of support work that resetting passwords and fixing access issues (and dealing with hostile actions) generates for a small team is staggering.


not if but when


It was a ticket we had for a long time to remove it; in fact, we had no longer been giving it as an option for account creation for a few years. It just was going to be a week of work and we wanted to avoid it if we could.



