psandor | 4 years ago

The example he uses isn't the best though. Unless your product is about identity or has other special circumstances, you should absolutely not implement your own login system. It's a lot more complicated than what the article suggests: security, _proper_ hashing, forgot your password, change password, change email, password strength, MFA, privacy, compliance, social logins are just a few things/flows coming to my mind that are standards today. Implementing these instead of focusing on the relevant features of the application is very rarely the right decision.

tbrownaw|4 years ago

Depending on what you're doing, user accounts seem like a rather fundamental thing to be transferring control of to some third party that could, I don't know, decide they only like green while you're orange.

psandor|4 years ago

Both options have risks; in 90% of the cases, the risk you pointed out is smaller than the risk from the lost opportunity cost (working on something not relevant for the service), insecure implementation, sub-optimal UI, etc.