Dan Moore
Appearances
The Changelog: Software Development, Open Source
Over the top auth strategies (Friends)
So Adam, sorry, like I haven't used Tailscale myself personally. I've read about it, but like, is it when it, when you're logging with GitHub, it's prompting you for a bunch of different permissions. It's not just saying, Hey, I just want his email address.
So honestly, I wouldn't blame GitHub for that. That's actually on Tailscale because Tailscale asks for permissions.
Yeah. Yeah. Tailscale. Come on, man. Come on. You don't need all that.
So my feedback on that is... That is a GitHub thing, though.
Well, and so my guess is that there's, it's probably, you're right. It's probably a combination. Like I haven't delved deeply.
It's like, yeah. How coarse-grained does GitHub allow permissions to be asked for? And then what permissions is Tailscale asking for? And my guess is this happened, like, this is probably a little bit like the magic link experience that Jared was talking about, where it started out and Tailscale asked for like very small amounts of data.
And then there was a use case and then they needed to ask for a little bit more. And there was another use case and they needed to ask for a little bit more. Right. And then they can't differentiate between whether you're doing the simple use case where all they need is the email and password or not your password, sorry, just your email or the complicated one.
That's my guess on what happened based on kind of what I've seen over the years is best of intentions. But GitHub having coarse-grained permissions makes it really tough to like ask for just what they need.
I would love if we would do that if everyone was using a password manager. And I think, you know, depending on your audience, that could be a viable path. And I... But for a lot of customer-facing organizations or applications, that's just not reality. My wife is a relatively smart person, has more degrees than I do, is not super technical, and gets super frustrated with her password manager.
And I have one that I've been using for years that I love that... is fantastic, but I would never wish it on anybody else because it's kind of, it's old school. Right. So really, uh, it's called Password Safe. Um, March, not, uh, not, I think, uh, who's the Schneier guy, Bruce Schneier recommends it and, um, it's open source and just kind of super dumb, but, um,
It's not like integrated with any external systems because that's the other worry that I have with password managers like 1Password or LastPass we've seen is they are super valuable targets, right? Because they have everything. For sure.
I think you should always offer username and password as an option because I think you're going to have some subset of people who are going to be more comfortable with that. But I don't think that it should be the only solution.
I mean, here's the nice thing about a password, right? Like the strengths of the password and the weaknesses of the password are very similar. One is that it is something that can be shared really easily, right? And that can be shared with family or friends and it can also be shared, you know, or discovered by an attacker.
I think you need to, as someone holding passwords, right, any of the systems, you need to make sure you take care of passwords. You need to make sure that you hash them appropriately. You make them hard enough to use for an attacker that you can avoid credential stuffing attacks, but easy enough for users to use. And I think the reason is that it's lowest common denominator, right?
Like I have definitely liked Tailscale, Adam, but this was a different company that all they offered was social login. And that is... frustrating to a certain class of people, to a certain set of people who don't want to necessarily tie things to third party providers, or maybe they don't want you to know that their particular email, they want to use a username, right?
You can't use magic links with username based solutions. And for certain kind of sets of folks, right? Or even classes of applications like games are a perfect example. Games don't need to know your real identity. That's a dumb thing. So I don't think they're going away. I think that there are great solutions that you should offer.
And each solution you offer kind of increases your marginal kind of market size of people who are willing to kind of log in. And that includes what we talked about, magic links. We talked about social login. I think we're going to talk a little bit about passkeys and it's a, it's a "yes, and" rather than a, you know, "we're going to move entirely from this solution to that solution."
Oh, I can give you a list, right? Like, I mean, Keycloak, Clerk, Zitadel, Ory. I mean, there's PropelAuth. There's a ton of these folks out there doing that. Totally.
Okta bought Auth0 for six and a half billion dollars.
And like 20, it was like 20X their ARR.
Well, so I want to... Actually, I want to push... back on that a little bit because, and this is one of our kind of unique selling propositions, which is the only reason I interrupt Adam, is that with FusionAuth, you're actually getting dedicated database and compute resources. So it's totally separate. It's not a multi-tenant solution inside there.
It depends, but we can deploy to any of the AWS regions. And you can run it yourself too, right? So you can run it in your own data center. But the idea there is that if you escape a competitor who has a multi-tenant in SaaS, depending on their security posture, you may be able to access other users' systems, but you can't inside FusionAuth because it's separated. That's smart.
It's a separate database. But I do want to talk... I mean, Adam was talking about the complexity of it. To me, it feels like the evolution, it's the same evolution as email, right? It used to be you were sending emails, you'd stand up like Postfix or I don't even remember those, you know, Sendmail.
And then SendGrid came along and other mail providers came along and email deliverability became a more complex issue. And so it became something that was outsourceable. And a lot of people have made a lot of money doing that. And a lot of apps have been built on top of it. And it's a trade-off, right?
And if you are, you know, super bare bones and you're a Linux gearhead and you know how to set up Sendmail, you can still get by by doing that. But the vast majority of the world has changed and people have just acknowledged that, you... It's not worth it. And I think auth is kind of undergoing that transition too.
Yeah, I mean, OTPs are a great solution for sure. I mean, they still share some of the issue with magic links, right? Like in terms of the deliverability, like timeframe and a little bit of discontinuity there, but... they definitely step around a lot of the other complexities, whether it's browser-based stuff or the link checkers or whatnot.
Yeah, thanks for having me back.
Yeah. I mean, there's definitely, there's a couple of kind of things to think about with passkeys. One is like how you set them up. First of all, kind of the registration process is a little bit weird and can kind of differ. And depending on the passkey, it might be tied to a physical device. It might be tied to an account. Yeah.
You know, if you're worried about people correlating things across like OAuth or OIDC, you know, the same thing is happening with passkeys that are shared, or if it's device specific, then now you're kind of tied to the device. And then kind of, I think the user experience is, uh, for actually logging in is pretty good. Um, it does, you don't have as much control as a
The thing that you're logging into, the app you're logging into, doesn't have as much control over like the look and feel or the messaging or anything like that, and that can be problematic too. But the beautiful things about passkeys are they are locked down in two ways, right? They're locked down to the device or the system that holds the private key that is actually kind of generating the challenge and like solving the, um, basically
I can walk through kind of how passkeys work if that'd be helpful. But anyway, there is a private key that is held someplace and that is what's used to kind of authenticate you. And they're also locked down to the domain, right? They're associated to a domain, which is really, really great too, because it removes all kinds of phishing problems, right?
Like because you're trusting the computer to recognize the domain rather than the user looking at the UX or looking at the URL bar. And computers are much better at comparing, you know, character by character and making sure that things are all, all correct. So there's, there's two kinds of security benefits for passkeys for sure.
It's a lot, okay? Sure, sure.
So Adam, I'd love to probe that a little bit more because to me, you know, some of this just may be because growing pains of passkeys, right? Like usernames and passwords have been around for a long, long time. And even now there's still, you know, some wrinkles, like sometimes people will ask for your password.
your username first, right? And that's so they can direct you to the right, um, identity provider if you're, you know, whatnot. But like passkeys, it feels like, you know, they were just codified in like 2019, right? And so that is not new, but it's still being kind of rolled out. So you think some of this just can get shaken out in terms of like the right UX or
I want to get what I came here for, right? Exactly. Exactly.
I didn't want to say, like, I don't think it's just for security. That's the, that's not the only reason that, um, new orgs are, or that passkeys are getting kind of pushed. I think it's also a user, like they've done studies that it just gets you into the app faster. Um, there was something, I'll share the link, but this person referenced a Microsoft study that said that the average time to log in went from
69 seconds with username and password slash MFA to eight seconds with passkeys. And so if you can get someone into Adobe quicker, especially someone who doesn't like, doesn't have your depth of experience, Adam, right. And like, doesn't really understand kind of the big thing and they just want to get to Adobe and you can, you know, decrease it by 10X, that's, that's a big win for everybody.
Right. So, um,
I will say that I totally understand the user experience benefits of that. It scares the crap out of me, right? Because the whole point of MFA is that you have a separate... And my guess is 1Password kind of segregates that stuff inside their own system, right? So that an attacker coming in, getting access to the passwords would have a harder time getting access to the TOTPs.
Again, just to push on this a little bit, it doesn't worry you at all that like this thing that is supposed to be a separate factor is all wrapped up in one place?
Well, and obviously it depends on your account, right? Like there are probably accounts that you don't care about, right? Like, but let's say your bank account, like how, how much is that? Where are you on a scale where 10 is like, I better go change this right now, my hair's on fire, and zero is like, eh, you know, I don't really, I trust everything's fine?
And I just want to say, and I just want to disclaimer, I don't know anything about 1Password, right? Like, I'm not, like, attacking them in general. It's, like, the general principle of, like... I think we should.
Yeah, I mean, I think that it does depend. I actually wrote a blog post about this, about the different kinds of MFA for customers. Again, employees are a different world because you can force them to do all kinds of stuff and you can spend money on it.
There you go.
Totally, totally. But for customers, I think an important thing is that it is going to at least a different piece of software, right? So, um, you know, using them in passwords being pulled from password manager and then using a different software authenticator app, like Google Authenticator, Authy, um... There's some open source ones out there, even sending SMS.
I know SMS is problematic in some ways because it's attackable in certain circumstances for high value accounts, but it's still landing in a different place on the phone. Email address, one thing that I think I wish everybody who allowed email as MFA would do is have the multiple email addresses and have those email addresses not be tied to the email address you use to log in, right?
Jared's not afraid. Too many letters.
So I could set up, you know, dan at fusionauth.io is my login identifier, then dan at example.com is my MFA. And, again, you're just separating things out and you're not, you know, every step you take to do this makes things just a little bit harder for attackers. Right.
And so that's the whole goal is, you know, it's not to, if there's a state level attacker out there, hi, anyone who's listening from a state level, you know, actor, like they can probably get access to my accounts because they have those resources, but I'm just trying to make it difficult enough that they kind of, um, that normal attackers move on.
I mean, I assume... SMS or email, right? Like anything that's deliverable is probably going to be outside of your app. You know, you could, there's always this, right? We talked about the tension around the friction around like login method and that same thing is true with MFA, right? And so there's always a tension between making things as easy for Adam to log in, right?
as possible, um, or Adam, to be honest with you, like taking control of his own destiny and using tools out there like 1Password or Bitwarden, etc. So yeah, so you definitely can help foster things by using deliverable methods. That's really the only way you can force that. And honestly
I don't know if 1Password has this or anybody else has this, but it wouldn't surprise me if there was a Gmail plugin that would go and look in your Gmail and pull out the code that Adam could probably install as an extension to 1Password. And then he's just kind of circumvented that whole thing again.
Right. So, right. Um, and he's the one, by the way, paying the bank, right? He's the bank's customer, so you can't push them too far. But you can, I mean, education is kind of the canonical example and, you know, answer. This is like, you say, um, you know, "we really suggest that you take these steps to secure your accounts."
And if someone wants to ignore all the pieces of advice and they're still paying you money, that's a really hard question to solve.
I mean, NIST actually recommends... They have the latest digital identity guidelines and they actually recommend that you don't enforce that complexity because it's frustrating to end users and they end up picking something that may not be that complex, right? Like they'll just add like the one exclamation point at the end of a normal word or something like that.
And check the corpus, right? Like there's a bunch of corpuses of passwords out there and check that it's not in there. And other than that, I'd say, yeah, go crazy.
I'm torn. I want that world. I want that world. I'm not sure we're there because Let's Encrypt, the big lever there was Chrome, right? And like the scary warning messages in the URL bar and things like that. And I don't know if we have... I mean, maybe you have that with the operating system vendors. So maybe that's the lever. But it feels like we're not there yet. But yeah, I would love a place.
I love a world. I mean, and honestly, this is... It's interesting to me because the more we talk about this conversation, like password managers and passkeys are both kind of two sides of the same coin or they're two approaches to the same problem that both believe that computers are better than people at keeping track of, you know, verifiers of identity.
And passkeys do it in a way that's a little bit more opaque and not maybe as compatible, but is a little bit stronger because it's private public key encryption. Whereas password managers are more designed to fit in with the world we currently live in and have all these nice add-ons that you mentioned, Adam.
Yeah, so I've been for the last about... four years, I've been working for an auth provider called FusionAuth, and I've done a variety of roles there and spent a lot of time talking to customers about how to implement auth, a lot of educational content. And when I say auth, you know, it's authentication, authorization, and user management.
Not currently. I was until a couple years ago. Until a couple years ago.
I would also say, like, I think that you kind of hit, or you alluded to, one of the issues, um, with this. Even if it gets installed in Apple, in Apple's, um, operating systems and it's installed in Microsoft operating systems and installed in Android, like you still have some people who use an iPhone and have to use a Windows PC, right? And so you have this cross operating system solution that, you know, Chrome
Again, the big lever that moved Let's Encrypt, that was cross-platform and it had significant market share. Maybe there's some kind of consortium who could help with that. I don't know. Again, I'd love to live in that world.
There are some other aspects of the authentication or user lifecycle that we don't really focus on, like identity verification or kind of workforce-oriented stuff. We're much more focused on customer identity access management. So that's my expertise.
Large installed base. What are you going to do? You wrote an app. You have an old app that you're not going to rewrite. Entrenched.
And that, you know, learned about OAuth and SAML and OIDC and JWTs, you know, basically alphabet soup in terms of jargon, but spent a lot of time decoding that and taking it, rewriting it or rewriting my understanding in such a way that developers would actually be able to apply it kind of in their day-to-day life.
Amazing call to action, Adam.
Oh, yeah, yeah.
Or I was just thinking about a CDL, right?
You have, you know, specified knowledge, right? And you have a higher expectation of a truck driver than you would have someone who drives a car. Yes. Yeah.
This is my favorite conversation about authentication though. I'll be honest with you. I love the movie reference. That's, that's amazing.
So that answer, like to kind of add on to the lukewarm take, your response to Adam is, I don't care about, I mean, we don't need a universal solution because we have one that is near universal for most of, for the current platform of the century, basically. Or at least decade, maybe not century.
Or frankly, like the employer might, you know, if they're an employer, there's going to be like.
Yeah. Right. Businesses, like I know businesses that pay for 1Password and they're thrilled to pay for 1Password for all those reasons that you mentioned, Adam.
Yeah. And so this is a great question because I think this goes back to that spectrum you talked about a while ago. Right. And I think that, um, if you have one single app and you have relatively simple software needs, I think that like going with the framework that is the base of your app is the right solution. Right.
So with Rails, that'd be Devise, with, um, Node.js, it might be like Passport or maybe like a, a service, like a Firebase, you know, because if you're kind of a single developer, you're just trying to get people into your app, right? And safe and secure. And a lot of these big services will take care of that.
Where I think it makes sense to kind of introduce something like FusionAuth or Auth0 or any of those other kind of solutions we talked about is,
when it gets a little bit bigger, right, when you have more than one app or when you have, you know, there's that tradeoff between build and buy and you always are kind of riding that tension of like, well, yes, our engineers could do this, but should they? And at some point the answer is no, because they're better off writing features and
and not writing kind of undifferentiated login functionality. So does that make sense? I mean, I appreciate the question because I'd love to be able to say, like, here's an answer for everybody and everything, but I just don't think that's the truth.
Well, that even gets back to the way that people are offering to authenticate, right? Like, I think that, you know, as much as Adam hates GitHub login for Tailscale, I think that's a great example of- I don't actually mind it.
But I mean, I think if you are writing an app that is targeted for like small, medium business users in Germany, you should use Xing, right? Which is like a German social business network, right? Or if you're writing something that is going to be deployed to China, you should use WeChat. Or if you're writing something that's going to be aimed at business users in the US, you should use LinkedIn.
And... I think you should always have username and password as the baseline. And I think that you should offer other solutions that are going to reduce friction that let people choose. Because at the end of the day, again, this is from the lens of customer identity access management. You don't really care how people get in, right?
You just want people to get in as quickly as possible so that you can get them to the value that they're actually hopefully going to pay you for.
I mean, I would love to... Actually, that would be a great thing to survey your listeners as well.
That's right.
I mean, I think that there's probably a chunk of folks that... do want to just use username and password, right? They want to put it into 1Password. And there's probably a chunk of folks who'd be happy to use Google too, because they have one personal Google account that they kind of hang everything off of. So, yeah, that gets back to effort, right?
And so like, how much effort would it take for you to add those additional login methods to Changelog? And if the effort, this is why you paid the big bucks, right? Like, 'cause we're just guessing on what features are needed for the future. We can do surveys and ask people and whatnot, but you don't know. But just in password is such a baseline that it's hard for me to imagine
I mean, I, for my work, we use Google Workspace and I prefer that, right? Because that way it's just, it's super tied. And I know that I will always have access to my Google account as long as I'm an employee and I can always, if I get, if I lose access to it somehow, um,
know, Google locks me out or something, at least I have recourse to my IT admins, right? Um, personal is a little bit different. You hear horror stories about people losing access to Google account and then losing access to like, you know, years of photos and memories and documents, etc. But, um, I loved for my professional accounts, if it's tied to my company, I love to hang it off my Google account.
Every time you switch a machine, that should be the first thing you do when you set up a new machine, right, is log into changelog.com, and then you're good.
Yeah, so I'm on Bluesky. It's moreds.com on Bluesky. I'm on LinkedIn, Dan Moore in Boulder is probably the easiest way to find me, and fusion.io. And I really appreciated the conversation, appreciated the movie reference. Maybe I should go check out Over the Top.
Enough time for people to be distracted. Right. And like, like move away, go back to Hacker News or listening to the Changelog or whatever they're doing before. And then they forget why they, why was that on the site? Yeah.
It's interesting because the bigger issue we've seen around magic links actually is corporate link checkers and expiring the links. And we've gone to some pretty extensive lengths to try to fix that problem.
But it's, it's kind of the same kind of thing, right? Like you're doing something that's a little bit out of band and you don't have kind of control over that whole experience, right? Whether it takes a while for the email to be delivered or the email's being read by something else and expiring a one-time code or something like that. So I actually hit that as well. What do you guys do about that? We require like a
So I think we do a JavaScript post of the, so you take, you're taking a page and then the JavaScript on the page executes and posts, which is what actually logs you in. So those link checkers aren't smart enough to do that yet. And so that kind of means that when the user clicks, they're opening a browser and that browser's
I mean, you could build in some kind of like slop factor, right? Like let it happen two times or three times. But it is, you know, the entry point into your application. And there's definitely some worries around that, right? Right. We definitely, ours is still one-time use for sure.
But I mean, I think there's an interesting point in kind of what you were saying, Jared, is like you as the authentication system is kind of unique among users. Like sometimes I think of an authentication system like a database or a queue or something else like that, where it's kind of part of an application and it's foundational, but it's undifferentiated.
And then at the same time, it is so user facing, right? So unlike your data, like you can swap out a database behind Changelog if you wanted to. It sounds like it wouldn't be very much fun, but you could do it without ever affecting the user experience, whereas changing out your authentication system would definitely impact users.
And because it's in the user flow, you really need to meet users where they are, right? Like you said, the first four or five times, you're like, hey, can you please use different software? And after a while, you're like, well, I really want you to log into my system. Therefore, I need to be the one to change, right? Like you need to adjust to where the users are coming from.