Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to outsource password and account management to a third party?

Tags:

security

authentication

oauth

openid

I read that storing passwords yourself, handling lost passwords and accounts etc, is a complicated process, and involves a lot of work if you don't want to take security risks.

I am building a website for which security is very important. I thought it would be good to start with not trying to handle that myself, but outsource it to an external service.

What I am looking for is something a bit like "Log in with Facebook", or "Log in with Google", except that :

  • I can't use those websites nor Twitter because in themselves I will propose later on to users to link their accounts on those services, so it can be confusing if I also use them for password and account management. (For example, someone coming to the site to link to Twitter wouldn't understand if I ask them to login with Facebook)
  • I'd like to enable users to easily have an account just for my website. If using their Google account, it is used on other websites as well (at least for Gmail for example). What I would like is for users to be able to create an account just for my website.

Any idea of a service provider for this ?

Thanks in advance !

like image 897
Vic Seedoubleyew Avatar asked May 31 '14 07:05

Vic Seedoubleyew

People also ask

What is a third party login?

Third-party login is an authentication alternative used by several websites that allow you to access from an existing social media profile account on Google, LinkedIn, or Facebook without having to define a new username and password.

What is a service account?

A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs. Typically, service accounts are used in scenarios such as: Running workloads on virtual machines (VMs).

3 Answers

For example:

  • parse.com
  • stormpath.com
  • auth0.com
like image 105
Takahiko Kawasaki Avatar answered Oct 12 '22 12:10

Takahiko Kawasaki

I just wanted to give you a heads up that Stormpath now includes user interfaces in two ways:

  1. Our ID Site feature which is basically hosted login screens you can use with any app (or even centralize login across multiple apps).
  2. Views and default screens built into framework-specific sample apps:
    • Stormpath-Express
    • Stormpath-Passport-Express
    • Stormpath-Flask

We're working to get screens into all of our sample apps, so let us know if you're looking for something in particular. We can probably get you some code to get started. [email protected]

like image 30
Chunsaker Avatar answered Oct 12 '22 12:10

Chunsaker

If it's helpful for anyone else, I compared (5/18/2015):

  • Auth0
  • AuthRocket
  • UserApp
  • DailyCred

Conclusion for me was Auth0, because while all the features are very similar, it felt the most legitimate, as in it's not a start-up that might disappear in a few months. Now, the reason that was super important for me was because login is a foundational requirement, so I need to believe as a customer that the Authentication as a Service will be up for as long as I will be.

Here's the full comparison story: https://medium.com/@bsemaj/authentication-as-a-service-comparison-5-quick-lessons-for-b2b-businesses-e7587275824c

like image 2
james Avatar answered Oct 12 '22 11:10

james
Sign in to Comment

Related questions

Tomcat secured static content
Is it possible to resign a signed .net dll with a different key pair?
Understanding 3rd party iframes security?
Does this mean my university is storing passwords insecurely?
How to throttle login attempts - PHP & MySQL & CodeIgniter
How to verify an XML signature in an iOS application?
A list of professionally-useful and safe file types?
What is the recommended approach for encrypting/decrypting large text data in MySQL?
Is it safe to identify OpenID users by email address if the provider is trusted?
How does Timestamp helps in preventing Replay Attacks in webservices
Should I authenticate a user's password for every server request?
Javascript Security: is storing sensitive data in a self invoking function more secure than cookies?
How to secure Redis Cluster?
How to automatically login as a user using Spring Security without knowing their password?
After upgrading to GHC7, all programs suddenly fail saying "Most RTS options are disabled. Link with -rtsopts to enable them."
Hash to create unique URL so that it is difficul to guess valid URLs in lieu of authentication
Develop programs for Arm trust zone
Can I improve the security of MD5 hashed passwords by salting the existing MD5 hash and hash the result using Scrypt or PBKDF2 HMACSHA256?
Form Authentication - Cookie replay attack - protection
How to restrict DOS attack with Web API

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!