Research authentication options for web2 login experience

Question

Research authentication options for web2 login experience

ryanchristo opened this issue 10 months ago · comments

Ryan Christoffersen commented 10 months ago

Is your feature request related to a problem? Please describe.

Research authentication options for web2 login experience given the following requirements and questions.

Requirements:

email and password login
social login options
multi-factor authentication options

Qestions:

What is the opt-out story? i.e. export, self-custody, etc.
#2074
What is the cost of scaling users? How much do we pay per user with X users?

Describe the solution you'd like

An authentication service that meets the above requirements and scales without unnecessary costs.

Describe alternatives you've considered (optional)

TBD

Additional context (optional)

TBD

For Admin Use

Not duplicate issue
Appropriate labels and zenhub epics applied
Appropriate contributors tagged

Ryan Christoffersen · Answer 1 · Wed Sep 06 2023 01:07:42 GMT+0800 (China Standard Time)

Hey team! Please add your planning poker estimate with Zenhub @ryanchristo @blushi @flagrede @wgwz

Kyle Lawlor-Bagcal · Answer 2 · Wed Sep 06 2023 03:26:37 GMT+0800 (China Standard Time)

Not to sound like a broken record but I believe we shouldn't be closed off "to rolling our own" as well.
The current auth system utilizes passportjs which by design is meant to function with many different auth providers.
For example:

Google: https://www.passportjs.org/packages/passport-google-oauth20/
Twitter: https://www.passportjs.org/packages/passport-twitter/
Facebook: https://www.passportjs.org/packages/passport-facebook/
Linkedin: https://www.passportjs.org/packages/passport-linkedin-oauth2/
Magic links: https://www.passportjs.org/packages/passport-magic-login/
TOTP (mfa): https://www.passportjs.org/packages/passport-totp/

Aaron Craelius · Answer 3 · Wed Sep 06 2023 20:50:31 GMT+0800 (China Standard Time)

What about MFA @wgwz ? With text yubikey or authenticator app? Update: Looks like you posted one solution but how well will it work?

Ryan Christoffersen · Answer 4 · Wed Sep 20 2023 05:13:33 GMT+0800 (China Standard Time)

I'm going to close this out as completed. We are now moving forward with a custom setup that leverages passport.

Artifacts from our comparison of authentication services:

An initial set of follow up issue have been created for next steps: