Registration & Login best practices for web apps

Regardless of the languages in play, what would YOU say are “best practices” for

  • initial user sign-up & verification?
  • login

Some places do the sign-up with your info, then email you a link to finalize the sign-up (so we know the email has to be valid).

Some places do that for initial sign-up and then, to log in, send an SMS or email with a code to log in.

Do those still make sense?

Anything else that a person should consider?

Passkeys. Definitely passkeys. They would be better if vendors didn’t try to lock them down, but Bitwarden and other managers also support passkeys.

Using a 3rd party to authenticate the user is also a good idea, as long as you provide a way for them to change that provider, or have multiple providers in case one is inaccessible.

That also simplifies registration because the new user doesn’t have to fill out a form; they only need to authorize your access to the data you need.

I’m using a form to collect the sign-up data: name, email, password. Then the second (next) screen is a verification code text box to enter the 6-digit code to verify the email address (sent automatically via email, text only, no link). Once entered, the user’s email is verified.

Will have to ponder this one and how I might be able to do this.

Client hasn’t selected which toolchain they want to use, and OpenID has some integrations, but not all they’re pondering.

Many providers have no pricing, or the ones I have seen were … OMG!
2-5 per user
One literally said “starting at 44000 per year”

Descope at its free level might work.
Any thoughts on their service?

This is along the lines I was thinking.

We’ll have this for both external users and internal ones (like sales & marketing etc.)

I am sending a generated code via mail which has to be used with the password, the username (mail address) and the code for first-time login. Also I am sending one-time access codes for login when the password is forgotten. This is the way / the solution for low-security web applications.

For higher-security web applications I have outside, I am using a login app for Android which can be downloaded from our service server. The customer gets an invitation; he can now install the app on his mobile phone and we can now store biometric data. The application has to be enabled in our database. Now when the customer logs in he needs to open the application; at this moment the application asks for the biometric information stored in the app (mostly a fingerprint from the fingerprint sensor). When and if the provided password and login AND the biometric data are correct (if they are correct, the app sends an OK to the server via API), the login is done.

Third way: implementation of OAuth, which is also not too complex to be done for middle-level security. The OAuth implementation comes with Google login, so there are many possible ways depending on your needs for site security.

For OAuth, Tarek Oraby wrote a good Vaadin tutorial which you can find here:

Have fun 🙂
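The sign-up flow the original poster describes (form, then a 6-digit code sent by email, no link) and the scheme in this reply (a mailed code for the first-time login, one-time codes when the password is forgotten) both reduce to the same server-side building block: a short-lived, single-use code that is issued for one purpose and checked with an attempt limit. The following Python is an added example, not code from either poster or from any product named in the thread; the in-memory user table, the constructed SERVER_KEY and the injectable clock are assumptions for the sake of a stand-alone demo.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

CODE_TTL_SECONDS = 10 * 60  # short lifetime: the code space is only 1,000,000 values
MAX_ATTEMPTS = 5            # the attempt cap is what defeats online guessing of 6 digits
# Constructed key (assumption): a deployment would load this from a secret store.
SERVER_KEY = b"example-only-server-key-rotate-me"


@dataclass
class PendingCode:
    tag: bytes          # keyed MAC of the code; the plaintext code is never stored
    expires_at: float
    attempts: int = 0


def _tag(email: str, purpose: str, code: str) -> bytes:
    """MAC over (email, purpose, code): a sign-up code cannot be replayed as a
    reset code, and a leaked table alone cannot be brute-forced offline."""
    msg = f"{email.lower()}\x00{purpose}\x00{code}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


class OneTimeCodeStore:
    """Issues and redeems 6-digit codes for email verification and password reset."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be exercised in tests
        self._pending: dict = {}  # (email, purpose) -> PendingCode

    def issue(self, email: str, purpose: str) -> str:
        code = f"{secrets.randbelow(1_000_000):06d}"  # CSPRNG, zero-padded
        self._pending[(email.lower(), purpose)] = PendingCode(
            _tag(email, purpose, code), self._clock() + CODE_TTL_SECONDS)
        return code  # the caller emails this; only the MAC stays server-side

    def redeem(self, email: str, purpose: str, submitted: str) -> bool:
        key = (email.lower(), purpose)
        pending = self._pending.get(key)
        if pending is None:
            return False
        if self._clock() > pending.expires_at:
            del self._pending[key]  # expired: the user must request a fresh code
            return False
        pending.attempts += 1
        ok = hmac.compare_digest(_tag(email, purpose, submitted), pending.tag)
        if ok or pending.attempts >= MAX_ATTEMPTS:
            del self._pending[key]  # single use, or burned after too many wrong tries
        return ok


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AccountService:
    """Sign-up form -> emailed code -> verified account; one-time code for reset."""

    def __init__(self, codes: OneTimeCodeStore):
        self.codes = codes
        self.users: dict = {}  # in-memory stand-in for a user table (assumption)

    def register(self, name: str, email: str, password: str) -> str:
        salt = secrets.token_bytes(16)
        self.users[email.lower()] = {"name": name, "salt": salt, "verified": False,
                                     "pw": _hash_password(password, salt)}
        return self.codes.issue(email, "verify-email")  # delivered to the user by email

    def confirm_email(self, email: str, code: str) -> bool:
        user = self.users.get(email.lower())
        if user is None or not self.codes.redeem(email, "verify-email", code):
            return False
        user["verified"] = True
        return True

    def login(self, email: str, password: str) -> bool:
        user = self.users.get(email.lower())
        if user is None or not user["verified"]:
            return False  # unverified accounts cannot log in, so the first code is mandatory
        return hmac.compare_digest(_hash_password(password, user["salt"]), user["pw"])

    def request_password_reset(self, email: str) -> Optional[str]:
        # None for unknown addresses; the web layer answers identically either way.
        if email.lower() not in self.users:
            return None
        return self.codes.issue(email, "reset-password")

    def reset_password(self, email: str, code: str, new_password: str) -> bool:
        user = self.users.get(email.lower())
        if user is None or not self.codes.redeem(email, "reset-password", code):
            return False
        user["salt"] = secrets.token_bytes(16)
        user["pw"] = _hash_password(new_password, user["salt"])
        return True
```

The two properties worth copying are the purpose binding inside the MAC (a code issued for email verification is useless for a password reset, even for the same address) and the fact that the plaintext code exists only in the outgoing email: what the server keeps cannot be turned back into the code without SERVER_KEY, and the expiry plus the five-attempt cap keep a 6-digit space safe against online guessing.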

OMG noooo, that’s awful

Pretty much any login source will give you the tools needed for free: Microsoft, Google, Facebook, etc. I can’t imagine a scenario where I’d need to pay 44k/year.

Edit: I take that back. Pushing liability to someone else is a reason.

1 Like

Yeah, the “starting at 44,000 a year” kind of choked me up.

Descope looks to have a decent API we can/could possibly use via REST API calls.

Will bookmark that and then see what the client wants to do.

Simple for people to use is definitely a goal.

In most cases we use a similar email verification code system as described above.

For our more sensitive WebApps we’ve already implemented FIDO2 Passwordless Authentication, and the rest will follow.

Reason: we already have clients who do not buy our WebApps because they don’t at least cover 2FA (because of their internal policies).

1 Like

We’ve started leaning into Supabase for backends, and might switch completely.
Here is their section on auth, including third-party providers, pricing, etc.

1 Like