The worst login option is Google and Facebook, because they don’t allow creating separate accounts without identity verification by phone number or by connecting a phone with Google services. For now, other services still allow creating an account without linking your identity, but that won’t last long 😢
That's the point of OAuth, which is what you're seeing there.
The idea is that you're you and you have a... google account. This shitty little website doesn't want to be responsible for you login details, because those can get stolen. Maybe they contain an email address, which is a problem. Software needs to be updated, it's all a big. They don't want to touch anything in terms of security that identifies you as you.
Maybe all the website does is save your favorite pepe memes. They don't need anything else from you, but they still need to have something to get a user id and make sure nobody messes with your pepe meme collection. That's where this system comes in, because the rest of website becomes significantly easier. They don't need to store anything personally identifying, all they get is an ID and they can connect it with your pepes.
The only downside to OAuth is, as you can also see, that it's corpos you don't want to trust that are offering it.
There's really no reason something like that couldn't exist. A foundation would just have to decide to dedicate the resources to it.
The issue is it would have to gain significant adoption in order for web admins to think to include it. This list here is actually a lot larger than you usually see. It's often just the big 2 or 3.
That's... mostly because of popularity and it depends on whether some service is offering OAuth and if the website in question is using THAT identity provider.
Well there is that, but it also gets them potentially a whole bunch of extra info about you, and lets them link you up with data from other sites they may own or share data with.
It does tell you what you're about to give them, but 25+ years in the industry has taught me only too well that nobody ever reads anything ever.
Yeah, some of the same reason everyone uses stripe or PayPal for payment systems. If the site itself handles the cc info it holds all the liability, and has to pass rigorous POC testing and compliance.
Most users outside of Lemmy dgaf about corpos if it saves them having to type in an email address on their phone and get it right and then go to their email and then hit refresh a few times before going back and hitting send again and then checking their spam folder
i saw many that use the email as "convenience", as the user can later login with a magic link (i hate those!) without the oauth or even using another oauth service linked to the same email
Sorry, yes it is. I’d really prefer it if software developers would take this more seriously. Managing user credentials is a high risk burden that you should avoid if possible.
There are open source solutions to handle this effectively, which can be used in most projects; I would change the advice you gave to “ do not roll your own email verification, ever”
I wouldn’t change my advice. Even if you go Argon2id, you still have a creds database to protect. If you let that go it’s just a matter of time before it’s useful.
You could go webauthn, but now we are back to passkey or windows hello or whatever. Which is what I told op, they invented passkey, and it’s Still third party reliance.
Source: I’ve been a software architect for 25 years.
If one cannot protect their database, then there is a lot of other issues going on besides how one authenticates.
Over the years , I’ve read about some security issues with different social logins, and a few of them have been serious. One never knows when the next vulnerability is.
At the end of the day, everything has a vulnerability, and the best way to mitigate against that is best practices, and keeping up with news. That, and a bit of luck.
I have created my own login systems multiple times, and probably violated over a hundred best practices. I don’t know what a best login system looks like, but I have enough experience to find flaws with all of them now. And I am not confident in anything I use. Even if I only use battle tested systems made by large groups of peoples
This is precisely why you should really consider leaning into oauth, your users don’t want another unique password to manage, so guess what, when your creds database gets leaked, it’s not just your site that’s getting screwed.
Look, with new ai tools, security is a very scary place to live. I wouldn’t blow this off. Let the companies that invest millions in it manage this piece for you.
I've reached that point as well. Every new thing I sign up for I use an alias email, because I'm certain they'll sell my shit at some point, and I'd like to be able to know who did it.
If you use the same Google account for a bunch of different third party websites, Google gets to associate your activity on those websites to you, giving them more points of data about you. They wouldn't offer themselves as a login option if they didn't make money out of it.
Also if you use your Google email for many other services it becomes even harder to ditch Google afterwards.
Yes, I prefer an Email/password, too, so to depend less on third-parties, and keep it more transparent.
Yet, OAuth/OpenID is significantly easier legally and financially than Email processing (even via outsourced services as MailChimp) and store someone's personal information as Email address in databases, if compared to a social account ID, in long term.
Not only that, but OAuth providers have APIs to get sufficient User information, and regularly actualize, including: Name, Email (yet, by requested/allowed scope only), activity on that social network as posts/channels/followers count etc., which may be a requirement for their Staff/algorithms to determine the priorities for transactions/support and/or security involved.
This right here. I'd rather my email stay the source of truth for auth, but totally sympathize with website owners that don't want to store and protect any sensitive user data (like an email address and password).
I do wish some sites would offer the magic link option if they don't want to keep password hashes. It has problems too, but can be a simple way sometimes.
On some level I know the OAuth flow should be pretty safe. The idea that I have one identity that gets me into multiple sites makes a lot of sense. And I'm already using the same email in most places, so it's not like I'm anonymous anyway.
And yet... I can't convince my paranoia that 'sign in with Google' isn't oversharing. I always worry that authorizing with other sites will give too many permissions to see/alter Google/whatever data, or that clicking it will take me to a fake Google/whatever page where I give away my creds.
per oauth spec you get told what is shared. usually it's just your user id (which often is email or username), i haven't seen crazy scopes in the wild in a while
Some services even have an option to only share a dummy email and not your real. Apple for example does this, so all the site gets is "[email protected]" (don't know the exact format). And it is only tied to your real email address on apple's side
If i cant log in with an independent email then I'm not logging in.
I had the same problem yesterday as I was investigating tailscale. And while I get it for that service, there's no reason for some of the other services that ask me to link my other accounts to them as a means of logging in.
No. I will not consolidate my log-in profiles under companies that dont see me as a person, care about my privacy, and are working with hostile governments to track me.
I hate that I can't change the auth method. I'm stuck with github. And for the life of me can't figure out how to change to anything else. The option is not there were help says it should be, and support doesn't care. My only choice is to scrap everything and start a new network from scratch.
I can see how they got there from the implementation side. There's a library they used for their site, maybe a CMS, where all those choices are just a click away. But for email they have to get their hands on an SMTP server. And that takes non-zero effort.
I feel conflicted. OAuth gets a lot correct in so far as most sites don't have to deal with a lot of difficult auth bits, but also I don't like having to rely on big (usually social media) companies to be the auth source.
I think about dnssec a lot.
It feels to me like there should be some form of public key infrastructure where there is a global root key (or short list of) then providers that can issue certificates out to other smaller organizations or individuals who could then use that source of trust to prove who they are. Imagine OAuth but you could just fill in your provider of choice (self hosted?) and if the certs checked out everything would verify correctly.
That being said who does the bits around ensuring that you are who you say you are. I suppose a government body running such a system could work though I sweat at the idea of going to the dmv to reset a forgotten password or report a stolen identity.
Idk maybe if I think about this enough I can come up with a cryptography secure system...
In the EU, plenty of national ID systems exist. A world where a unified standard exists for these systems and I can just use the "EU login" standard instead of having to rely on a specific (usually American) vendor to manage my auth would be great.
VK is a Russian Facebook equivalent, invented by Pavel Durov who himself was eventually cast out of Russia and went on to build and run Telegram. I think he's in France.
I've always thought it was amazing that Pornhub offers to let you sign in with something -- I can't remember if it was Google or Facebook or something.
There really can't be many people who use that, can there?
They get less info… oauth is used do you can handle less customer data and so you don’t have to worry about leaking a bunch of usernames and passwords…
Because we are employed developers and this is what the bosses wanted. There are lots of things I made that make me facepalm or I think is stupid but im a peon and my only other option is to find a different job. Where there will also be dumb shit I have to code for a paycheck.
Also it kinda depend on how much you trust the website security and how much precaution you have. For general public who don't really know how to protect themselves against hacking and databreach(those who might not know the existence of password manager), the option of letting a giant corpos handle the login is much better than to just blindly trust the website.
Also money.
Also the website might not want to build and maintain their own database for this(which cost money), so they outsource the login to other company.
I want to login with my butthole print. Did you know that no butthole is the same?
Problem is with general cleanliness. Like the Japanese with their bidet's, they wouldn't have a problem signing in because the print is always a clean print.
There's also hemorrhoids and other temporary deformations of the butthole that take some time to repair. I mean with hemorrhoids you'll be waiting there for a week. But what if you just had a big poop. Well, it might help deter criminals trying to ping the machine too quickly.
A SAML token verification can be implemented correctly in under 50 lines of code. (Without needing anything beyond a basic crypto library for decryption and signature checks ) then you just have a SAML identity to user account mapping table (so that they can have multiple SAML providers and retain access or switch between different accounts).
But yeah, some shady sites use it to get your name and other information. (Which SAML providers should properly inform you about, as they are the ones packing that data based on what the receiving has registered)
not 100% related but i think login should be less user friendly
"here take this 512 byte hash and store it and it's you and if you lose it or have it stolen i couldn't care less"
email verification is hard to do right (as said in top reply), oauth is annoying to get set up but more secure and all big providers have fancy recovery and login methods
I very much agree. I've always loved how Mullvad VPN and SMSPool have handled logins in this kind of fashion. It's just much more convenient than e-mail + password.
Apple’s presence is good because it’s a privacy anonymizing service that obscures your email and forwards anything to an email of your choice and logins/connections can be deleted at any time.
And it was introduced in response to the long existing proliferation of login with Google and Facebook and similar schemes. They forced it using their App Store because otherwise no company would go for the user identity obfuscation over the already existed for years privacy invasive alternatives. Apple came late and forced companies to allow their privacy obfuscation alternative. Note: though it often is more private some sites can request additional data from Apple same as from Google and Facebook such as your name. Apple is no worse and often better overall as a choice just the same though it’s best to avoid these types of login IMO.
I'm sorry that you feel the need to attack me personally to defend a faceless trillion dollar corporation that's "having your best interest at heart"
Let's lay out the facts:
Apple is now sellings ads and harvesting data
Thay are gutting the icloud private mail feature soon
If they really care about others invading user privacy with that feature is the correct response implement the same thing and harvesting the same data?
They will not give you brownie points for this post
Feel free to take these (or not). I have my conviction and you have yours. I'm not looking to change it.
The worst login option is Google and Facebook, because they don’t allow creating separate accounts without identity verification by phone number or by connecting a phone with Google services. For now, other services still allow creating an account without linking your identity, but that won’t last long 😢
Harder, actually.
That's the point of OAuth, which is what you're seeing there.
The idea is that you're you and you have a... google account. This shitty little website doesn't want to be responsible for you login details, because those can get stolen. Maybe they contain an email address, which is a problem. Software needs to be updated, it's all a big. They don't want to touch anything in terms of security that identifies you as you.
Maybe all the website does is save your favorite pepe memes. They don't need anything else from you, but they still need to have something to get a user id and make sure nobody messes with your pepe meme collection. That's where this system comes in, because the rest of website becomes significantly easier. They don't need to store anything personally identifying, all they get is an ID and they can connect it with your pepes.
The only downside to OAuth is, as you can also see, that it's corpos you don't want to trust that are offering it.
Okay, but where is the link to this Pepe memes page?
Yeah show us deh memes
Unfortunately that was just an example.
While I get that, it is still unfortunate that no open-source, trusted variant can be part of the usual ways.
There's really no reason something like that couldn't exist. A foundation would just have to decide to dedicate the resources to it.
The issue is it would have to gain significant adoption in order for web admins to think to include it. This list here is actually a lot larger than you usually see. It's often just the big 2 or 3.
I might trust Mozilla and I already have an account...
That's... mostly because of popularity and it depends on whether some service is offering OAuth and if the website in question is using THAT identity provider.
For example, mastodon is technically offering it.
https://github.com/mastodon/mastodon/pull/16221
but this is the docs page:
https://docs.joinmastodon.org/admin/optional/sso/
So the answer in this case is to just grow, promote and support what we're already doing: fediverse stuff.
Even something like bitwarden would be nice
Exactly!
They can? They are in some cases!
Just usually indie stuff. There's Login With Mastodon on plenty of websites.
Actually, there are some open-source self-hosted alternatives like Hydra but no one implements it :( I have seen only 1 site that support it
Was just about to say getting Auth right is super hard. Getting someone else to do it for you is a godsend.
Well there is that, but it also gets them potentially a whole bunch of extra info about you, and lets them link you up with data from other sites they may own or share data with.
It does tell you what you're about to give them, but 25+ years in the industry has taught me only too well that nobody ever reads anything ever.
Yeah, some of the same reason everyone uses stripe or PayPal for payment systems. If the site itself handles the cc info it holds all the liability, and has to pass rigorous POC testing and compliance.
I have no account with the above. I wouldn't make one for being able to use another service.
No idea what the product is here, but I guess I'm not their target audience. Which is fine.
Just have a spam account?
[email protected] for e.g.
That's the OP's point - logging in by email is not an option.
A gmail account is a Google account.
I said email, not gmail.
There are thousands and thousands of email providers. Gmail is only one of them.
And even if your email is a gmail account, you may not want to associate your google account with the service, just the email address.
They're saying get a spam Gmail account then you can use it for oauth.
Use a fake email as my id? No, I'm not doing that.
Most users outside of Lemmy dgaf about corpos if it saves them having to type in an email address on their phone and get it right and then go to their email and then hit refresh a few times before going back and hitting send again and then checking their spam folder
But most oauth implementations use the user email as identifier so they get the email anyway
All the smarter ones don't because an email can change, your google account unique id will not, that's the purpose of account IDs.
I won't deny that many people/websites probably do use email though. Which is bad. But I can't deny that that probably is what is happening.
i saw many that use the email as "convenience", as the user can later login with a magic link (i hate those!) without the oauth or even using another oauth service linked to the same email
I don't know, man, I don't want anyone that doesn't understand or doesn't give a shit about security trying to implement it.
That's just a recipe for bad things.
It reminds of this:
There were more options on the website, but I forgot the name of the website, and I cannot find it now... :(
This is the one that came to my mind. Much funnier
Finally! I can log in using potatoes 🥔
What!? I can't even log in using my PornHub credentials? Fucking amateurs.
Don't worry. That option was there as well.
However, depending on the website it may require your watch history before allowing you to login.
How is it login with YouTube and login with Google two different things. It's the same login.
What website is this?
It's kirka.io.
Kirka rolling in his grave
Securely? Very fucking difficult.
No it’s not.
securely
Sorry, yes it is. I’d really prefer it if software developers would take this more seriously. Managing user credentials is a high risk burden that you should avoid if possible.
There are open source solutions to handle this effectively, which can be used in most projects; I would change the advice you gave to “ do not roll your own email verification, ever”
I wouldn’t change my advice. Even if you go Argon2id, you still have a creds database to protect. If you let that go it’s just a matter of time before it’s useful.
You could go webauthn, but now we are back to passkey or windows hello or whatever. Which is what I told op, they invented passkey, and it’s Still third party reliance.
Source: I’ve been a software architect for 25 years.
If one cannot protect their database, then there is a lot of other issues going on besides how one authenticates.
Over the years , I’ve read about some security issues with different social logins, and a few of them have been serious. One never knows when the next vulnerability is.
At the end of the day, everything has a vulnerability, and the best way to mitigate against that is best practices, and keeping up with news. That, and a bit of luck.
I have created my own login systems multiple times, and probably violated over a hundred best practices. I don’t know what a best login system looks like, but I have enough experience to find flaws with all of them now. And I am not confident in anything I use. Even if I only use battle tested systems made by large groups of peoples
This is precisely why you should really consider leaning into oauth, your users don’t want another unique password to manage, so guess what, when your creds database gets leaked, it’s not just your site that’s getting screwed.
Look, with new ai tools, security is a very scary place to live. I wouldn’t blow this off. Let the companies that invest millions in it manage this piece for you.
If I don’t have the option to use email or continue as guest I refuse to use whatever the site or app is.
Is bugmenot still a thing?
Died years ago.
Rip
I've reached that point as well. Every new thing I sign up for I use an alias email, because I'm certain they'll sell my shit at some point, and I'd like to be able to know who did it.
Datamining.
What do they get that you wouldn't get from signing up regularly ?
If you use the same Google account for a bunch of different third party websites, Google gets to associate your activity on those websites to you, giving them more points of data about you. They wouldn't offer themselves as a login option if they didn't make money out of it.
Also if you use your Google email for many other services it becomes even harder to ditch Google afterwards.
and what does that have to do with the random website that uses it for oauth?
The website doesn't have to handle the code and security for their own login system, which reduces costs for them too.
right… so it’s not data mining it’s just easier to maintain
somehow op has 46 upvotes for something that’s wrong
Easier to maintain for the website. Data mining for the login partner.
Money.
Yes, I prefer an Email/password, too, so to depend less on third-parties, and keep it more transparent.
Yet, OAuth/OpenID is significantly easier legally and financially than Email processing (even via outsourced services as MailChimp) and store someone's personal information as Email address in databases, if compared to a social account ID, in long term.
Not only that, but OAuth providers have APIs to get sufficient User information, and regularly actualize, including: Name, Email (yet, by requested/allowed scope only), activity on that social network as posts/channels/followers count etc., which may be a requirement for their Staff/algorithms to determine the priorities for transactions/support and/or security involved.
This right here. I'd rather my email stay the source of truth for auth, but totally sympathize with website owners that don't want to store and protect any sensitive user data (like an email address and password).
I do wish some sites would offer the magic link option if they don't want to keep password hashes. It has problems too, but can be a simple way sometimes.
On some level I know the OAuth flow should be pretty safe. The idea that I have one identity that gets me into multiple sites makes a lot of sense. And I'm already using the same email in most places, so it's not like I'm anonymous anyway.
And yet... I can't convince my paranoia that 'sign in with Google' isn't oversharing. I always worry that authorizing with other sites will give too many permissions to see/alter Google/whatever data, or that clicking it will take me to a fake Google/whatever page where I give away my creds.
Technically, using an email and password is being dependent on more 3rd parties to keep your information safe.
Third parties that are getting one of maybe 6 emails and a unique password?
I'll take my chances.
If you log in with social media, they get more than your email address. Data mining.
They do not, normally, unless you specifically allow that. Yet, indeed, many services enable/require quite permissive scopes by default.
so they mostly do…
per oauth spec you get told what is shared. usually it's just your user id (which often is email or username), i haven't seen crazy scopes in the wild in a while
Some services even have an option to only share a dummy email and not your real. Apple for example does this, so all the site gets is "[email protected]" (don't know the exact format). And it is only tied to your real email address on apple's side
Regardless of your privacy choices, if you are using a shared login, that activity is connected with your broader profile.
If i cant log in with an independent email then I'm not logging in.
I had the same problem yesterday as I was investigating tailscale. And while I get it for that service, there's no reason for some of the other services that ask me to link my other accounts to them as a means of logging in.
No. I will not consolidate my log-in profiles under companies that dont see me as a person, care about my privacy, and are working with hostile governments to track me.
Semi-Anonymous or nothing. Period.
I host my own headscale instead
I believe they have passkey as an option now
I hate that I can't change the auth method. I'm stuck with github. And for the life of me can't figure out how to change to anything else. The option is not there were help says it should be, and support doesn't care. My only choice is to scrap everything and start a new network from scratch.
I can see how they got there from the implementation side. There's a library they used for their site, maybe a CMS, where all those choices are just a click away. But for email they have to get their hands on an SMTP server. And that takes non-zero effort.
Exactly this
I feel conflicted. OAuth gets a lot correct in so far as most sites don't have to deal with a lot of difficult auth bits, but also I don't like having to rely on big (usually social media) companies to be the auth source.
I think about dnssec a lot.
It feels to me like there should be some form of public key infrastructure where there is a global root key (or short list of) then providers that can issue certificates out to other smaller organizations or individuals who could then use that source of trust to prove who they are. Imagine OAuth but you could just fill in your provider of choice (self hosted?) and if the certs checked out everything would verify correctly.
That being said who does the bits around ensuring that you are who you say you are. I suppose a government body running such a system could work though I sweat at the idea of going to the dmv to reset a forgotten password or report a stolen identity.
Idk maybe if I think about this enough I can come up with a cryptography secure system...
You just invented passkey with oauth.
In the EU, plenty of national ID systems exist. A world where a unified standard exists for these systems and I can just use the "EU login" standard instead of having to rely on a specific (usually American) vendor to manage my auth would be great.
Just as long as it can be run in capitalism!
That's like every freaking store offering me a "points" plan. All this shit is getting out of hand already.
I've always hated that shit. Why would I want to add dependencies to my fucking logins?
VK? The Russian porn site?
What is VK?
I believe it's vkontakte, basically a russian facebook.
Oh TIL
VK is a Russian Facebook equivalent, invented by Pavel Durov who himself was eventually cast out of Russia and went on to build and run Telegram. I think he's in France.
No, he ist in Dubai
Ah, the easiest way to know if someone is an asshole.
- https://vk.com/
- https://vkvideo.ru/
- https://live.vkvideo.ru/
- https://id.vk.com/about/id
Well I'm not clicking that
Used to be real good for leaked music, specifically EDM stuff. I'm not as into the scene as I once was so I dunno if that remains.
"Oderint dum metuant", indeed.
Mkay...
Sounds like an STD.
It is.
#feudalism
I dislike sites like this, I usually click away or just don't sign up
Oauth should become federated, just as email.
Then the browser should generate the buttons based on which oauth services you actually use.
Aren't you just describing OpenID at that point? Implementation and adoption has been uneven, but the standard complements OAuth.
The problem is the activitypub and Oauth are two very different ideas... one is so posts from one server show up on another and one is who are you?
How would you store and trust private keys?
Whatever site that is, I dont need to be there.
Guess I’m not logging in
Can I login with Pornhub?
I've always thought it was amazing that Pornhub offers to let you sign in with something -- I can't remember if it was Google or Facebook or something.
There really can't be many people who use that, can there?
Because for the vast majority of people yet another password, or even yet another 2FA code is an anti-feature.
Collecting as much data they possibly can to increase the value of the data. Bottom line: more info=more money
They get less info… oauth is used do you can handle less customer data and so you don’t have to worry about leaking a bunch of usernames and passwords…
No login with GitHub or X? Tsk tsk
People need to stop using xitter
I haven’t “used it” in years. I just keep the account alive because of OAuth and other factors.
Because we are employed developers and this is what the bosses wanted. There are lots of things I made that make me facepalm or I think is stupid but im a peon and my only other option is to find a different job. Where there will also be dumb shit I have to code for a paycheck.
Money.
Also it kinda depend on how much you trust the website security and how much precaution you have. For general public who don't really know how to protect themselves against hacking and databreach(those who might not know the existence of password manager), the option of letting a giant corpos handle the login is much better than to just blindly trust the website.
Also money.
Also the website might not want to build and maintain their own database for this(which cost money), so they outsource the login to other company.
And also money.
I want to login with my butthole print. Did you know that no butthole is the same?
Problem is with general cleanliness. Like the Japanese with their bidet's, they wouldn't have a problem signing in because the print is always a clean print.
There's also hemorrhoids and other temporary deformations of the butthole that take some time to repair. I mean with hemorrhoids you'll be waiting there for a week. But what if you just had a big poop. Well, it might help deter criminals trying to ping the machine too quickly.
American high-school athletes in conservative states: Log in with genital verification.
Right? It's demented!
A SAML token verification can be implemented correctly in under 50 lines of code. (Without needing anything beyond a basic crypto library for decryption and signature checks ) then you just have a SAML identity to user account mapping table (so that they can have multiple SAML providers and retain access or switch between different accounts).
But yeah, some shady sites use it to get your name and other information. (Which SAML providers should properly inform you about, as they are the ones packing that data based on what the receiving has registered)
I have seen multiple implementations of SAML logins, and I have never seen one with less than 500 LoC, and mutliple layers of complexity.
On the other hand I have migrated some (1 i did myself, 2 i just witnessed) of these SAML logins to oauth, and then it became actually 50 LoC.
Were they generated by chatGPT?
no.
Cos fuck you, that's why.
not 100% related but i think login should be less user friendly
"here take this 512 byte hash and store it and it's you and if you lose it or have it stolen i couldn't care less"
email verification is hard to do right (as said in top reply), oauth is annoying to get set up but more secure and all big providers have fancy recovery and login methods
no oauth? get the hash or go away
I very much agree. I've always loved how Mullvad VPN and SMSPool have handled logins in this kind of fashion. It's just much more convenient than e-mail + password.
The apple one is enforced by apple if you want to go on the app store. The rest follows. Personally I blame apple for starting this bullshit.
Then you’re very ignorant.
Apple’s presence is good because it’s a privacy anonymizing service that obscures your email and forwards anything to an email of your choice and logins/connections can be deleted at any time.
And it was introduced in response to the long existing proliferation of login with Google and Facebook and similar schemes. They forced it using their App Store because otherwise no company would go for the user identity obfuscation over the already existed for years privacy invasive alternatives. Apple came late and forced companies to allow their privacy obfuscation alternative. Note: though it often is more private some sites can request additional data from Apple same as from Google and Facebook such as your name. Apple is no worse and often better overall as a choice just the same though it’s best to avoid these types of login IMO.
I'm sorry that you feel the need to attack me personally to defend a faceless trillion dollar corporation that's "having your best interest at heart"
Let's lay out the facts:
Feel free to take these (or not). I have my conviction and you have yours. I'm not looking to change it.
Wtf is the difference between login with google and login with YouTube?
You could technically have a youtube account older than Google's purchase of it that would not also work for the Google login.
Because data collection. Trade simplicity for data collection.
Can I log in via dick cage?
I guess the silver lining is ya can get 7 months of any "1 month free" subscription without having to create a new account.