I think we should slightly rethink how login works on most Fediverse apps (Mastodon, Lemmy, but not only) - eviltoast

A while ago I posted a thread back on the

spoiler

spez
::: website, with a personal opinion on why the Fediverse seems a bit complicated. It basically goes like this: Mastodon (and pretty much every Fediverse project out there) is based on the idea of using multiple websites.

This is not really a problem on the desktop, as you’re using the browser to log in to the Fediverse. You go to mastodon.social or lemmy.world, maybe bookmark these, and you log in as normal (if you do not check the remember me option at login). Same goes with Facebook, with Xitter, with the

spoiler

spez
::: website etc.

Alright, but the newer generations (not everyone, but many folks part of them) rather use apps instead. And what do these apps do? Present a login screen with fields only for the username and the password (at most).

What are the Fediverse apps doing? They are also asking for the website where they would log you in. So you go open e.g. the Mastodon app, then type the website that you need to access (which in many cases it might not contain the word Mastodon in it), and only then you can enter the credentials.

What am I asking now (especially app developers): Wouldn’t it be better (if doable) to take some cues on how actually email (and XMPP for that matter) works, and ask the user for the username and the password instead in one go?

Like, everyone knows how to use email, everyone is familiar with that. And as I mentioned, XMPP is also doing it as well:

Gajim account login screen

Wouldn’t it be doable?

  • WhoLooksHere@lemmy.world
    link
    fedilink
    English
    arrow-up
    9
    arrow-down
    1
    ·
    6 months ago

    So who stores the login information? This is fundamentally the question here.

    If you store it centrally you only need to ask for username/password combo.

    But then someone needs to store it at a central location for everyone to check against.

    If it’s not centralized than the user needs to provide it

    Email has a hidden trick up its sleeve and that’s the domain name. In order for an email to be valid, the domain name must contain email info on its DNS records. There’s where you can imply knowledge about where the email/message is to go.

    But here in lemmy, my email is just Gmail. There’s no way to find the information on where authentication could be located. Which brings me back to the top of centralization vs decentralization.

    • marcos@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      6 months ago

      What I understand the idea is to ask you to enter WhoLooksHere@lemmy.world in the username, and your lemmy.world password.

      What I understand is happening (from the comment, because I don’t use apps) is that the app first expects you to choose lemmy.world in a list, and then asks you about your name and password.

      Honestly, I have no idea what is easier for anybody. Both seem very equivalent to me. Also equivalent would be asking the server, username and password on the same screen.

      • Almrond@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        6 months ago

        To be fair, I use Summit and it just gives you one login box with a drop-down menu that has all of the major instances in it. I think it’s an implementation issue more than a design issue

  • NarendraCzar@lemmy.dbzer0.com
    link
    fedilink
    arrow-up
    6
    ·
    6 months ago

    My 2c: People find Mastodon/the Fediverse difficult because it was thought for desktop web browsing first. Question

    I don’t know if anyone realized this, but there is a significant difference between logging in to a Fediverse service vs. a centralized service on mobile, compared to logging to a Fediverse service vs. centralized service on the desktop. So let’s round them up. Let’s compare logging in to Facebook vs. logging in to a Mastodon instance (that is not .social, since we strive for decentralization, right?)

    How to log in to Facebook on the desktop:

    Open your browser
    Go to facebook.com
    Enter your login details
    Press Log In
    

    All you need is a username and a password.

    How to log in to a Mastodon server on the desktop:

    Open your browser
    Go to the server website
    Enter your login details
    Press Log In
    

    So far so good, right? Everything seems normal, all the steps are all it takes to log in on both sites. Now let’s switch over to your mobile phone and log in to Facebook (presume you have all the apps needed installed beforehand):

    Open the Facebook app
    Enter your login details
    Log in.
    

    Now let’s switch over to Mastodon:

    Open the Mastodon app (of your choice)
    Type in the server you have your account on
    Enter your login details
    Log in
    

    See the difference? Your app is not an app, but rather a browser as well. Instead of the app directing you wherever you need, you have to tell the app where to go.

    Now, for people like you and me, who might have had the internet experience before the smartphone was so popularized, this might not really be such an issue. We know how to open websites and browse the web. But for those who grew during the smartphone age, this is a significant burden they need to overcome. They need to remember, like, 3 things, instead of just two: the username, the password and the website. This is not necessary for the likes of Facebook (as in my example), where only 2 things need to be known: the username and the password. One less thing to remember is always better.

    And I would also argue that among the former group, there might be also people who might not understand: hey, I downloaded an app, why do I have to type in the website as well in there? Don’t I have a browser if I need to type out websites?

    I intentionally omitted the fact that on the official Mastodon app, you need to select the option to join another server or whatever, so an extra button, in order to simplify things and keep it more in line to how other apps ask you to do.

    So I only see two solutions to this problem, as more and more people access their services via an app, rather than a browser:

    Make the app use the email address of the user and the password, as present on that specific server, and interrogate all servers (would also be a tremendous hassle and might even pose a security threat).
    Make the Fediverse even more like email and ask people only for their Fediverse address and their password - this is also more in line to how email clients work. The user would not have to bother to remember the website name, so that would be an extra.
    

    I also find more fitting to call servers/instances websites instead when talking to absolute beginners, because that’s what any of these people see in front of them when they open a browser. Not a server, not an “instance”, but a humble website where it says powered by Mastodon.

    Here are my 2c about this. What do you think?

  • ericjmorey@discuss.online
    link
    fedilink
    English
    arrow-up
    5
    ·
    6 months ago

    Wouldn’t it be better (if doable) to take some cues on how actually email (and XMPP for that matter) works, and ask the user for the username and the password instead in one go?

    I have to give my email app a lot more information than a username and password. So I’m not sure what you’re envisioning.

  • Noogs@lemmy.noogs.me
    link
    fedilink
    English
    arrow-up
    4
    ·
    6 months ago

    I don’t know enough about the fediverse or Lemmy code to say how easy or hard this would be to implement but if we’re logging in with the username noogs@lemmy.noogs.me for example, it’s reasonable for the app to assume the server is located at lemmy.noogs.me and it can derive the likely URL of https://lemmy.noogs.me from that. The only case this wouldn’t work is if your instance is running on a port other than 443 because then we need some way to tell the app what the port should be.

    Email (or at least Microsoft Exchange email) uses a protocol called autodiscover for this which uses DNS to tell an email client where to get connection information from, it then polls that URL for the information and configures the email client automatically. Using a similar DNS based approach may be useful as well.

  • Kaldo@kbin.social
    link
    fedilink
    arrow-up
    3
    ·
    6 months ago

    I wish i could host my own simple lightweight identity provider and authenticator that is used for fediverse instead of creating accounts everywhere. Relying on fediverse to maintain both content, but also account info, seems like a really bad idea in retrospect (even if one day we get proper ways to migrate accounts but not even Mastodon does that well yet).

    It’s probably be relatively easy to establish services offering these for less tech savvy people later so they can just have a central identity service with which they can roam around in any fediverse they want later.

  • secret300@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    2
    ·
    6 months ago

    I mean yeah that would be alright but like… Is it that hard to type a website? And most apps you don’t have to, it’ll list like the top 30 instances to just select from

    • ginerel@kbin.socialOP
      link
      fedilink
      arrow-up
      1
      ·
      6 months ago

      It’s not really hard to type a website, it’s rather hard to remember it. You remember your username. Okay. But where were you? mastodon dot what?

      When you use your full address, it’s not that hard to remember it.

  • h3ndrik@feddit.de
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    6 months ago

    I’d agree. Either have a “Register” link that leads you to a website explaining how to choose an instance and register there. Or maybe a drop-down menu with choices of instances and you can put in custom text if your instance isn’t amongst the defaults. That’s certainly not ideal as it prefers some instances over others, but maybe okay. Regardless, the onboarding process could be easier.

    (And do away with the passwords, I think they’re an annoying concept and should go away for good in the future.)

  • NarendraCzar@lemmy.dbzer0.com
    link
    fedilink
    arrow-up
    1
    ·
    6 months ago

    Pixelfed have a simple workaround Finding usernames on servers and choosing between those I’m that Gen-z app only kid and i also use a password manager like bitwarden/keypassxc to store all my passwords