I lost two weeks by using Google Auth and Auth0

I lost two weeks of my life by following this advice: “use other tools to save time, release faster”.

The initial setup and the interest I’ve been paying since then make it one of my most painful mistakes.

My first mistake: Google Auth

I like using Google Auth myself. It makes the signup process much faster and more convenient (yay, no passwords!).

I spent a day implementing it for Syften. I decided it was enough to start with and released the first version of my app.

A few users complained that they wanted to be able to create an account with a login and password. Despite the complaints, they logged in with Google Auth anyway. I added that to my to-do list but didn’t prioritize it for now.

Being the typical coder-founder that I was though, I somehow thought that adding more auth methods, such as Twitter and GitHub, would be a great thing to focus on next. But those weren’t as well documented and caused me a headache to implement. Which led me to…

My second mistake: Auth0

Auth0 is an online tool that describes itself as: “Basically, we make your login box awesome.”

They promised to alleviate all of my problems. Google, Twitter, GitHub, plus login and password - all in one package. They handle forgotten passwords, they send confirmation emails. “Wow, that’s going to save me a ton of work, nice!”.

It took me two days to figure out their UI and have something working. Okay, I wasted almost a week on this by now, but at least I’ll never have to worry about it again, right?

The problem with Google Auth

It turns out that people forget which method they used to create their accounts.

I received way too many support tickets complaining that “it’s saying my account doesn’t exist”.

One time was particularly bad. I was working on new code to clean up old accounts. It’s always stressful to release code that removes something from the database, so I made extra sure everything worked as it was supposed to. I deployed it and went to bed.

In the early morning, I see a support message on my phone: “All my settings have disappeared!”. Suffice it to say, I did not need my morning coffee. I ran to my computer and investigated.

It turned out that the user originally created an account with login/password, and this morning signed in with Google Auth. He saw a brand new account and thought his old one got nuked.

Enough is enough. I did some calculations.

Exactly 1.8% of all of my users created a duplicate account, and just as many raised a support ticket that their account “doesn’t exist”.

If that wasn’t enough, some users logged in with Google Auth, tried the tool, liked it, purchased a subscription, and then wanted to share the login details with their team. In this case, I had to ask them to create a new login/password account and manually copy over the configuration in the database. Half an hour wasted for me and significant annoyance for the user.

The problem with Auth0

It’s problematic for the user

They do nothing to help people remember which auth method they used.

And it’s so easy to do: if someone is signing in with Google Auth, just check if the same email exists in the database. If so - tell the user.

But instead, they happily allow the creation of a new account.

It’s problematic for the coder

They’re very inflexible if you want to use “advanced” features, such as being notified when a user verifies their email address.

You can do that if you learn their scripting language. “Perhaps I should give in and just do it? It’s just one-and-done after all”. Then one day I got an email that they were making one of their js libraries obsolete and everybody must upgrade.

That’s a never-ending time sink if I’ve ever seen one!

It’s problematic for the founder

In an attempt to lock you in, they won’t easily share the password hashes that they collected for your users.

They say it’s for “security” reasons. But isn’t storing the password in a bcrypt hash secure enough?

After paying them, you must email their support. Then they “offer no guarantees” about how fast they’ll respond to your request to export the hashes.

Even if you’re happy to pay their export fees, good luck with your migration. Especially if you had some signups in the time since they sent you the hashes and the time you deployed your new version.

I ended up doing what I should have from the start

I wrote my own login/password auth form.

During login, I ask all existing users to reset their passwords. I don’t support Google, Twitter or GitHub auth anymore. Just plain old login and password.

My brand new login screen


I made it as simple as I could. You don’t need to re-type your password, your browser probably generates it automatically anyway. And I don’t need your first name, company name or address. I just need your email and password. I use the same form for login and signup.
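The two ideas above (the "check whether this email already exists before creating a Google-auth account" rule, and a single email/password form that serves both login and signup) fit in one small handler. The code below is an added illustration written for this post, not Syften's own code or Auth0's API; the `AccountStore` class, the `Outcome` and `Method` enums and the in-memory user dictionary are all assumptions made for the example, and the Google sign-in path assumes it is handed claims from an ID token that has already been validated upstream.

```python
"""
Added example, not the code of the app described in the post.

Two entry points on one account store:
  * google_sign_in(): on a Google sign-in, look the email up first and, if an
    account already exists with another method, report that instead of
    silently creating a duplicate (the behaviour the post asks for).
  * password_login_or_signup(): one form for both login and signup, keyed on
    email + password only, with the same "exists with another method" check.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Method(Enum):
    PASSWORD = "password"
    GOOGLE = "google"


class Outcome(Enum):
    SIGNED_IN = "signed_in"
    CREATED = "created"
    EXISTS_WITH_OTHER_METHOD = "exists_with_other_method"  # tell the user which one
    UNVERIFIED_EMAIL = "unverified_email"
    BAD_PASSWORD = "bad_password"


@dataclass
class User:
    email: str
    methods: Set[Method]
    salt: Optional[bytes] = None
    pw_hash: Optional[bytes] = None


def _hash_password(password: str, salt: bytes) -> bytes:
    # Stdlib KDF so the example runs anywhere; a bcrypt/argon2 library is the usual choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class AccountStore:
    """Hypothetical in-memory user table, keyed by normalised email."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    @staticmethod
    def normalise(email: str) -> str:
        # Same person, same key, regardless of capitalisation or stray whitespace.
        return email.strip().lower()

    def google_sign_in(self, email: str, email_verified: bool) -> Tuple[Outcome, Optional[User]]:
        # Assumes `email` / `email_verified` come from an already-validated Google ID token.
        # Only a provider-verified email may be matched against existing accounts; otherwise
        # anyone who can register a Google identity with a chosen address could be linked to it.
        if not email_verified:
            return Outcome.UNVERIFIED_EMAIL, None
        key = self.normalise(email)
        user = self.users.get(key)
        if user is None:
            user = User(email=key, methods={Method.GOOGLE})
            self.users[key] = user
            return Outcome.CREATED, user
        if Method.GOOGLE in user.methods:
            return Outcome.SIGNED_IN, user
        # The check the post wanted: the address is known, but via another method.
        return Outcome.EXISTS_WITH_OTHER_METHOD, user

    def password_login_or_signup(self, email: str, password: str) -> Tuple[Outcome, User]:
        key = self.normalise(email)
        user = self.users.get(key)
        if user is None:
            # Unknown email on the combined form means signup.
            salt = os.urandom(16)
            user = User(email=key, methods={Method.PASSWORD},
                        salt=salt, pw_hash=_hash_password(password, salt))
            self.users[key] = user
            return Outcome.CREATED, user
        if Method.PASSWORD not in user.methods:
            return Outcome.EXISTS_WITH_OTHER_METHOD, user
        # Known email with a password: verify in constant time.
        if hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash):
            return Outcome.SIGNED_IN, user
        return Outcome.BAD_PASSWORD, user


if __name__ == "__main__":
    store = AccountStore()
    print(store.password_login_or_signup("alice@example.com", "correct horse")[0])
    print(store.google_sign_in("Alice@Example.com", email_verified=True)[0])
```

The `EXISTS_WITH_OTHER_METHOD` outcome is what the UI turns into "you already have an account, sign in with your password" (or the reverse), which is exactly the message Auth0 never showed. Note the trade-off the post accepts: any flow that says "this email already has an account" confirms to whoever typed it that the address is registered, so the message should be worded without leaking anything beyond that, and the form should be rate-limited like any other login endpoint.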

Two days of work to migrate. No auth-related support tickets since then.

Bonus

I couldn’t help but laugh when I tried to check out SparkToro. Their system told me I already had an account, so I reset my password and got this email:

I'm sure they're not regretting their decision
