Monday, January 20, 2014

Apple App Store Rejects Web-Based Login Applications

I'm a big believer in federated logins, where smaller apps delegate logins to a well-known & trusted third party (like Twitter, Facebook, etc). This is partly because I'm strategically lazy (and a good auth system is not easy), but primarily because I believe the "yet another password" or "password hell" issues that users face are very real. Every time you ask a user to remember another account and password, there are a few common reactions:

  1. The user will simply walk away (most common)
  2. They will create an account, but they will reuse a password they've used elsewhere
  3. They will create an account and a unique password, but will have difficulty remembering it and will:
    • Write it down somewhere (!)
    • Use a ridiculously simple password
    • Forget it and depend on password recovery later on

Sure, there are power users who have mnemonics or other patterns to create memorable and secure passwords, but they're exceedingly rare. So with that said, I tend to favor asking a user to use a login that they're already likely to remember. This relationship is even better when the big guys, like Google, already offer a battle-tested platform complete with great add-ons like 2-factor authentication.

So imagine my surprise to see that Apple is rejecting apps that use federated authentication!