20
26 Comments

I Made a Mistake That Costs me 612 Users

  1. 5

    In today's world I pretty much only use federated login providers. The reason being that they offer at least 3 factor auth, I don't need a new password, and no verification flow.

    Verifying your email is critical, otherwise people will exploit your interface to spam others. I can make tons of accounts with others' emails, and you will email them. That's a great way to hit others and punish you in the process, driving your email domain reputation down. Another problem with this is flow: you don't ever want to force the user to leave the app to go to email to sign up; this has the same problems as passwordless authentication using email. If you force them to leave, they probably will never come back.

    Skipping the password flow is critical, and another good thing to know about app versus desktop is that typing anything, let alone repeating the same characters, is a huge pain. Your app will not get users if you force everyone to enter a password; it has to be click to log in. Your app is not important enough to require my remembering a password to fill (password managers on mobile still suck). If you really want a password, allow them a short pin, and fall back to biometrics.

    1. 3

      I only use federated too. Login and signup with Google in 2 clicks... can’t beat it

      1. 2

        Definitely, although if you are planning on linking many IdPs together, I definitely have to recommend Authress :wink:

        1. 1

          In what way do you prefer Authress to Auth0?

          1. 1

            It really depends on your needs; they focus on different areas of auth and have different pricing models. For instance, if you need IAM and granular permissions access, then Authress. If you need to support enterprise connections to legacy clients, Auth0. If your users sign on once a week or once a month, Authress (because of usage-based billing). If the users are signed in 100% of the time, Auth0 (MAU-based billing). Similarly, do you have users in multiple regions which need to support region-based user identities => Authress. Or do you intend to create many identity servers with different issuers => Auth0.

            And just to note, Auth0 and Authress aren't the only players here; there's Cognito, Firebase, Keycloak, and others that are less well known. It really depends on which features are important for your app.

      2. 1

        What's better? FB, Google or both?

        1. 2

          You can pull in a product like Auth0 or, as the other poster mentioned, Authress, and then you don't need to make a decision like that. You support whichever ones your audience needs without having to do any extra work.

        2. 2

          I would look at your audience first - in my case I was doing an integration with google sheets so it made sense to have google auth because all of our users definitely had a google account, and I didn’t bother with Facebook. I don’t know which one is “better” if you mean for security, ease of setup, reliability, etc... luckily in my case it was irrelevant. I would just go with one auth provider until people ask for a second, but that’s just me being lazy and calling it “lean” lol

          1. 2

            Nah, that's a good strategy for avoiding technical debt.

            But - with a solution like Auth0 you can get the benefit of multiple providers without the additional technical debt, as the abstraction layer makes their differences meaningless.

            1. 1

              Good point. I’ve only used AWS amplify because I wanted the whole shebang: graphql database + auth + s3 storage

        3. 1

          I personally say both! Give users any option that makes their life easier.

    2. 1

      Interestingly, I bounce immediately if it's federated login only. I don't trust Google, or Apple, or whoever else with that information. I use 1Password, so it's basically zero friction for me to generate and save.

    3. 1

      Definitely working on adding these in asap. Lesson learned for the future, I really don't know why I tried anything else.

      Thanks for your detailed message.

    4. 1

      I'm enjoying magic link.

  2. 4

    Sometimes I hate people. Rating a new and innovative app 1 star because the login flow is not as they expected is just pure BS.
    This is the same as rating a game 1 star because you do not like the launcher.

    I feel sorry for you but please do not take this too seriously! Your idea is great, this is something that doesn't exist yet and I really love the idea. It is also great discovering new movies you can watch on one platform for all the platforms you signed up for!

    Rating one star because one of 100 features is not working correctly is the sad truth about our society. I know why people only wanna do B2B projects and not B2C.

    Keep it up!

    1. 3

      You raise a good point! But one thing is certain: those who rate your app (technically an MVP) 1-star are not your ideal early adopters. When I first published my Chrome extension, it was riddled with bugs, UX was laughable and sometimes it even got in a state where you needed to completely uninstall/reinstall it to get it working again. But I chose very carefully in which communities to share it. Several people tried it out, and when I asked them to give a review, a few of them pointed out that they'd rather not write a review now, but once I fixed some of the problems they mentioned. I did that, followed up with all of them, and got my decent reviews. :)

      1. 1

        This is great advice, Robert. I think a gradual launch strategy is totally the way to go for apps like this.

    2. 1

      Thank you, I appreciate it :)

      I definitely felt this frustration when someone replied to me "I love your app, but ____" 1 star

  3. 2

    You're fine mate, don't take hackernews traffic to be any form of validation.

    Keep your head up and keep smashing it! It's only been a month, a long road ahead!

  4. 2

    Yeah, I can totally relate! I used to do the same thing. I even reinvented the wheel and implemented my own OAuth2 server and flows. Nowadays, I rely on Firebase and support several social providers. And I don't even send confirmation mails when the user chooses to sign up via email/password. Oh, and I lol'd hard at "You can download and uninstall my app here." :D

    1. 1

      Definitely switching over to Firebase auth, didn't know about it beforehand.

      Thanks for laughing at my joke!

  5. 1

    Seems you're still anti password manager 😬 On Android, Autofill doesn't show automatically and when trying to use tap and hold to open it manually Android says it cannot be filled. Have a look at this. Just need to set a couple of attributes on the UI elements.

    https://developer.android.com/guide/topics/text/autofill-optimize

    Almost seems you don't want people to try the app 😬. Think of an 11 year old wanting to try it and what barriers there are to them. I'm excited to try it. We can never find anything to watch with our daughter.

    Maybe don't have authentication at all. I'm guessing there isn't any private info. You could maybe generate unique links for each user that they can text to each other. Like referral links.

    I hope that's helpful.

  6. 1

    Thanks for sharing. I hope you’ll recover from this. 🙏

    1. 2

      I will! I only launched a month ago :) thank you very much!

  7. 1

    Really useful insights here!! It's great you're sharing this information.
    Thank you!

    1. 1

      Thank you for reading; I'm glad you find it useful!
