https://gadgets.ndtv.com/internet/news/w3c-webauthn-specification-web-standard-declared-2002907

https://www.techspot.com/news/79025-w3c-declares-webauthn-official-security-specification.html

So little comments, yet i'm glad for this. I disliked the twitch login.

Nice work DDB, great addition :)

Keep up the great work.

Is there a benefit for people that normally logging in with Twitch to also connecting to their Google account?

Is there a benefit of forcing players to use a third party login instead of giving them the choice to create a "local" dndbeyond account?

Quote from S4m3 >>

Is there a benefit of forcing players to use a third party login instead of giving them the choice to create a "local" dndbeyond account?

 The benefit of 3rd party login is supposedly one of safety. By using a 3rd party, the 1st party is no longer storing a password on their site; they store a token. That token only works on the one site. So the scenarios are:

• Someone hacks into the website and gets your password (which may or may not be encrypted). A password that may also be used on countless other sites compromising you all over the net.
• Someone hacks into the website and gets your token. That token is just a non-reversible blob of characters that only grants access on the 1st party site.

So for people that don't want to come up with passwords for every site they visit, it is a reasonable option. For the 1st party, it's one less thing they need to worry about. Personally, I would rather have a unique password for every site as I just store it all in a password manager. But for the less technically inclined, it works.

Quote from BadEye >>

Quote from Cyberfunkr >>

Quote from S4m3 >>

Is there a benefit of forcing players to use a third party login instead of giving them the choice to create a "local" dndbeyond account?

 The benefit of 3rd party login is supposedly one of safety. By using a 3rd party, the 1st party is no longer storing a password on their site; they store a token. That token only works on the one site. So the scenarios are:

• Someone hacks into the website and gets your password (which may or may not be encrypted). A password that may also be used on countless other sites compromising you all over the net.
• Someone hacks into the website and gets your token. That token is just a non-reversible blob of characters that only grants access on the 1st party site.

So for people that don't want to come up with passwords for every site they visit, it is a reasonable option. For the 1st party, it's one less thing they need to worry about. Personally, I would rather have a unique password for every site as I just store it all in a password manager. But for the less technically inclined, it works.

Your response is more or less on point.

I would also add that we will never be able to invest in security to the degree that trusted third-party authentication providers (like Google) do. It is more secure for DDB users to log in using the third-party provider due to this, and we prefer to err on the side of safety.

Thanks!

What about the WebAuthn standard that I keep asking about in multiple mediums but never get an answer on?

Probably too much of a hassle right now for a feature that <1% of users would use.

I can understand it from a dev perspective. In a perfect world having one or a few trusted entities that enables token login is a superior authentification method for this kind of website when it comes to a balance of convenience and security. That being said, I got quite a bunch of security minded nerds in my dnd circle and they scoff at dndbeyond because of the forced Google/Twitch login. If a healthy internet is somewhat important for you than this is a really exemplary hill to die on.

Last but not least, I much prefer Google authentification over the forced Twitch accoun we had until now, so thanks for this addition & keep up the great work! The proof will be in the pudding and so far the great things always outweighted the bad things.

I want to echo what everyone said about password management being hard. Passwords need to be hashed so if a security breach happens an attacker can't easily work out everyone's passwords. Hardware gets better every year, so you also need to adjust the strength of your password hashing over time to compensate, which means you need to have a strategy for transitioning the older passwords that were hashed at a lower strength. Ideally any service provider will offer two-factor authentication, but that also requires effort on the developer side. Database backups will have passwords in them too, which adds to the risk.

Most people will happily give the same password to hundreds of websites, and it only takes one security breach on any of them for their online life to be taken over. It makes a lot of sense to offload the problem of authenticating you to a trusted third party that offers two-factor authentication so even if someone finds out your password, they still can't take over your account. And when you do have to give out a password, use a password manager to generate a unique password for each site.