April 17th, 2019
You can now link and sign in with a Google account on D&D Beyond.
For existing D&D Beyond users, ensure you are signed in with your Twitch username (as usual), navigate to the Account page (dndbeyond.com/account), and click the Google button to choose one of your accounts to link.
All newly-created accounts going forward will be through Google as well. If you create a new account with Google and wish to link a Twitch account, you can also do that through the Account page. This would be important if you want to use the D&D Beyond Twitch Extension.
I also put together a short video to walk through the process that you can see here.
Please Note
At this time, signing in to beta test the DDB mobile app requires a linked Twitch account. This will change over the course of the next week to mirror the website, but if you create an entirely new account through Google, you will need to link a Twitch account to access the mobile app in the meantime.
https://gadgets.ndtv.com/internet/news/w3c-webauthn-specification-web-standard-declared-2002907
https://www.techspot.com/news/79025-w3c-declares-webauthn-official-security-specification.html
So few comments, yet I'm glad for this. I disliked the Twitch login.
Nice work DDB, great addition :)
Keep up the great work.
Is there a benefit for people who normally log in with Twitch to also connect their Google account?
Is there a benefit of forcing players to use a third party login instead of giving them the choice to create a "local" dndbeyond account?
The benefit of 3rd party login is supposedly one of safety. By using a 3rd party, the 1st party is no longer storing a password on their site; they store a token. That token only works on the one site. So the scenarios are:
So for people that don't want to come up with passwords for every site they visit, it is a reasonable option. For the 1st party, it's one less thing they need to worry about. Personally, I would rather have a unique password for every site as I just store it all in a password manager. But for the less technically inclined, it works.
Your response is more or less on point.
I would also add that we will never be able to invest in security to the degree that trusted third-party authentication providers (like Google) do. It is more secure for DDB users to log in using the third-party provider due to this, and we prefer to err on the side of safety.
Thanks!
What about the WebAuthn standard that I keep asking about in multiple mediums but never get an answer on?
Probably too much of a hassle right now for a feature that <1% of users would use.
I can understand it from a dev perspective. In a perfect world having one or a few trusted entities that enable token login is a superior authentication method for this kind of website when it comes to a balance of convenience and security. That being said, I got quite a bunch of security minded nerds in my dnd circle and they scoff at dndbeyond because of the forced Google/Twitch login. If a healthy internet is somewhat important for you, then this is a really exemplary hill to die on.
Last but not least, I much prefer Google authentication over the forced Twitch account we had until now, so thanks for this addition & keep up the great work! The proof will be in the pudding and so far the great things always outweighed the bad things.
I want to echo what everyone said about password management being hard. Passwords need to be hashed so if a security breach happens an attacker can't easily work out everyone's passwords. Hardware gets better every year, so you also need to adjust the strength of your password hashing over time to compensate, which means you need to have a strategy for transitioning the older passwords that were hashed at a lower strength. Ideally any service provider will offer two-factor authentication, but that also requires effort on the developer side. Database backups will have passwords in them too, which adds to the risk.
Most people will happily give the same password to hundreds of websites, and it only takes one security breach on any of them for their online life to be taken over. It makes a lot of sense to offload the problem of authenticating you to a trusted third party that offers two-factor authentication so even if someone finds out your password, they still can't take over your account. And when you do have to give out a password, use a password manager to generate a unique password for each site.
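The transition strategy mentioned in the comment above (moving passwords hashed at a lower strength to the current one), as an added example that is not part of the thread and not D&D Beyond's code. It assumes PBKDF2-HMAC-SHA256 from Python's standard library, a constructed record format, and an assumed iteration count.

```python
import hashlib
import hmac
import os

# Assumed current work factor; raise it as hardware improves.
CURRENT_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a record 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_and_upgrade(password: str, stored: str):
    """Check a login attempt against a stored record.

    Returns (ok, new_record). new_record is a re-hashed record when the
    stored one used a weaker work factor, otherwise None.
    """
    try:
        scheme, iter_s, salt_hex, digest_hex = stored.split("$")
        iterations = int(iter_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False, None  # malformed record: fail closed
    if scheme != "pbkdf2_sha256" or iterations < 1:
        return False, None
    # Recompute with the parameters the record was created with.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    if not hmac.compare_digest(candidate, expected):
        return False, None
    # The plaintext is only available at login, so this is the one moment
    # an old record can be re-hashed at the current strength.
    if iterations < CURRENT_ITERATIONS:
        return True, hash_password(password)
    return True, None


if __name__ == "__main__":
    old = hash_password("constructed-sample-password", iterations=1_000)
    ok, upgraded = verify_and_upgrade("constructed-sample-password", old)
    print(ok, upgraded.split("$")[1])
```

Records for accounts that never log in again stay at the old strength, and so do copies in older database backups, which is the residual risk the comment points at.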
I mean it's only just been declared a standard, so adoption is in its early days and likely going to be slow.
And I'm sure it's nothing personal that they don't answer your very specific question; a lot of questions get directed at them on a daily basis.