I would like to request an independent DDB members/account system, that will let us sign-in with an email address and password, rather than having to use a third party login system - (Twitch, Google, Apple) - and so on. Having an independent username/password sign-in system, and not having to rely on third parties, would drastically increase the security of DDB accounts, while at the same time, allowing those of us who do not want to have our personal details shared with monolithic mega corporations, to have an account and enjoy the benefits of DDB. For example; if Amazon experienced a data breach, that exposed email and password information to bad actors, there would be potential for the related DDB accounts to be used by trolls and the likes, to pollute the DDB community with their toxic behaviours. Causing damage not only to individuals and their personal DDB accounts, but also to the wider DDB community.
In relying exclusively upon third parties for sign-in/sign-up systems, you are creating a single point of failure that could have significant detriments to the DDB service.
Even beyond the security and privacy issues of using third party authentication systems, there are people who do not have a Google, Twitch or Apple account. As a purely anecdotal example, most of my family and friends don't have an account with any of the previously mentioned trio; and so cannot enjoy DDB because to do so, they would have to create another account, with a company they do not want to be associated with, in order to do so. Furthermore, I have not been able to fully utilise DDB as a DM, because none of the players that I have had wanted to create an account with Google, Amazon, or Apple, in order to join DDB.
In relying exclusively upon third parties for sign-in/sign-up systems, you are forcing people to agree to the ToS, EULAs, Privacy and Security Policies, and practices (good or bad) of the companies providing such services to DDB; whether they want to, or not. Effectively leaving prospective members with only two choices. Agree to the aforementioned, or refrain from creating a DDB account. I realise that this is only anecdotal, but my direct experience of this kind of resistance, has come from perhaps 50 people. If you expand that out, the numbers of potential customers who are turned away from DDB because they are forced to have a Google, Amazon/Twitch or Apple account to use the DDB services, quickly adds up.
Having an independent DDB sign-in/sign-on system, that allows prospective members to create an account using an email and password combination; and which does not rely exclusively upon third party authentication systems, would open the door for many more people to sign-up and for everyone to enjoy DDB with better safety and increased confidence in their account's security.
In short; it would be a win, in my opinion, for both DDB as a service and a company, and the current and prospective user base.
Regards,
Jay (Foxes)
A caffeinated nerd who has played TTRPGs for a number of years and is very much a fantasy adventure geek.
Using their own account system would actually decrease security. DDB doesn't want to be in the security business. By implementing their own name/password login they would then have a very high value database that they would need to protect, probably requiring a specialist or two to be hired.
By using someone else as the login provider that is one less thing that DDB needs to worry about and pay for.
DDB does offer Discord as a 4th login provider now which should expand the pool quite a bit for what people already have accounts for.
I want to address a few things you mention that aren't actually true:
> Having an independent username/password sign-in system, and not having to rely on third parties, would drastically increase the security of DDB accounts
Having the DDB team develop their own authentication would be less secure, not more. Bigger companies such as Google/Amazon/Apple can dedicate much more time and resources to their authentication frameworks than DDB ever could. In fact, I wouldn't be surprised if their account authentication services division is bigger than Curse or even Fandom. They can offer more advanced authentication services than D&D Beyond ever could hope to, providing much more security.
> while at the same time, allowing those of us who do not want to have our personal details shared with monolithic mega corporations, to have an account and enjoy the benefits of DDB

Remember that you can always make a new account with one of these services and provide little to no actual personal information. I have multiple Google accounts for various roles (personal, professional, DM'ing) and the amount of information affiliated with them varies from pretty much all to basically none. This is always an option to the user.

> For example; if Amazon experienced a data breach, that exposed email and password information to bad actors, there would be potential for the related DDB accounts to be used by trolls and the likes, to pollute the DDB community with their toxic behaviours. Causing damage not only to individuals and their personal DDB accounts, but also to the wider DDB community.
Firstly, and sadly, it would not take an Amazon data breach for bad actors and trolls to pollute any community, that is simply something that happens.
Secondly, if Amazon did have a data breach that'd be huge news and they'd fix it incredibly quickly. Data breaches are infinitely more common with small companies' auth services (small companies like DDB) than they are for megacorps like Amazon and Google.

> In relying exclusively upon third parties for sign-in/sign-up systems, you are creating a single point of failure that could have significant detriments to the DDB service.

It's actually the other way around; an internal auth service would be a single point of failure. Using external auth services, especially those that ask/require two-factor authentication, is multi-layer security. This way means if your Amazon/Google/Apple account is compromised (username, password and 2FA device), you can protect your DDB account by unlinking it from the compromised service. This is quicker, easier, and safer than an email/password change on a compromised account.

> Even beyond the security and privacy issues of using third party authentication systems, there are people who do not have a Google, Twitch or Apple account. As a purely anecdotal example, most of my family and friends don't have an account with any of the previously mentioned trio; and so cannot enjoy DDB because to do so, they would have to create another account, with a company they do not want to be associated with, in order to do so. Furthermore, I have not been able to fully utilise DDB as a DM, because none of the players that I have had wanted to create an account with Google, Amazon, or Apple, in order to join DDB.
As mentioned above, it's possible to use these services for authentication purposes only and minimise your data exposure. If someone refuses to use one of those services, that's not a great justification for introducing a less secure authentication method.
> In relying exclusively upon third parties for sign-in/sign-up systems, you are forcing people to agree to the ToS, EULAs, Privacy and Security Policies, and practices (good or bad) of the companies providing such services to DDB; whether they want to, or not. Effectively leaving prospective members with only two choices. Agree to the aforementioned, or refrain from creating a DDB account.

I mean, this is also true of D&D Beyond itself; the site has terms of service that you must agree to before you can use the site, regardless of who you're authenticating your account with. And if you're making an account with Google with little to no personal information solely for the purpose of accessing D&D Beyond, those terms of service become largely moot. They can't use your data if you don't provide any. They can't rescind your Kindle purchases if you don't make any.

> Having an independent DDB sign-in/sign-on system, that allows prospective members to create an account using an email and password combination; and which does not rely exclusively upon third party authentication systems, would open the door for many more people to sign-up and for everyone to enjoy DDB with better safety and increased confidence in their account's security.
> In short; it would be a win, in my opinion, for both DDB as a service and a company, and the current and prospective user base.
Ultimately D&D Beyond would have to balance the user experience in this specific case versus the security they can provide and also the development time and costs. A dedicated, internal authentication system would require an ongoing team to maintain, detract resources from other areas and also, potentially, open D&D Beyond up to liability if said service failed. I'm pretty confident individuals with more knowledge on this particular matter have evaluated the risk/reward and found that benefits of using third party authentication services outweigh the detriments.
That being said, D&D Beyond is always looking to add more means to access and enjoy the site, having recently added Apple authentication with potentially more authentication services down the line.