Logon - Question & Enhancement Suggestion

Frank Allen

02 May, 2018 06:41 PM

I looked at doing a sign-in but couldn't find any good documentation. The
main screen shows login via Google, Facebook, Yahoo, or Microsoft. I
started one of these and read the detailed terms of service, which said they
couldn't guarantee that the third party (CalTopo) wouldn't misuse the data
shared via the joint login. Given all the issues in social media today, I'm
uncomfortable with that. I suspect others have the same perspective. Many
advocates of online security warn against sharing logons. (Yes, I understand
if each company behaves, there's no problem; but we've seen too many cases of
inadvertent issues and leaks creeping in.)

Question - can you confirm there is no option for an independent CalTopo
logon?

Enhancement Suggestion - this may be a low priority for your user base, but
you might add an independent logon to your list of ideas. There may be
many potential new users who are abandoning pursuing CalTopo once they see
they have to link to another account where they have sensitive data stored.

- Frank

  1. Posted by matt (Support Staff) on 03 May, 2018 06:04 PM

    There is no direct username / password option; I may add it at some point, but properly handling password recovery, failed attempt timeouts and other issues is hard, if you want to do it well.

    I understand the concern, but:

    • OpenID Connect (the process used to sign in to CalTopo) is different than sharing a login. I redirect you to Google (or whoever), they validate who you are, and then pass you back to me with information affirming your identity. I never see / touch your password, since you enter it directly on a Google page, and not on my site. This is actually considered the most secure way of handling logins, since Google is going to be far better at securing your password than I am, and it reduces the temptation to reuse passwords between sites, which allows someone to steal your password from a poorly-secured site and then use it to log in to a better-secured one.

    • The major login providers could certainly improve the way this is communicated, but when you click the "sign in through XX" button, they show you a list of permissions the site is asking for. It's possible to write an app that accesses a user's full Facebook profile or Gmail contacts, but those sites ask you first (something like "caltopo wants to: see your address book"). All I ask for is your email address, so that I know who the account belongs to; using the "sign in through XX" button does not give me access to any other account information.
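
The two halves of the flow matt describes (redirect to the provider asking only for `openid email`, then accept the identity the provider passes back) look roughly like this on the site's side. This is an added illustration, not CalTopo's code; the issuer, client id and redirect URI are made-up placeholders, and the ID token's signature is assumed to have been verified against the provider's published keys before the claims are checked here.

```python
import secrets
import time
from urllib.parse import urlencode

# Constructed placeholder settings for a hypothetical relying party.
ISSUER = "https://accounts.example.com"
CLIENT_ID = "example-site-client-id"
REDIRECT_URI = "https://site.example.org/oidc/callback"


def new_session_values():
    """Per-login random values stored in the user's session before redirecting."""
    return secrets.token_urlsafe(16), secrets.token_urlsafe(16)  # (state, nonce)


def build_auth_request(state, nonce):
    """Step 1: send the browser to the provider. Only 'openid email' is asked
    for, so the consent screen offers nothing beyond the address."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,  # tied to the browser session; stops login CSRF
        "nonce": nonce,  # echoed back inside the ID token; stops replay
    }
    return f"{ISSUER}/authorize?{urlencode(params)}"


def validate_id_token_claims(claims, expected_nonce, now=None):
    """Step 2: the provider has verified the password; the site never saw it.
    Before trusting the returned identity, check that the token is ours,
    fresh and matches the nonce we issued. Returns the verified email."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token was not issued to this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if not claims.get("sub"):
        raise ValueError("no subject identifier")
    if not claims.get("email") or not claims.get("email_verified", False):
        raise ValueError("no verified email in token")
    return claims["email"]
```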

  2. Posted by Frank Allen on 03 May, 2018 06:48 PM

    Thanks for the prompt response – that’s helpful.

  3. matt closed this discussion on 04 May, 2018 09:35 PM.
