Just like apps and websites implement “Sign in with Apple” and Google, couldn’t we build some kind of federated authentication provider? Then everyone creates an account there and fedi apps can implement an easy way to authenticate users. Even non-fedi apps could use it. I imagine user interaction between different fediverse platforms would be much easier too.
I guess one could run an auth instance. Ideally everyone would run their own, keeping your data safe.
Is there something like this already? Saw some discussion here but not much else: https://socialhub.activitypub.rocks/t/single-sign-on-for-fediverse/712
@tomatol If Nomadic identities get implemented then yes. I’ve heard there were some people working towards it but haven’t heard much since.
Still, not sure I’d be too comfortable using a Fediverse server (especially one not hosted by me) for my identity. I’ve already lost an account to a SQL database dying, and some swaths of the fediverse are rather quick to ban or defederate.
Nostr and AT do it pretty well, though, using a key pair you control to sign into other services using your account. If something were attempted on the Fediverse this would probably be the best way to go about it.
Since I’ve moved to a password manager I find these social logins less useful. Personal opinion.
Also, doesn’t this go against the decentralization principles of the fediverse?
I imagine the auth provider could be decentralised too
I have a hard time wrapping my head around this one. If you “federate” authentication, wouldn’t that just open it up to bad actors?
Well right now Pixelfed has a sign in with mastodon button for example. Admittedly, I don’t know the details but I don’t think anything is stopping me from running my own mastodon instance just to sign up for Pixelfed.
I agree it might be a nightmare to manage tho if everyone has their own instance but that would probably not be the case.
I agree but I also thought this could solve things like mentioning a user across platforms for example.
That is basically OpenID which has been around for a long time. In principle there is nothing stopping fediverse instances from being OpenID providers or allowing login with an OpenID, not sure anyone has done this yet though.
Here’s the answer.
Yes and no.
Decentralized IDs exist, but will almost never be accepted by any large reputable institution.
Why trust every indie site to be 100% truthful, and definitely not full of malicious haXXors?
Just like the fediverse works, you can federate with the auth providers you want and ban malicious ones.
Lots of lemmy instances chose not to federate with others. I imagine it could work the same way.
Before an instance does something malicious, how do you know it will be malicious?
Even if everyone running it and participating is pure of heart, how can you be assured that haXXors won’t simply break in to take advantage of that trust you’ve given them?
Banning bad instances is a reactive stance that only applies after damage has been done. Can you convince the corporate overlords to take that risk? And it only increases as the fediverse gets more popular, and more instances get trusted.
No please. Use a password manager with randomly generated usernames when possible.
Nah mate, I don’t think I want to trust some rando identity server with my login, and self hosting just makes them easy targets.
That most likely won’t happen in the Fediverse, unless every developer agrees on some common protocol. But it is possible. See the Nostr protocol and DIDs.
Looks pretty cool!
Please correct me if I’m wrong on this. Lots of people here are saying that it’s not practical because we would have to trust tiny instances that may be malicious. However, what if we make a user’s identity provable to anyone, simply by the use of logic? Suppose we have a way of generating random proof-theorem pairs (for example, the theorems could be something like “the largest proper factor of n is greater than some m, where m and n are some huuuuuge numbers and n is semiprime”; the proofs could be constructive). We let the identity be the theorem and the password be the proof. Hence, anyone is able to verify the identity by the use of a theorem prover like Agda.
Congrats you just invented passkeys
Why can’t we use passkeys instead of passwords, though? Is it just a matter of convenience? If so, maybe there is a way to determine a passkey from a password?
We can, passkeys are being adopted all over the web. If you specifically mean for Lemmy or fediverse services, it’s probably just a matter of adding support. It isn’t hard, per se, but it is important to get it right.
You can store passkeys in a password manager like BitWarden and they become portable. Then it doesn’t matter if you have a centralized authentication server. You just get logged in with your passkey, supplied by your password manager.
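The “key pair you control” login described in the Nostr/AT comment above and the passkey comments here come down to the same challenge-response exchange: the service keeps only a public key, hands out a fresh random challenge, and the user signs it with a private key that never leaves their password manager or token. The following is an added example written for this thread; it is not code from any comment, nor from Nostr, the AT Protocol or any passkey implementation. It uses Ed25519 from Go’s standard library as a stand-in for the real schemes (Nostr signs with secp256k1 Schnorr keys, and WebAuthn additionally has the browser bind the origin and offers attestation). The origins `https://pixels.example` and `https://evil.example`, the user `alice`, the `fedi-login-v1` label and the two-minute expiry are all made-up assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Server is a relying party that knows a user only by a registered public key.
type Server struct {
	origin  string                       // hypothetical service URL; signatures are bound to it
	users   map[string]ed25519.PublicKey // user id -> registered public key
	pending map[string]time.Time         // outstanding challenge -> expiry
	now     func() time.Time             // injectable clock so expiry can be exercised
}

func NewServer(origin string, now func() time.Time) *Server {
	return &Server{origin: origin, users: map[string]ed25519.PublicKey{},
		pending: map[string]time.Time{}, now: now}
}

// Register stores the public key a user presents at sign-up; no password exists.
func (s *Server) Register(userID string, pub ed25519.PublicKey) { s.users[userID] = pub }

// Challenge hands out a fresh 256-bit random nonce valid for two minutes.
func (s *Server) Challenge() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	c := fmt.Sprintf("%x", buf)
	s.pending[c] = s.now().Add(2 * time.Minute)
	return c, nil
}

// signingInput binds the signature to this origin, so a signature phished out of the user by another site is useless here.
func signingInput(origin, challenge string) []byte {
	return []byte("fedi-login-v1\n" + origin + "\n" + challenge)
}

// Login verifies a signed challenge; the challenge is consumed on first use, success or failure, so it cannot be replayed.
func (s *Server) Login(userID, challenge string, sig []byte) error {
	exp, ok := s.pending[challenge]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	delete(s.pending, challenge)
	if s.now().After(exp) {
		return errors.New("challenge expired")
	}
	pub, ok := s.users[userID]
	if !ok {
		return errors.New("unknown user")
	}
	if !ed25519.Verify(pub, signingInput(s.origin, challenge), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Sign is the client side: the private key stays with the user and answers a challenge for the origin the user thinks it is on.
func Sign(priv ed25519.PrivateKey, origin, challenge string) []byte {
	return ed25519.Sign(priv, signingInput(origin, challenge))
}

// Demo runs the honest flow plus three attacks (replay, cross-origin relay, expiry); nil means the first passed and the rest were rejected.
func Demo() error {
	clock := time.Unix(1700000000, 0)
	srv := NewServer("https://pixels.example", func() time.Time { return clock })
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	srv.Register("alice", pub)
	ch, err := srv.Challenge()
	if err != nil {
		return err
	}
	if err := srv.Login("alice", ch, Sign(priv, "https://pixels.example", ch)); err != nil {
		return fmt.Errorf("honest login rejected: %w", err)
	}
	if srv.Login("alice", ch, Sign(priv, "https://pixels.example", ch)) == nil {
		return errors.New("replayed challenge accepted")
	}
	ch2, _ := srv.Challenge() // phishing site relays the real challenge; user signs for its origin
	if srv.Login("alice", ch2, Sign(priv, "https://evil.example", ch2)) == nil {
		return errors.New("cross-origin signature accepted")
	}
	ch3, _ := srv.Challenge()
	clock = clock.Add(3 * time.Minute) // past the two-minute window
	if srv.Login("alice", ch3, Sign(priv, "https://pixels.example", ch3)) == nil {
		return errors.New("expired challenge accepted")
	}
	return nil
}

func main() { fmt.Println("demo error (nil means every check passed):", Demo()) }
```

The three rejections in `Demo` are the checks a fediverse service would need before trusting a signed login: challenges are single-use, the signed message includes the origin so a malicious instance cannot relay a challenge it received from the real site, and stale challenges expire. Note what the server holds after registration: a public key and nothing secret, so a server compromise or a dead database costs the user the account mapping, not the credential itself.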
As others have mentioned in the comments, this might not really work because websites/services would have to trust a bunch of tiny, maybe even single-user instances.
I can see a world where sign-in with Fediverse is possible, but only for a select few instances such as .world, .ml, .ee, and a few other highly-moderated servers.
I think you’re right. This might be the biggest problem but it doesn’t seem impossible to solve.
I believe it’s actually possible to sign in with mastodon on Pixelfed. Wouldn’t that work for a single user mastodon instance too?
You’re right. I’m not sure if it works with single-user instances, but I believe it does. This is the sort of thing that is technically possible — I believe ActivityPods aims to do something about it, too — but I don’t know… I guess federation can be a bit of a safeguard for this, like having a list of flagged instances that don’t allow account creation; requiring certain thresholds of account age or activity to be passed; stuff like that. There’s also the fact that, being social media, no instance wants bots to run wild, so that could, itself, be a check on that sort of thing, and it might not be economically viable to just host an instance strictly for bot-login purposes, so that is just an inherent barrier to wrongdoing.
Meh, maybe it’s more feasible than not.
That looks interesting too, thanks!
I’d rather just sign in with my GPG key.