This recently happened to me on Booking.com and... I ended up not using Booking.com to book a hotel. So long, genius status, or whatever.
It absolutely drives me nuts that the western world is moving to "as seen in China" login-via-callback flow. Aside from the privacy issue of forcing people to attach an email or phone number or third-party auth provider to their every account, it's just a waste of time and energy to delete our passwords and force us through this weird multi-app flow just to log in to a service we spent years logging into without ever getting hacked. Imagine if every time you wanted to get into your house you had to press the doorbell and then wait for someone to call you back to decide whether you should be allowed in. It's absurd.
> "as seen in China" login-via-callback flow
What, exactly, does this mean?
But passkeys are the new hotness, not SSO, and what you’re describing is SSO. Passkeys aren’t tied to an outside account, just a password manager (which can be your browser - no account required).
Your parent comment may refer to requesting and waiting for a login link in, say, an email to authenticate - not SSO.
Oh, that makes sense.
When I lived in China a common way of "logging in" was to enter an OTP sent to your phone via SMS. By the time I left a few years back it seemed increasingly that signup and login flows were on the way out in favor of simply using your phone number anywhere and everywhere as a personal identifier and OTP or in-app notifications for authentication.
Added benefit of inheriting someone's account if they miss the phone number rent and you get the recycled number.
Thanks, I misread your first comment. That makes sense. Yeah, not a great system, especially because it turns phone numbers into semi-sensitive personal information that you also give out to every single person you ever meet.
This is especially true if you simply increase the minimum password length to a certain amount. The major browsers include password managers for specifically this purpose which can generate passwords; why don't we move towards educating users how to use these tools instead of centralizing all the failure points of the web?
And yes, I understand the major conflict of interest in saving important passwords to Google, which I personally don't do and wouldn't recommend, but I think if they're interested in staying out of the Googleverse, we can also tell people about the good paid alternatives out there.
Paid vs Google seems a bit of a false dichotomy. Bitwarden and countless other such programs are completely free for normal usage. The freemium stuff comes in for business and uses far beyond just a password manager.
> why don't we move towards educating users how to use these tools instead of centralizing all the failure points of the web
Because there are vested interests in doing the latter. That said, I don't trust password managers either.
> Imagine if every time you wanted to get into your house you had to press the doorbell and then wait for someone to call you back to decide whether you should be allowed in.
This is exactly what I do to visitors to my house.
What? You can auth to booking.com with a password just fine (I just did it this morning).
Many sites have "magic links" (they send you a link to log in via email instead of having to type in a password), but there's almost always a way to say you want to log in with your password. Sometimes, especially for touchier things, there's MFA.
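For readers who have not seen how a magic link is built, here is an added example of the server side of such a flow. It is illustrative code written for this thread, not Booking.com's implementation or anyone else's posted code; the ten-minute lifetime, the selector/verifier split and the `example.invalid` URL are all assumptions. The points a practitioner cares about are that the secret half of the link is never stored (only its hash), that comparison is constant-time, that every failure gives the same answer, and that a link works exactly once and only inside its window.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 10 * 60  # assumed: a link is valid for ten minutes


@dataclass
class PendingLogin:
    account: str
    token_hash: bytes   # hash of the verifier only; a DB read cannot replay a live link
    expires_at: float
    used: bool = False


class MagicLinkService:
    """Issue and redeem single-use, time-limited login links (illustrative design).

    The raw verifier goes to the user by e-mail; the server keeps only its
    SHA-256 hash, keyed by a separate random selector that is safe to store.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._pending: Dict[str, PendingLogin] = {}
        self.sent: List[Tuple[str, str]] = []  # (account, url); stands in for the mailer

    def request_link(self, account: str, base_url: str = "https://example.invalid/login") -> str:
        selector = secrets.token_urlsafe(16)   # lookup key, may live in the database
        verifier = secrets.token_urlsafe(32)   # secret half, only ever in the e-mail
        self._pending[selector] = PendingLogin(
            account=account,
            token_hash=hashlib.sha256(verifier.encode()).digest(),
            expires_at=self._now() + TOKEN_TTL_SECONDS,
        )
        url = f"{base_url}?s={selector}&v={verifier}"
        self.sent.append((account, url))
        return url

    def redeem(self, selector: str, verifier: str) -> Optional[str]:
        """Return the account on success, None on every kind of failure."""
        entry = self._pending.get(selector)
        if entry is None:
            return None
        if entry.used or self._now() > entry.expires_at:
            return None
        candidate = hashlib.sha256(verifier.encode()).digest()
        if not hmac.compare_digest(candidate, entry.token_hash):
            return None
        entry.used = True  # single use: a forwarded or re-clicked link fails from now on
        return entry.account


def parse_link(url: str) -> Tuple[str, str]:
    """Split a link produced by request_link back into (selector, verifier)."""
    query = parse_qs(urlparse(url).query)
    return query["s"][0], query["v"][0]


def demo() -> Dict[str, Optional[str]]:
    """Walk one link through first use, replay, bad verifier and expiry.

    Uses a fake clock so the expiry branch can be exercised without waiting.
    """
    clock = [1_000_000.0]
    svc = MagicLinkService(now=lambda: clock[0])

    sel, ver = parse_link(svc.request_link("alice@example.invalid"))
    first = svc.redeem(sel, ver)            # accepted once
    replay = svc.redeem(sel, ver)           # None: already used

    sel2, ver2 = parse_link(svc.request_link("bob@example.invalid"))
    wrong = svc.redeem(sel2, "not-the-verifier")   # None: hash mismatch
    clock[0] += TOKEN_TTL_SECONDS + 1
    expired = svc.redeem(sel2, ver2)        # None: past its window
    unknown = svc.redeem("no-such-selector", ver2)  # None: nothing pending

    return {"first": first, "replay": replay, "wrong": wrong,
            "expired": expired, "unknown": unknown}


if __name__ == "__main__":
    print(demo())
```

Rate limiting of `request_link` per account and per source address is deliberately left out to keep the block short; in production it is what keeps the "send me a link" endpoint from becoming a free mail cannon.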
> Aside from the privacy issue of forcing people to attach an email or phone number or third-party auth provider to their every account
How do you log in without an email, phone number or delegating to a third party? You perform a secret magic dance? Especially for something such as booking.com which more likely than not has your bank details saved, and can wreak havoc (cancel your bookings), I'm really not sure what you want them to do.
I was surprised when it happened to me too, but it seems to be an anti-feature that has been rolling out for some time now[0]. The ability to use a password has vanished completely.
The thing that makes it particularly egregious is that Booking.com is literally designed to be used on the road, from any location anywhere, on any weird device you might have access to at the time. There's no guarantee that whatever janky airport wifi allows IMAP, or that your phone can receive SMS in whatever country you're in. Forcing 2FA - or now apparently just the "1FA" of magic link/OTP - has made the service useless for its primary purpose.
[0] https://old.reddit.com/r/Bookingcom/comments/1hl055b/cannot_...
> whatever janky airport wifi allows IMAP
Bold of you to even assume the current generation of 'decision makers' knows what IMAP is.
All bets are on Passkeys, but I'm sure a lot of people can't deal with them due to lack of sync across devices.
Passkeys are a great Trojan horse for password managers vs OAuth, magic links, "password123" strings