OAuth/single sign on support

-
Brad Olson commented
Kirill, regarding oauth2 warnings from [Eran Hammer](http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/), I had a chance to sit down with Eran in 2014 and pick his brain a little further. My biggest takeaway from that is him saying something like, "The thing with security software is smart doesn't cut it. You have to have experience." When writing security libraries for hapi, he had the budget to consult security experts. They caught a lot of little holes. Don't try to cobble together your own stuff unless you have solid experience--yours or someone else's--at your disposal.
It sounds like oauth2 was ruined by committee, but it still sees a ton of use by big companies. I found [this StackExchange comment](https://security.stackexchange.com/questions/133065/why-is-it-a-bad-idea-to-use-plain-oauth2-for-authentication/133073#133073) helpful in understanding the misuse of oauth2.
I would love to see some sort of SSO for checkvist, but only if it's secure. See my 2FA request.
-
Mantas Zimnickas commented
With OAuth you have to support each authentication provider separately; with OpenID, one implementation supports all providers at once.
Personally, I use OpenID, and love sites that support it. Google/Facebook OAuth is important, but OpenID would not hurt either. I never use Facebook OAuth, because most sites abuse it for social marketing.
Here are some examples that support both:
https://stackoverflow.com/users/login
https://bitbucket.org/account/signin/
-
Rasheed H. Ali commented
I am really in support of this. I use Gmail and would love to use that login.
-
Vladimir, thanks a lot for your thoughts - very refreshing.
Would be glad to hear your comments regarding the recent article from the OAuth author, where he criticizes the current OAuth2 specification:
http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
Kind regards,
KIR
-
vladimir.dyuzhev commented
As someone who has investigated/implemented community logins for a client, I have to say the following:
1. Community logins are in fact VERY useful to increase the sign-up rate: 3x for my client compared to email/password.
2. OpenID lost its traction due to (in my opinion) incomplete functionality in the area of getting user information (for instance, there are at least two extensions to get full name and email, and neither works reliably). Microsoft, for instance, dropped their OpenID service.
3. The winner is apparently OAuth. While in its default implementation it cannot provide user information, every provider offers a protected resource (URL) that gives the information to the caller. The downside is that every provider has a different URL and a different format of user data at that URL, but it compensates by the sheer number of providers: Google, Live!, Yahoo!, Facebook, LinkedIn, ... the first few probably cover some 99% of Internet users.
4. There is a concern that users would get confused about which identity they had used with the service before. Practice shows that it is not the case: regular users have one primary account (e.g. Google or Facebook) and use it everywhere. Tech-savvy users who have multiple accounts do remember which one they use where (or re-login).
5. Another concern is the external provider's availability. Well, the availability of Google or Facebook is at 5 9's, I believe. It would be hard to expect any influence on the availability of Checkvist.
6. Re: external services such as RPXNow. Not worth it anymore. OAuth libraries are plenty and mature. RPXNow provides some other services, such as "social analytics", but they may be of lesser value for Checkvist.
-
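As an added example (not code from Checkvist or from any of the commenters), here is how a relying party might handle the two things raised in this thread: Vladimir's point 3, that each provider exposes its user-info resource at a different URL and in a different JSON layout, and the misuse the linked StackExchange answer warns about, namely treating any access token as proof of who the user is. The provider URLs and field names in `PROVIDERS` are assumptions modelled on typical responses, and the `fake_*` back end with its JSON responses is constructed so the block runs offline. The hardening points shown are: a random `state` checked in constant time on the callback, the authorization code redeemed server side rather than accepting a token from the browser, and local accounts keyed on (provider, stable subject id), with email used for linking only when the provider marks it verified.

```python
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Per-provider layout of the protected user-info resource. URLs and field
# names are illustrative assumptions modelled on typical responses; confirm
# them against each provider's documentation before relying on them.
PROVIDERS = {
    "google": {"userinfo_url": "https://openidconnect.googleapis.com/v1/userinfo",
               "id": "sub", "email": "email", "email_verified": "email_verified", "name": "name"},
    "facebook": {"userinfo_url": "https://graph.facebook.com/me?fields=id,name,email",
                 "id": "id", "email": "email", "email_verified": None, "name": "name"},
}


@dataclass(frozen=True)
class Identity:
    provider: str
    subject: str            # provider's stable user id: the only safe login key
    email: Optional[str]
    email_verified: bool
    name: Optional[str]


def normalize_userinfo(provider: str, body: str) -> Identity:
    """Map one provider's JSON layout onto a common Identity."""
    layout = PROVIDERS[provider]
    data = json.loads(body)
    subject = data.get(layout["id"])
    if not subject:
        raise ValueError(f"{provider}: user-info response has no stable id")
    # Treat the email as unverified unless the provider explicitly says otherwise.
    verified = bool(data.get(layout["email_verified"])) if layout["email_verified"] else False
    return Identity(provider, str(subject), data.get(layout["email"]), verified,
                    data.get(layout["name"]))


class RelyingParty:
    """Server side of an authorization-code login; provider calls are pluggable."""

    def __init__(self, exchange_code: Callable[[str, str], str],
                 fetch_userinfo: Callable[[str, str], str]):
        self.exchange_code = exchange_code      # (provider, code) -> access token
        self.fetch_userinfo = fetch_userinfo    # (provider, token) -> JSON body
        self.pending: Dict[str, Tuple[str, str]] = {}    # session -> (provider, state)
        self.accounts: Dict[Tuple[str, str], str] = {}   # (provider, subject) -> user id
        self.by_email: Dict[str, str] = {}               # verified email -> user id

    def begin_login(self, session_id: str, provider: str) -> str:
        """Return the random state to send in the authorization request."""
        state = secrets.token_urlsafe(32)
        self.pending[session_id] = (provider, state)
        return state

    def finish_login(self, session_id: str, state: str, code: str) -> str:
        """Handle the redirect back from the provider; return the local user id."""
        provider, expected = self.pending.pop(session_id, (None, None))
        if expected is None or not hmac.compare_digest(expected.encode(), state.encode()):
            raise PermissionError("state mismatch or no login in progress (login CSRF?)")
        # Redeem the code ourselves. Never accept an access token posted by the
        # browser: a token only proves that *some* client was authorized, not
        # who is sitting at this browser (the token-substitution problem).
        token = self.exchange_code(provider, code)
        identity = normalize_userinfo(provider, self.fetch_userinfo(provider, token))
        return self._resolve_account(identity)

    def _resolve_account(self, ident: Identity) -> str:
        key = (ident.provider, ident.subject)
        if key in self.accounts:
            return self.accounts[key]
        trusted_email = ident.email if ident.email_verified else None
        # Link to an existing local account by email only when the provider
        # vouches for it; otherwise anyone could claim that address and take over.
        if trusted_email in self.by_email:
            user_id = self.by_email[trusted_email]
        else:
            user_id = f"user-{len(set(self.accounts.values())) + 1}"
            if trusted_email:
                self.by_email[trusted_email] = user_id
        self.accounts[key] = user_id
        return user_id


# Constructed stand-ins for the providers' token and user-info endpoints.
FAKE_TOKENS = {("google", "code-g1"): "tok-g1", ("facebook", "code-f1"): "tok-f1"}
FAKE_USERINFO = {
    ("google", "tok-g1"): json.dumps({"sub": "1076915035000615071", "email": "alice@example.com",
                                      "email_verified": True, "name": "Alice"}),
    ("facebook", "tok-f1"): json.dumps({"id": "100012345", "name": "Alice",
                                        "email": "alice@example.com"}),
}


def fake_exchange_code(provider: str, code: str) -> str:
    try:
        return FAKE_TOKENS[(provider, code)]
    except KeyError:
        raise PermissionError("provider rejected the authorization code")


def fake_fetch_userinfo(provider: str, token: str) -> str:
    return FAKE_USERINFO[(provider, token)]


if __name__ == "__main__":
    rp = RelyingParty(fake_exchange_code, fake_fetch_userinfo)
    st = rp.begin_login("sess-1", "google")
    print(rp.finish_login("sess-1", st, "code-g1"))   # new local account for Alice
    st = rp.begin_login("sess-2", "facebook")
    # Same address, but this response carries no verified flag, so it becomes
    # a separate local account rather than a silent link to Alice's.
    print(rp.finish_login("sess-2", st, "code-f1"))
```

The second login in the demo is the case that matters: the Facebook response carries the same address as the Google one, but nothing marks it verified, so the code refuses to merge the two accounts. Linking on an unverified email is the classic account-takeover route in social login, and it is exactly the kind of "little hole" Brad's comment describes reviewers catching.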
gml commented
Yes, use http://rpxnow.com