Brad Olson commented:
Kirill, regarding oauth2 warnings from [Eran Hammer](http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/), I had a chance to sit down with Eran in 2014 and pick his brain a little further. My biggest takeaway from that is him saying something like, "The thing with security software is smart doesn't cut it. You have to have experience." When writing security libraries for hapi, he had budget to consult security experts. They caught a lot of little holes. Don't try to cobble your own stuff unless you have solid experience--yours or someone else's--at your disposal.
It sounds like oauth2 was ruined by committee, but it still sees a ton of use by big companies. I found [this Stackexchange comment](https://security.stackexchange.com/questions/133065/why-is-it-a-bad-idea-to-use-plain-oauth2-for-authentication/133073#133073) helpful in understanding the misuse of oauth2.
I would love to see some sort of SSO for checkvist, but only if it's secure. See my 2FA request.