Comment by crawshaw

2 months ago

[exe.dev co-founder here] Hi. Re: oauth2, the last product I built, Tailscale, only did auth by oauth2. I chose this because 1. businesses need it anyway, and 2. passwords are terrible.

But it was a choice that does not come for free. I dread a page of buttons for third-party services, and the control I give them over my life. I hate that I never know if I should log in with GitHub, or Google, and for a dozen services I have multiple accounts because I got lost in the miasma of oauth2.

Still, it was better than passwords!

But since the last product I built, the world has changed. We have passkeys now. Which are superior in every way for individuals using a third-party service. You get better UX. You get better privacy. It is a fundamentally better technology.

I did not list SSO under teams because I want to "tax" people. I did it because SSO only makes sense for businesses, where an administrator controls accounts, and can delete yours when necessary. There, oauth2 is the best technology we have. But for individuals, it is a dead technology. I am reluctant to make everyone's exe.dev experience worse for legacy tech.

"We" don't have passkeys now. Many functional Android devices are not being upgraded to the latest Android versions, and simply will never get true passkey support that isn't locked away inside of Google's vault.

Passwords are much better than the OAuth2 Kool-Aid, and passwords will still be better as long as older devices can't support passkeys due to arbitrary restrictions.

Appreciate you not following Tailscale's many-SSO-provider authentication approach. It makes sense for teams/business (Tailscale's customers), but creates some confusion and extra friction for casual homelab users like me. I have a note in 1Password for tailscale.com just titled "USE GITHUB AUTH".

Passkeys work great for me and I greatly prefer them. Exe.dev I think is the first service I've seen that's so passkey centric and it makes a lot of sense.

I don't see how Oauth2 is a legacy technology. It will never be until all of the problems of passkeys are solved. And I very much wouldn't just dismiss oauth2 as something only businesses have, because Oauth2 does have its uses where it can convey information a passkey cannot.