
Users still can't add a local password without using reset


Colonel_mortis


In 4.3 (I think), you added support for LOGIN_REAUTHENTICATE, which you use to verify a user's authenticity when changing their email or 2FA credentials. This means that the ability to authenticate by a method supported by LOGIN_REAUTHENTICATE is sufficient to add a local password anyway, as you can change the email then reset the password. LOGIN_REAUTHENTICATE supports reauthentication using social login methods such as Facebook.

However, there is still no UI support for adding a local password if you currently only have social logins enabled, so you have to go through the password reset process. This is poor UX, and is not at all clear to users who are trying to add a local password (there is no message that they should do this).

As there is negligible security benefit of the current system, I think it would make sense to allow users to add local passwords in the same way as users can change their existing passwords, but allowing them to authenticate using a social login to gain access to the new password form.

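The chain the post describes (social login satisfies reauthentication, reauthentication unlocks changing the email address, control of the email address unlocks the password reset, and the reset sets a local password) can be checked mechanically as a reachability problem over the account's security actions. The block below is an added example, not code from the post or from Invision Community; the action and factor names are hypothetical and the gating rules are a constructed model of the flows the post describes, not the suite's real configuration. It computes which factors a session ends up holding from what it started with, and then checks whether the requested "set a local password after any reauthentication" form would let such a session reach anything it could not already reach.

```python
"""Reachability check for account-recovery flows (constructed model).

Each action requires a set of proved factors and, once performed, grants
further factors. A session that can chain actions until nothing new is
reachable has the full closure; comparing closures before and after a
policy change shows whether the change widens what a session can do.
"""
from typing import Dict, FrozenSet, Iterable, Set, Tuple

# Hypothetical names, assumed for illustration; not identifiers from the product.
# REQUIRES: action -> factors the session must hold before performing it.
CURRENT_REQUIRES: Dict[str, Set[str]] = {
    "reauthenticate_social": {"social_login"},
    "reauthenticate_local":  {"local_password"},
    "change_email":          {"reauth"},
    "change_2fa":            {"reauth"},
    "change_password":       {"local_password"},   # existing-password form
    "request_reset":         {"email_access"},     # reset link goes to the address on file
}

# GRANTS: action -> factors the session holds after performing it.
CURRENT_GRANTS: Dict[str, Set[str]] = {
    "reauthenticate_social": {"reauth"},
    "reauthenticate_local":  {"reauth"},
    "change_email":          {"email_access"},     # the new address is one the session controls
    "change_2fa":            set(),
    "change_password":       {"local_password"},
    "request_reset":         {"local_password"},   # the reset form sets a fresh local password
}


def closure(
    start: Iterable[str],
    requires: Dict[str, Set[str]],
    grants: Dict[str, Set[str]],
) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """Return (factors held, actions performable) once no new action unlocks."""
    have: Set[str] = set(start)
    done: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for action, needs in requires.items():
            if action not in done and needs <= have:
                done.add(action)
                have |= grants.get(action, set())
                changed = True
    return frozenset(have), frozenset(done)


def with_proposal(
    requires: Dict[str, Set[str]],
    grants: Dict[str, Set[str]],
) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Copy the policy and add the form the post asks for:
    set a local password directly after any successful reauthentication."""
    r = {k: set(v) for k, v in requires.items()}
    g = {k: set(v) for k, v in grants.items()}
    r["set_local_password"] = {"reauth"}
    g["set_local_password"] = {"local_password"}
    return r, g


def proposal_widens_reach(start: Iterable[str]) -> FrozenSet[str]:
    """Factors reachable with the proposed form that were not reachable before.
    An empty result means the new form adds convenience but no new access."""
    before, _ = closure(start, CURRENT_REQUIRES, CURRENT_GRANTS)
    req, gr = with_proposal(CURRENT_REQUIRES, CURRENT_GRANTS)
    after, _ = closure(start, req, gr)
    return after - before


if __name__ == "__main__":
    factors, actions = closure({"social_login"}, CURRENT_REQUIRES, CURRENT_GRANTS)
    print("social-only session ends up holding:", sorted(factors))
    print("and can perform:", sorted(actions))
    print("proposal adds:", sorted(proposal_widens_reach({"social_login"})) or "nothing")
```

Run with a social-only starting set and the closure already contains `local_password` via `change_email` then `request_reset`, which is the chain the post relies on; the difference after adding `set_local_password` is empty. The model is only as good as its rules: if a deployment gated `change_email` on something a social login cannot supply, the two closures would differ, and that is exactly the case where the direct form would be a real policy change rather than a UX one.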

Let me ask you a question just so we can paint a complete picture - why do your users need to or want to add a "local password"? Typically if I visit websitex.com and log in with Facebook, I never worry about setting a local password, I just use Facebook login from that point forward.


13 minutes ago, bfarber said:

Let me ask you a question just so we can paint a complete picture - why do your users need to or want to add a "local password"? Typically if I visit websitex.com and log in with Facebook, I never worry about setting a local password, I just use Facebook login from that point forward.

There are a few reasons that spring to mind:

  • They want to be able to log into a device that they're not signed into Facebook on, or a device where Facebook is blocked (school, work)
  • Privacy - if they signed up with facebook, but no longer wish to grant other sites access to their Facebook data (which includes their real name), they would want to switch to local login (since switching to Google/Microsoft/etc would shift but not solve the issue)
  • They want to delete their Facebook/... account
  • Security - at least to me, I would rather not need to place extra trust in a third party service (and rely on it having been connected correctly) as well as the existing trust that I need to have for the site itself. While I am sure that there is no risk, I still don't permit anything other than local passwords for ACP login.
  • Redundancy - third party logins have failed in the past (usually due to problems on my end, but that doesn't actually matter), so having a way of logging in when that happens is useful (they can use the reset password link, but that is not communicated to users).

Personally, I try to keep everything isolated to one site, so I very rarely use social login options. That way, no matter what happens to Facebook, my account on websiteX will be safe, and no matter what happens on websiteX, my account and data on Facebook will be safe.


The picture you are painting, to me at least, is that knowledgeable users who kind of understand the ins and outs of using a social login when a site also supports a local login want to be able to set a local password for various reasons. These sorts of users who are thinking about this sort of thing, however, seem like the type that would try a "lost password" attempt in such a scenario.

(Not speaking as to the suggestion itself, I'm just trying like I said to get a complete picture to make sure any changes we make are logical but also solve the underlying concerns)


2 minutes ago, bfarber said:

The picture you are painting, to me at least, is that knowledgeable users who kind of understand the ins and outs of using a social login when a site also supports a local login want to be able to set a local password for various reasons. These sorts of users who are thinking about this sort of thing, however, seem like the type that would try a "lost password" attempt in such a scenario.

(Not speaking as to the suggestion itself, I'm just trying like I said to get a complete picture to make sure any changes we make are logical but also solve the underlying concerns)

And yet I still see people asking how they can add a local password. Using "forgot your password" when you never had a password is not intuitive enough for all of my relatively technical users (I of course don't have figures for how many people figured it out on their own, and how many people looked at their account settings, couldn't see a way to add a local password, and gave up).

