Lightweight Authentication

Full disclosure, I work for a fully-fledged authentication solution (FusionAuth) and if your PoC succeeds, my guess is you'll look to make a move to a similar solution. But I understand your desire to go quick and dirty.

You didn't provide a ton of details (the programming language affects library options, for example) but I would go one of the following ways:

* login with a social provider like google, facebook or github. I don't know what your audience is, but hopefully you know which of these (or any other) would have the most uptake. This delegates the entire authentication process to a third party and allows the user to choose the level of security they want around their account without involving you at all.

* look for an OSS library in your language that offers magic token login. This is what you are describing when you talk about the token. Implement that. If you can find such a library, this will be a simpler solution.

> What is the better way to implement this? Should I stick to the plain old login-password combination?

I'm not your user and we don't have any idea what your userbase is. I'd ask them. Lots of tech folks want a username and password so they can use a password manager. Non-tech folks would probably prefer one of the two above options.

An excellent women's soccer publication, Equalizer Soccer [1], which seems to use Memberful, has the authentication system I want EVERY non-critical publisher/app to use-

1. enter email address

2. email me a signin link

3. i click the link

4. i am in, on whatever device i am using

There is no password and no needed coordination with my password management.

It is glorious.

1. https://equalizersoccer.com/

For PoC Firebase Authentication

https://firebase.google.com/docs/auth

You get hosted + UI + OAuth

There are many others:

https://supabase.com/docs/guides/auth/overview

https://www.keycloak.org/

https://www.permify.co/

...

..

Magic email links essentially transfer "managing logins, passwords, OAuth tokens, and their recovery" to the user's email provider.

Many auth providers support magic links. I recommend https://userfront.com/dashboard/authentication

https://github.com/ory

You should also be able to get a free tier at Auth0

https://passkeys.dev/

Hey, we've built exactly what you are describing: https://www.hanko.io

You can go with either self-hosted or cloud. Cloud is free for up to 100 users.

If you have any questions along the way: https://www.hanko.io/community

send an expiring unique nonce token to their email address. when testing period is over you could implement another solution.

Very happy with https://zitadel.com

It's open source but would be too much of a hassle to set up in your case, the cloud version you can integrate in a couple of minutes and has a generous free tier.

For a personal webapp accessed from a few devices I just keep a list of session IDs in the app's config file. The web framework generates the session id, it's derived from a cookie with no expiry.

There's a "/register" page that just has a mailto: link to email myself, with the session ID in the mailto email body parameter. Easy to copy-paste into the config file when setting up a new device.

This is probably less useful for external users (who want to log in extra devices themselves), but something similar might work.

Something I wish exist is a solution that truly use my own tables and support multi-tenant. So you only configure the connection string and some SQL templates and that is all.

On a similar subject, does anyone have recommendations for how to roll your own conventional auth stack without using 3rd-party providers?

Just use phone number and send a OTP code. User will understand it right away, and they usually have a phone in their hand most of the time.

Just use Django, it has all builtin