I've been coding as a hobbyist for about eight years, but I only started dabbling in web development a year ago. For user authentication, I typically use a UUID linked to an email, which lets users recover their account if they lose their key. I also connect IP addresses to the UUID, so if there's a sign-in from an unusual location, I ask for email verification. I don't use passwords at all. I have rate limits and CAPTCHA in place for any endpoints that might be exposed to brute force attacks. Is this a solid approach, or are there improvements I should consider?
4 Answers
Relying solely on UUIDs and emails is okay for low-risk applications, but it’s not as strong as traditional authentication methods. Have you thought about using magic links or even OAuth? They would allow you to avoid passwords while still providing better security overall.
Your method is essentially passwordless authentication, which is a real thing—think magic links and passkeys. The UUID concept is decent, but you need to think about session management. How do you revoke a UUID if it gets leaked? Once issued, it should be easy to invalidate without forcing a complete re-auth for every session. Linking IP addresses can be tricky too, especially with mobile users who might change IPs frequently, leading to unnecessary verification requests. Consider using device fingerprinting alongside a known-device list for better accuracy. Also, if you want a robust solution without building everything from scratch, check out services like Auth.js, Clerk, or Lucia. They handle various edge cases effectively, and Clerk has a great free tier for what you need!
Totally agree! Expecting users to have a stable IP is problematic, especially with how mobile networks work nowadays.
You make a good point about session management. I'll definitely look into fingerprinting and talk a bit more seriously about using established libraries.
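As an illustration of the per-session revocation and known-device list the answer above asks about (this is an added example written for this thread, not code from the original poster or from any of the libraries named): each sign-in gets its own opaque token, only a hash of the token is stored, and revoking one session does not log out the others. The `SessionStore`, `Session` and `known_devices` names, the 30-day TTL and the device-id values are assumptions made here for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Added example for the thread above; SessionStore, Session and the
# known_devices layout are assumed names, not part of any existing project.


def _hash_token(token: str) -> str:
    """Only the hash is stored: a leaked sessions table then holds nothing
    that can be replayed as a bearer token."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Session:
    user_id: str
    device_id: str          # fingerprint or device cookie, not the IP address
    created: float
    revoked: bool = False


@dataclass
class SessionStore:
    sessions: Dict[str, Session] = field(default_factory=dict)   # token hash -> Session
    known_devices: Dict[str, Set[str]] = field(default_factory=dict)
    ttl_seconds: int = 30 * 24 * 3600   # assumed session lifetime

    def trust_device(self, user_id: str, device_id: str) -> None:
        """Called after the user completed email verification on this device."""
        self.known_devices.setdefault(user_id, set()).add(device_id)

    def login(self, user_id: str, device_id: str, now: Optional[float] = None) -> Optional[str]:
        """Issue a fresh per-session token, or None when the device is not
        yet trusted (the caller must run email verification first)."""
        now = time.time() if now is None else now
        if device_id not in self.known_devices.get(user_id, set()):
            return None
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self.sessions[_hash_token(token)] = Session(user_id, device_id, now)
        return token

    def resolve(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Map a presented token to a user id; None if unknown, revoked or expired."""
        now = time.time() if now is None else now
        s = self.sessions.get(_hash_token(token))
        if s is None or s.revoked or now - s.created > self.ttl_seconds:
            return None
        return s.user_id

    def revoke(self, token: str) -> bool:
        """Invalidate one session (e.g. 'sign out this device') and nothing else."""
        s = self.sessions.get(_hash_token(token))
        if s is None:
            return False
        s.revoked = True
        return True

    def revoke_all(self, user_id: str) -> int:
        """Invalidate every live session of a user; returns how many were cut."""
        n = 0
        for s in self.sessions.values():
            if s.user_id == user_id and not s.revoked:
                s.revoked = True
                n += 1
        return n


if __name__ == "__main__":
    store = SessionStore()
    store.trust_device("alice", "dev-A")          # constructed sample user/device
    laptop = store.login("alice", "dev-A", now=1000.0)
    phone = store.login("alice", "dev-A", now=1001.0)
    store.revoke(laptop)
    print(store.resolve(laptop, now=1002.0), store.resolve(phone, now=1002.0))
```

Because the token is random rather than a user-identifying UUID, the same value never doubles as the account identifier, and a user's device list is keyed on a device identifier instead of an IP, which is the change the replies about mobile networks are asking for.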
The UUID approach is innovative and simplifies user experience by removing password resets. That said, completely skipping passwords is a risk; if someone gets a UUID through phishing, they’re in, with nothing stopping them. Rate limiting and CAPTCHA are good but don’t fully safeguard against that. Also, consider that linking IPs can generate false alarms due to VPNs and mobile networks. Adding bcrypt hashing to your current system could offer an additional layer of protection without overhauling everything. What’s the app for? Depending on the sensitivity of the data, you might need stricter measures.
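The email verification step that the original poster triggers on an unfamiliar sign-in is where a phished or leaked identifier gets stopped, so here is an added example of that step done carefully (not code from the thread or from any library mentioned): the code is short-lived, single-use, capped in attempts, compared in constant time, and stored only as a keyed hash, so the mailed code alone is never sitting in the database. `VerificationService`, `CODE_TTL_SECONDS`, `MAX_ATTEMPTS`, the HMAC-SHA256 choice (used here in place of the bcrypt the answer mentions, because the code is high-entropy and random rather than user-chosen) and the server key value are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Added example; the class and constants below are assumed names for
# illustration, not part of the poster's application.

CODE_TTL_SECONDS = 600   # assumed: a code is valid for ten minutes
MAX_ATTEMPTS = 5         # assumed: failed guesses before the challenge is burned


class VerificationService:
    def __init__(self, server_key: bytes):
        self._key = server_key             # secret kept outside the database
        self._pending: Dict[str, dict] = {}   # challenge_id -> record

    def _hash(self, code: str) -> str:
        # Keyed hash: a dump of _pending without the key is not enough to
        # reconstruct codes, and HMAC is adequate for random 8-digit codes
        # protected by the attempt cap below.
        return hmac.new(self._key, code.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id: str, device_id: str, now: float) -> Tuple[str, str]:
        """Return (challenge_id, code). Only the code goes in the email; the
        challenge_id is handed to the browser that started the sign-in, so
        the two halves must meet again on the same device."""
        code = f"{secrets.randbelow(10 ** 8):08d}"   # 8 digits from the CSPRNG
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = {
            "user_id": user_id,
            "device_id": device_id,
            "code_hash": self._hash(code),
            "expires": now + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return challenge_id, code

    def verify(self, challenge_id: str, code: str, now: float) -> Optional[str]:
        """Return the device id to trust on success, None on any failure.
        Expired, exhausted and used challenges are deleted, never reused."""
        rec = self._pending.get(challenge_id)
        if rec is None:
            return None
        if now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            self._pending.pop(challenge_id, None)
            return None
        rec["attempts"] += 1
        if not hmac.compare_digest(rec["code_hash"], self._hash(code)):
            if rec["attempts"] >= MAX_ATTEMPTS:
                self._pending.pop(challenge_id, None)   # burn after too many guesses
            return None
        del self._pending[challenge_id]   # single use
        return rec["device_id"]

    def pending_count(self) -> int:
        return len(self._pending)


if __name__ == "__main__":
    svc = VerificationService(b"constructed-server-key-not-for-real-use")
    cid, code = svc.issue("alice", "dev-B", now=1000.0)   # constructed sample
    print("emailed code:", code)
    print("verified device:", svc.verify(cid, code, now=1010.0))
    print("replay:", svc.verify(cid, code, now=1011.0))
```

Returning the device id rather than a boolean lets the caller add exactly that device to the known-device list, and the attempt cap is what makes an 8-digit code safe against online guessing even before the endpoint-level rate limit and CAPTCHA the question already describes.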
If your app isn’t live yet and you’re not collecting personal data, then it’s not crucial at this stage. However, if you want to be proactive about security practices, I recommend checking out the OWASP cheat sheet on authentication. It'll give you a solid foundation to work from.
Thanks! I went for passwordless because I thought it would save time, but I'm definitely up for exploring third-party auth options to streamline things.

Yeah, I'm leaning towards trying out Clerk now!