Allbadcards


Account Login Changes

Hey all!

We have just deployed an update to All Bad Cards which adds Google and Facebook login options. 

This change was made because Patreon's documentation says that Patreon is not meant to be used for login purposes. As such, we will eventually phase out the Patreon login option in favor of other options. For now, though, you can still log in via Patreon.


Here's what you need to know:


More things...


If you have any questions, feel free to post as comments, or message via Patreon! Thanks everybody!

Comments

I believe if you pledge, then cancel, you can repledge without paying more if you are within the original payment period. I can't actually control how this works since it's all within Patreon, but I believe that is the case.

Jake

Sorry to jump on an old thread - I just wanted to know how to re-join as I just did the same as MarineOnTheCeiling as I only need the full version for this month?

Monica Istvan

Yeah, that's why. Unfortunately, Patreon doesn't send backer status in their API if you cancel, so there's no way to know if you're a backer on our end unless you re-join :/ it doesn't charge you twice to rejoin though!

Jake

Hey, since this change I can't see any of the packs? I pledged for a year and then cancelled my pledge (payment went through), could that be why?

MarineOnTheCeiling

Hello! No, your packs have not been deleted. My guess is that you need to ensure that you have linked your Patreon account. Please send a private message if you continue to have problems and I can help more!

Jake

Hi Jake, I was a contributor in Dec & Jan. Now after logging in in Feb, I see that my Card Packs that were saved have disappeared. I was under the impression that they were free to keep saved? Have they been deleted as I did not renew my Patreon for Feb? Thanks

J. Rhys Davies

As someone who works in this type of work, good call. It's an improvement for user security for sure.

Jackie

Kimberly, Patreon stores financial information, not All Bad Cards. They are a different website, and do operate as a yearly subscription (so that it does renew after a year). You are welcome to cancel if you prefer! As I stated, you will not be forced to use Google or Facebook login.

Jake

I would hope you provide an option where financial info is not stored. When I purchased a batch of cards, I did the one year purchase. So I am hoping that was a one time purchase that does not renew in a year and therefore you are not storing my personal info so there is no security issue. Not sure how all the other websites do things but I will not nor have I ever had to use a Facebook or Google login for security. I always just use my email and a password. For my bank, investment accounts, the most secure things possible. I’m sure there is an answer, just trying to make it clear that having those two options as your only options is a deal breaker.

Kimberly

Hi, Firstly, this is purely an added option for now, as part of a gradual change toward alternative options. There's no indication here that Google and Facebook will be the only available login options, they were just added first because they are just the most popular, and therefore cover the largest userbase. At some point, Patreon login may not be a reasonable option, so it makes sense to move away from it. This is all in the name of user security, because Patreon recommends against using their system for login. I'm assuming Patreon login is what you meant regarding "taking away the option to log in with just email". As much as you may dislike Google or Facebook, they do support this feature and are likely more secure than Patreon, which I did not realize was not meant to be used this way when I created it. Secondly, the reason username and password are potentially security problems is not because this website is "NASA" - the issue arises because, in the unlikely event of a security problem, user details can be used for nefarious purposes to target the users' other accounts. If a hacker somehow managed to decrypt the passwords of the users database, and those users do not have secure passwords, their livelihoods are now at risk through their bank accounts, or any other sensitive information they've stored online. I've taken great care in my data structures and code practices to protect the privacy and security of the users by avoiding storing sensitive information and every decision must be treated with the same care. That is not to say that we will not provide such a system, just that providing one requires care and attention and time, and I code this website by myself in my spare time, and I don't want to be the cause of a security issue for my users. Many people do not share the concerns of those who avoid Facebook and Google, as evidenced by the relative lack of poor feedback regarding their addition as login options.
That said, obviously there is a group of folks who certainly will never use them, and we will provide an option for those people that is not one of those.

Jake

You must be joking. Facebook and Google are literally the devil. There is zero chance I will ever use either to log in. So are you telling me I just wasted my money buying a membership? There is nothing wrong with just using your email and a password. This isn’t NASA. It’s a card game. Do NOT take away the option to just log in with your Email. I know very few people who will use Facebook or Google ever again.

Kimberly

I will continue to look into options! As it stands, the option to log in with Patreon still exists, and my efforts are focused on both security and feasibility (as I am the only dedicated developer). I see your point about the single point of failure. It also is true that the companies I've chosen, with the exception of Patreon, are leaders in security and are highly motivated to stay that way. I will keep looking at options to see what makes sense for us :)

Jake

Consumer single sign-on providers create a single point of failure for any number of sites a consumer has connected to their single identity. Consider Facebook's massive breach in 2018 where 50 million user accounts (and possibly tens of millions more) were able to be infiltrated by hackers. That hack provided access to not only an individual user's Facebook account but also any other service they had connected with Facebook's SSO. It would be a bad practice to think it could never happen again. Considering power users or those who care about individual privacy (those who are more likely to be the ones subscribing and setting up games for their social groups): the problem with SSO providers is they typically expose the email address of the Google or Facebook account they're connecting. That's not always ideal or desired, particularly for users who may use email accounts for different or specific purposes. Typical users — on average — also have a bad tendency to use accounts they shouldn't when faced with SSO. Professionally, I've seen companies who use G Suite and provide their employees with email accounts for work use. That's sometimes the only Google account that user has access to, so when they're faced with a consumer app or service that requires or offers Google SSO, more often than not, they're going to take the easy route and just use their work account where they shouldn't. That could lead to their email eventually getting leaked at some point. It happens. [premature submit; cont'd:] As you said, "Even large companies get hacked constantly," and Google and Facebook users are frequently exposed to phishing attempts. Their use of SSO is a liability on two ends: It provides the site operator an email the user may not want to or should provide, and it provides hackers a variety of additional sites they can possibly extract user data from by abusing that hacked user's SSO. 
A site providing a user and password option helps protect users by disconnecting unrelated sites from ever talking to each other. I can also say with certainty that a not-insignificant number of users I've created games for do not use either Google or Facebook... So that could be a barrier. With continued use, those who aren't already Patreon subscribers may want to be in the future. P.S. By the way, I do really enjoy AB.C, and think you've done a fantastic job with it. I do understand your desire to not wade into providing user accounts, but it would exclude a meaningful subset of power users and those who do not have accounts with the limited number of providers you're offering connectivity with. If you have less than 7,000 Patreon users, you could probably use the free-tier auth0+passport (or auth0+express-openid-connect)? Maybe passport+passport-local or passport+passport-local-mongoose (if that's your backend). Just thoughts

Agent Bleu

Can I ask why? It's far more secure to use a third party than a direct login option. We are very unlikely to offer a direct option for this reason. Managing passwords directly provides a much greater surface area for hackers and exposes users to risk for all their other accounts. Even large companies get hacked constantly, even with much more resources than we have. That said, I'll keep my eye out for other authentication options if users have opposition to Google and Facebook. Now that I've done the work for these two options, it is much easier to add others.

Jake

Will there be a direct allbad.cards login option? There is absolutely no way I (and I'm sure many others) will be willing to connect using Google/Facebook

Agent Bleu

