
655 points | louis-paul
littlecranky67 No.43629616
Still can't wrap my head around the fact that TS does not allow you to sign up with your own email/password combination but forces you to use big tech (GitHub, Apple, Meta etc.) to log in. Running your own OIDC provider as a small, private person does not make any sense either.
replies(2): >>43629788 #>>43675451 #
dijit No.43629788
I think that's quite smart, and OIDC is an open standard at least.

Securing usernames/passwords and handling second factors etc. is already done so well, and it's hard to do.

Having a clear "this is where we can be secure" stance is what makes me want to trust them more.

replies(3): >>43630167 #>>43630553 #>>43630731 #
lo0dot0 No.43630731
Why is that smart? I signed up for a Microsoft Account with my email and I can use the Microsoft Account to log in to Tailscale, but I can't use the email directly? How does the middleman bring anything to the table?
replies(1): >>43631327 #
dijit No.43631327
Because then Tailscale doesn't store a username and password for you, so unless Microsoft is hacked you won't be, theoretically.
replies(3): >>43631548 #>>43632133 #>>43641572 #
littlecranky67 No.43631548
But at the same time, now Microsoft knows you are using Tailscale (and they use this data in their tracking + analytics). And all the other products. They get a very good insight into your online habits, because they have a list of all the other products and apps you use where you sign in with your Microsoft account. And due to the way token refresh works, they even have a good idea of how frequently you use each individual one.

And if you for whatever reason get locked out of your Microsoft account (and I say this as someone who had this happen with a Google account) you are basically locked out of your online life.

I own my own domain for my email address (xxxx@mydomain.com). As long as I can set the MX record of that domain freely, I can always restore access to my email address no matter what any email provider decides to do or block me for.

replies(1): >>43631564 #
dijit No.43631564
Sure, then spin up a Keycloak.

It's not hard.

If you don’t feel comfortable doing so: maybe that is telling.

replies(1): >>43632158 #
lo0dot0 No.43632158
What are you on about? For years logging in with email was possible even on the most amateurish projects. Now that's not possible for Tailscale? Why?
replies(1): >>43632207 #
dijit No.43632207
Because they don't want your password, and as a security company, I applaud that.

Account issues, recovery, support that can be manipulated, a single breach or bad password that grants access to their admin interfaces, implementing their own 2FA.

And, serious people want SSO anyway, and most people have some kind of authentication they can lean on.

You can make a stodgy password login if you want, or you can run a Keycloak yourself.

If you don't want to run an OIDC provider for yourself, why would you want them to?

Genuinely, I applaud the idea that they're SSO first and have as little information as possible to handle things. If you don't like it, well, run your own, run Headscale, or use WireGuard another way.

Not every company needs their own login system. I fucking hate it.

replies(1): >>43633663 #
lo0dot0 No.43633663
Microsoft was hacked before and I don't trust them, but I trust the email provider at the company I work for. Now what?
replies(1): >>43633816 #
dijit No.43633816
Microsoft getting hacked proves my point more than you think, they're less likely to get hacked now because they have scar tissue. You're basically saying: "If you ever get hacked your reputation is burned forever, but I want these guys who have never done it before to handle logins for me even though they are saying that they are not comfortable with the extra responsibility". Get over yourself.

If you trust your email provider: Ask them to set up an OIDC provider then.

Email is insecure. I can't be the first person to tell you this.

Multiplying your logins is not more security, it's less in the majority of cases.