a year ago
Currently we support magic link passwordless login.
This thread tracks the ability to add passwords
7 Replies
a year ago
The prior context for this discussion: https://help.railway.app/feedback/request-tell-us-about-your-nits-on-the-a3c5878e#p-119
What I would add to that is that it seems like somewhat of a cop-out to say "we don't want to store password hashes, so rather than ensuring our system is secure enough to do so, we'll pass the inconvenience on to the user". In terms of risk profile, I'm not entirely convinced that irreversible password hashes are a more valuable target for hackers than free compute and payment information. That is just my point of view, though - I obviously don't get to choose what your development decisions will be.
What I will say is that if this continues to be an issue, it significantly increases the likelihood that I'll move both my business and personal projects to another platform - since none of Railway's competitors have the same problem, and this login thing is a significant operational headache.
Also, I mentioned this in the old forum, but the company you're using for authentication - https://magic.link/ - is all in on cryptocurrency. Which doesn't specifically imply anything bad about Railway, but... it's not a great look.
a year ago
Hey there Raxod,
It's totally not our goal to pass on inconvenience and headache to the user, and I can totally understand how this is the case. If I had to guess, I am sure that you have personal projects under a "gmail" and a Google Workspace account for your business projects. I would love to know what your ideal set-up is so that we can solution around it.
We have been pretty tight with the whole 1:1 GitHub to Railway account link and the team's been open to relaxing this insofar as we can ensure that we won't get an influx of spam accounts trying to circumvent our anti-spam measures.
Btw- the reason we have dedicated the amount of resources we have to home-rolling our own support/forum system is so that you have an easier time influencing our development decisions. Please do yell at us; me now knowing that this would get you to move off platform is changing my position a bit, but keep in mind, it's not as easy as "add password" - it has significant implications for the security posture of the companies on the platform. If we were to do it, I would just wanna know if it would be worth it.
Re: Magic, that's our view as well and as such we are going to be adding one additional SSO provider and are going through the build vs. buy discussion when it comes to our IdP solution.
a year ago
Hello, I am not a security researcher, please educate me if I'm wrong: How is a password with strength constraints + a mandatory second factor (at least OTP, preferably also a choice of hardware security key) "inherently insecure", as per the previous thread? Or did you think the request was for non-2FA-secured login? Of course not. Multifactor authentication is always required in 2024. I didn't think that would even have to be specified. That's the request I was making in the original thread way back when. Strong password requirement and a second factor.
If the argument is for "security reasons", how is sending a link to an email more secure than MFA? You can't control how people protect their email. But you can require strong passwords and multiple factors. I truly don't understand the "more secure" aspect of it. Using email as the second factor AFTER password, that I can understand. But if sending an email is your only protection, isn't that equivalent to just having an uncontrolled password (the one for your email inbox) without a second factor?
Btw the last time I had to log in to Railway the passwordless email wouldn't work whatsoever. Gave up after 20 tries of not receiving a single email and logged in another way - I think. I don't remember exactly, I may have returned after several hours to find it working again. Needless to say this "magic link" service gained a very bad name for itself that day.
a year ago
You aren't wrong- and I interpreted your ask as what you mentioned: "Strong password requirement and a second factor." However, given the list of work we have to do around identity, for me, I would need a strong argument that the above is blocking business. With what you posted below ->
> the last time I had to log in to Railway the passwordless email wouldn't work whatsoever
Yep- that needs to be fixed. If the experience is bad, you'd want to default to the old system entirely. Whenever someone requests a feature, at least for me, the biggest thing I care about is the root cause of the request, and to me, it feels less like "need password" and more like: "your login experience is obtuse".
Not ruling passwords out but I think if we can offer Google SSO and fix the email flow that would get us 80 percent of the way there to buy some time on implementing proper auth.
Personally, I don't want to be in the IdP game.
a year ago
> If I had to guess, I am sure that you have personal projects under a "gmail" and a Google Workspace account for your business projects. I would love to know what your ideal set-up is so that we can solution around it.
I don't use any Google products, so I have my email hosted with Fastmail, and both accounts are under my own domains - radon@intuitiveexplanations.com and ops@radian.codes to be specific - but yes. My ideal setup is what I have - separate accounts. This is standard practice; personal and business assets are always kept strictly separate for legal and tax reasons. The only issue is I have to jump through the email link hoops every time I log in to Railway (or any time I want to switch accounts).
I am potentially open to using SSO, but I do not trust either Google or GitHub (i.e. Microsoft) anywhere nearly enough to tie authentication for other accounts to those companies. It would have to be something else.
10 months ago
For what it's worth, I came back to this since I recently started to do business with Tailscale, which has the same "no passwords" policy as Railway. In their case, however, they let you bring your own OIDC provider, with the documentation available here: https://tailscale.com/kb/1240/sso-custom-oidc. I decided that seemed reasonable and set up an Authentik instance for myself at https://auth.intuitiveexplanations.com/. With that configured, I was easily able to create an account on Tailscale, and if Railway likewise had support for custom OIDC providers, I would switch over to that and have no material issue with the lack of password login support.
5 months ago
Today I've just had to log in and found that apparently now it's required to receive two emails to log in to my account (on top of the TOTP that I also use). The fact that there hasn't been any movement on fixing the problem here, and in fact it's gotten worse, is making me ask whether I should start moving my infrastructure to an alternative solution sooner rather than later, since degrading user experience like this doesn't bode well for what I might expect in the future. Can any of the employees here comment on the situation?