Authentication: How much do you care, how much do they?

As we move on from simple email address/password authentication, how do we integrate our local systems with centralized authentication gateways? How do we maintain our users’ security and trust? The solutions involve:

• Use standards based, widely used, systems: OUATH2, SAML, OpenID Connect
• Keep things simple and limit customization - if there is an out-of-the-box solution use that.
• Ensure interfaces look and behave the way users expect them to.
• Limit the data gathered and saved through authentication.
• Clarify to the user what data is being gathered, from whom, and for what purpose.
• Use user data in a way that keeps it safe: Don’t display it in full on the page.
• Do not give users more access than they need: Do you want a new user to be automatically registered?