Should I request a password from users logging in with a Gmail account if they registered with a password?

Time:12-28

Users on my platform can register with email & password. When they wish to log back in they can use a 3rd party integration (such as Gmail) to authenticate their email.

I've seen on multiple websites (Zapier for example) that even though I authenticated with the Gmail integration, they still ask me for my original password when signing in.

Why would they need my password if they have already authenticated that this is my email? Are there any security reasons to do so, or is it just to make sure that even though it is my email, I know the password for my account?

CodePudding user response:

There is no need to ask for a password if you connect with a trusted service such as Google, Facebook, Apple, Microsoft, Twitter, etc., and you are in fact delegating all security checks to the respective provider. Google, for example, based on the user's account settings, would be responsible for providing the user with a 2FA challenge before logging in.

It would in fact be good UX practice to not even ask the user to create a password, and some websites even decide to exclude the creation of local accounts altogether. In this case, the user can just log in with the provider without the need for a "sign up" process, because all OAuth providers share the user's email address if requested, so you can create the account "on the fly" as needed and personalize the experience by sending a welcome email, redirecting to a page, showing a message, etc.

That being said, you can augment the login security as much as you want with original password requests, CAPTCHA challenges, encryption, IP whitelists, hit counters, cooldown periods, etc., if you feel it's justified. Would it be needed? Probably not in most cases.
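The policy discussed in this thread (create the account on the fly from the provider's claims, trust an already-linked provider identity, and ask for the local password only the first time a provider login meets an account that was registered with a password) as an added example; this is not code from the original post or from any real provider SDK. It assumes a simplified OpenID Connect ID-token claims dict with `iss`, `sub`, `email` and `email_verified`, a toy in-memory user store, and hypothetical names `Decision`, `decide_login`, `create_from_claims` and `confirm_password_and_link`. It only accepts an address the provider marks as verified, since that flag is the provider's assertion that the user controls the mailbox.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
import hashlib
import hmac
import os


class Decision(Enum):
    REJECT = "reject"                  # claims unusable: missing fields or unverified email
    CREATE_ON_THE_FLY = "create"       # no local account yet: create it from the claims
    LOGIN = "login"                    # this provider identity is already linked
    CONFIRM_PASSWORD = "confirm_pw"    # password account, first use of this provider


@dataclass
class User:
    email: str
    password_hash: Optional[bytes] = None          # None for provider-created accounts
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    linked: set = field(default_factory=set)       # {(issuer, subject), ...}


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; a constructed, deliberately simple password store.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register_with_password(users: dict, email: str, password: str) -> User:
    """Classic email + password sign-up (the questioner's registration path)."""
    user = User(email=email.lower())
    user.password_hash = hash_password(password, user.salt)
    users[user.email] = user
    return user


def decide_login(claims: dict, users: dict) -> Decision:
    """Decide what to do with a successful provider login, given its ID-token claims."""
    for key in ("iss", "sub", "email"):
        if not claims.get(key):
            return Decision.REJECT
    # Only a verified address is evidence that the user controls the mailbox.
    if claims.get("email_verified") is not True:
        return Decision.REJECT
    user = users.get(claims["email"].lower())
    if user is None:
        return Decision.CREATE_ON_THE_FLY
    identity = (claims["iss"], claims["sub"])
    if identity in user.linked:
        return Decision.LOGIN
    if user.password_hash is not None:
        # Account was registered with a password and this provider has never been
        # linked to it: ask for the local password once, as Zapier does.
        return Decision.CONFIRM_PASSWORD
    # Provider-created account seen through a new provider: both vouched for the
    # same verified address, so link the new identity and log in.
    user.linked.add(identity)
    return Decision.LOGIN


def create_from_claims(claims: dict, users: dict) -> User:
    """Account creation "on the fly": no local password is ever set."""
    user = User(email=claims["email"].lower())
    user.linked.add((claims["iss"], claims["sub"]))
    users[user.email] = user
    return user


def confirm_password_and_link(user: User, password: str, claims: dict) -> bool:
    """Step-up for CONFIRM_PASSWORD: on success the provider identity is linked,
    so later logins through the same provider resolve to LOGIN directly."""
    if user.password_hash is None:
        return False
    candidate = hash_password(password, user.salt)
    if not hmac.compare_digest(candidate, user.password_hash):
        return False
    user.linked.add((claims["iss"], claims["sub"]))
    return True
```

The linking key is the pair (issuer, subject), not the email address alone: the email is used only to find the local account, and once the identity is linked the password is never requested again for that provider, which is the trade-off the answer describes between delegating to the provider and keeping a one-time local check.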
