
Password-first auth and immutable identity-separation policy

Domains: DOL, English, Product
Confirmed by: Product Design

DEC-0044 - Password-first auth and immutable identity-separation policy


DEC-0033 locked MVP auth channels, but execution details for credential priority, duplicate-account behavior, and identity linkage were still unclear.

Auth and identity baseline is refined as:

  • Login default: password-first with OTP fallback.
  • Email/phone signup: requires password creation + OTP verification.
  • Password policy baseline: minimum 6 characters.
  • OTP baseline: validity 10 minutes, resend cooldown 60 seconds.
  • Social signup/login remains supported; a social account can set a local password later.
  • If the signup input (email/phone) already exists, the system auto-switches to the OTP login flow and auto-sends an OTP.
  • Email/phone are unique per account.
  • Duplicate accounts are not merged or transferred; identities remain separated once created.
  • Users can self-add a missing contact identity and self-link social identities inside account settings.
  • Phone is optional globally (not hard-required for all users).
  • A social account without a phone can still use the platform normally; phone completion is nudged later.
  • Trusted-device window is 30 days.

Rationale:

  • Aligns UX with user preference for password-first simplicity.
  • Prevents hidden merge risks and operational ambiguity.
  • Keeps recovery and multi-method login extensible without forcing a phone gate.

This model balances low friction and clear ownership: users can use multiple login methods on one account, but accidental multi-account states are not auto-mutated by the system.
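The following is an added example, not code from the product described in this decision record, showing one way the baseline above could be modelled as a single in-memory service: password-first login with OTP fallback, the 6-character minimum, the 10-minute OTP validity and 60-second resend cooldown, the 30-day trusted-device window, uniqueness of email/phone, the auto-switch to OTP login when a signup identity already exists, and a self-service identity add that rejects, rather than merges, an identity owned by another account. Storage, hashing choices (PBKDF2 for passwords, SHA-256 for the stored OTP digest), the `email:`/`phone:` identity prefixes and all class and method names are assumptions for the example; the injectable `clock` exists so the time-based rules can be exercised deterministically.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import timedelta
from typing import Optional

# Baselines stated in DEC-0044
MIN_PASSWORD_LEN = 6
OTP_TTL = timedelta(minutes=10)
OTP_RESEND_COOLDOWN = timedelta(seconds=60)
TRUSTED_DEVICE_WINDOW = timedelta(days=30)


class AuthError(Exception):
    pass


@dataclass
class Account:
    id: int
    identities: set = field(default_factory=set)   # "email:..." / "phone:...", unique per account
    social_ids: set = field(default_factory=set)   # e.g. "google:<subject>" (assumed format)
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    password_hash: Optional[bytes] = None          # None until a local password is set
    verified: bool = False                         # set once an OTP has proven ownership


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AuthService:
    """In-memory model of the DEC-0044 flows (example only). `clock` returns the current datetime."""

    def __init__(self, clock):
        self.clock = clock
        self.accounts = {}   # account id -> Account
        self.owner = {}      # identity -> account id (enforces email/phone uniqueness)
        self.otps = {}       # identity -> (sha256(code), issued_at); only the digest is kept
        self.trusted = {}    # (account id, device id) -> expiry

    def send_otp(self, identity: str) -> str:
        """Issue a 6-digit OTP under the 60 s resend cooldown. Returned here only so the
        example is testable; a real service delivers it out of band and never returns it."""
        now = self.clock()
        prev = self.otps.get(identity)
        if prev and now - prev[1] < OTP_RESEND_COOLDOWN:
            raise AuthError("otp resend cooldown")
        code = f"{secrets.randbelow(10**6):06d}"
        self.otps[identity] = (hashlib.sha256(code.encode()).digest(), now)
        return code

    def _consume_otp(self, identity: str, code: str) -> None:
        entry = self.otps.pop(identity, None)      # single use: popped before checking
        if entry is None:
            raise AuthError("no otp outstanding")
        digest, issued = entry
        if self.clock() - issued > OTP_TTL:
            raise AuthError("otp expired")
        if not hmac.compare_digest(digest, hashlib.sha256(code.encode()).digest()):
            raise AuthError("otp mismatch")

    def _find(self, identity: str) -> Account:
        if identity not in self.owner:
            raise AuthError("unknown identity")
        return self.accounts[self.owner[identity]]

    def signup(self, identity: str, password: str) -> str:
        """Email/phone signup: password + OTP. An existing identity auto-switches to OTP login."""
        if identity in self.owner:
            self.send_otp(identity)
            return "otp_login"
        if len(password) < MIN_PASSWORD_LEN:
            raise AuthError("password too short")
        acct = Account(id=len(self.accounts) + 1, identities={identity})
        acct.password_hash = _hash_password(password, acct.salt)
        self.accounts[acct.id] = acct
        self.owner[identity] = acct.id
        self.send_otp(identity)                    # account stays unverified until OTP passes
        return "verify_otp"

    def signup_social(self, social_id: str) -> int:
        """Social signup: no phone required, account usable immediately."""
        acct = Account(id=len(self.accounts) + 1, social_ids={social_id}, verified=True)
        self.accounts[acct.id] = acct
        return acct.id

    def login_password(self, identity: str, password: str, device_id: str) -> int:
        """Default path: password first. Unverified or password-less accounts cannot use it."""
        acct = self._find(identity)
        expected = acct.password_hash if (acct.verified and acct.password_hash) else b""
        if not hmac.compare_digest(expected, _hash_password(password, acct.salt)):
            raise AuthError("bad credentials")
        self._trust(acct.id, device_id)
        return acct.id

    def login_otp(self, identity: str, code: str, device_id: str) -> int:
        """OTP fallback. A passing OTP also completes signup verification."""
        acct = self._find(identity)
        self._consume_otp(identity, code)
        acct.verified = True
        self._trust(acct.id, device_id)
        return acct.id

    def _trust(self, account_id: int, device_id: str) -> None:
        self.trusted[(account_id, device_id)] = self.clock() + TRUSTED_DEVICE_WINDOW

    def is_trusted(self, account_id: int, device_id: str) -> bool:
        exp = self.trusted.get((account_id, device_id))
        return exp is not None and self.clock() < exp

    def add_identity(self, account_id: int, identity: str) -> None:
        """Self-add an email/phone. An identity owned by another account is rejected, never merged."""
        if self.owner.get(identity, account_id) != account_id:
            raise AuthError("identity already belongs to another account")
        self.accounts[account_id].identities.add(identity)
        self.owner[identity] = account_id

    def set_password(self, account_id: int, password: str) -> None:
        """Lets a social-only account add a local password later."""
        if len(password) < MIN_PASSWORD_LEN:
            raise AuthError("password too short")
        acct = self.accounts[account_id]
        acct.password_hash = _hash_password(password, acct.salt)
```

Two design points worth noting: the OTP entry is removed from the store before it is checked, so a wrong guess burns the code rather than allowing repeated attempts against the same one, and `add_identity` is the only place a second account could have been silently absorbed; making it raise is what keeps the "no auto-merge" rule enforceable in code rather than in policy text.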