Have been wondering about this in terms of how safe/secure it may be to use them. Not that a Lemmy account is exactly something to fret a ton over, but I always appreciate a little more peace of mind.
Searching through here I found where Alexandrite’s dev gives a rundown to someone asking in regards to their work, but I didn’t surface similar for others. I’ve tried running some broader searches but haven’t had a ton of luck, so thought I’d ask.
I’m building !lemmynade@lemm.ee and can answer any questions. Each app and client handles differently, but for Lemmynade:
Throughout this process, nothing is stored, logged, or recorded anywhere. The only thing stored is the secure token, and that secure token is only saved on your own device. Neither Lemmynade nor anyone else can access your account unless they have access to your specific device.
There are many more layers to this, but hopefully that explains the general idea. The main danger with the current method of authentication is that you are providing your raw password to a third party, meaning if someone wanted to be malicious it’s fairly easy to do.
A much better authentication method is called OAuth. With OAuth, you never give your password directly to the third party, so it’s far safer. A lot of us devs are pushing for this and hoping to see this down the road as it would give much more peace of mind to everyone. It’s only up from here!
Quiblr works essentially the same way. But I query the instance list so users cannot input a bad instance name.
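A sketch of the flow the two replies above describe, as added example code that is not Lemmynade's or Quiblr's own: check the typed instance name against an instance list before anything is sent, post the password once to that instance's login endpoint, and keep only the returned token on the device. The instance list, the injected `post` transport and the token file path are constructed assumptions; the `/api/v3/user/login` endpoint with `username_or_email`/`password` fields and a `jwt` reply follows Lemmy's API as I understand it.

```python
import json
import os
import stat
from pathlib import Path
from typing import Callable, Dict, Iterable, Optional

# Constructed stand-in for the instance list a client such as Quiblr
# fetches; a real client would query it over the network.
KNOWN_INSTANCES = frozenset({"lemm.ee", "lemmy.world", "lemmy.ml"})


def pick_instance(user_input: str, known: Iterable[str] = KNOWN_INSTANCES) -> str:
    """Normalise what the user typed and refuse anything not on the list,
    so the password is never posted to a typo'd or look-alike host."""
    host = user_input.strip().lower()
    host = host.removeprefix("https://").removeprefix("http://").rstrip("/")
    if host not in set(known):
        raise ValueError(f"unknown instance: {host!r}")
    return host


def login(host: str, username: str, password: str,
          post: Callable[[str, Dict[str, str]], Dict[str, str]]) -> str:
    """Send credentials once to the instance's login endpoint (assumed
    /api/v3/user/login) and return the JWT. `post` is injected so the
    caller owns the transport; nothing here logs or keeps the password."""
    body = {"username_or_email": username, "password": password}
    resp = post(f"https://{host}/api/v3/user/login", body)
    token = resp.get("jwt")
    if not token:
        raise RuntimeError("login failed: no token in response")
    return token


def save_token(token: str, path: Path) -> Path:
    """Persist only the token, on this device, readable by the owner alone."""
    path.write_text(json.dumps({"jwt": token}))
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # mode 0600
    return path


def load_token(path: Path) -> Optional[str]:
    """Read the stored token back, or None if the user never logged in."""
    if not path.exists():
        return None
    return json.loads(path.read_text()).get("jwt")
```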