Roadmap

LastLogin is currently missing several features that will be necessary to accomplish our goals. Some are listed here.

Wildcard email support

Many email providers allow "wildcard" email addresses to be created on the fly. For example, if your Gmail address is alice@gmail.com, you can send an email to alice+*@gmail.com, where "*" can be whatever you want. LastLogin should let you fill in that part when you log in to an app or site. This is particularly valuable if you have your own domain name, as you can generate entirely unique email addresses for each app, similar to what Apple does to preserve user privacy.

Passkeys support

We would like to support passkeys, but it would be tricky with our architecture. Currently we don't store any user information on our servers. This both saves us money on storage and improves privacy. But passkeys need to be tied to an identifier such as an email address.

Support decentralized login protocols

LastLogin needs to support decentralized login protocols, so that apps and browsers/extensions have someone to talk to. Support for BrowserID from Mozilla Persona, or a similar protocol, would be nice.

Custom upstream providers

Users should be able to add their own OpenID Connect (OIDC) provider to use with LastLogin. For example, if they self-host their own OIDC server, they should be able to use that server to add identities for the same domain to LastLogin. This should be possible both by manually adding providers and by using WebFinger to determine the provider automatically for an email address.

This provides the most realistic path towards decentralized login. Imagine if an email provider like Fastmail implemented WebFinger and allowed their users to specify the OIDC provider they want. When a Fastmail user goes to log in to a website, they would enter an email address (or, more realistically, select one they used previously or have it autofilled by the browser). The site would check the email server using WebFinger to see if the user has their own OIDC server (perhaps also provided by the email provider). If yes, the user authenticates directly with their own server. If not, the site defers to LastLogin, which can talk to the custom OIDC server directly.
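
The lookup step described above, as an added sketch in Python (not LastLogin's code): it builds the WebFinger query for an email address, reads the issuer from the response, and falls back when none is usable. It assumes the provider advertises the issuer with the link relation from OpenID Connect Discovery 1.0; the function names, the constructed sample response and the `https://lastlogin.example` fallback are placeholders, and no network request is made.

```python
import json
from urllib.parse import urlencode, urlsplit

# "rel" value that OpenID Connect Discovery 1.0 defines for issuer lookup
ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"
FALLBACK_ISSUER = "https://lastlogin.example"  # placeholder, not a real endpoint

# Constructed sample of what a mail provider's WebFinger endpoint could return
SAMPLE_JRD = json.dumps({
    "subject": "acct:alice@example.com",
    "links": [{"rel": ISSUER_REL, "href": "https://id.example.com"}],
})

def webfinger_url(email):
    """Build the RFC 7033 WebFinger query URL for an email address."""
    local, sep, domain = email.rpartition("@")
    if not (sep and local and domain) or any(c in domain for c in "/?#: "):
        raise ValueError("not a usable email address")
    query = urlencode({"resource": "acct:" + email, "rel": ISSUER_REL})
    return "https://" + domain.lower() + "/.well-known/webfinger?" + query

def valid_issuer(href):
    """Accept only https URLs with a host and no userinfo, query or fragment."""
    if not isinstance(href, str):
        return False
    try:
        u = urlsplit(href)
    except ValueError:
        return False
    return (u.scheme == "https" and bool(u.hostname) and u.username is None
            and u.password is None and not u.query and not u.fragment)

def pick_issuer(email, jrd_text):
    """Return the user's own OIDC issuer from a JRD body, else the fallback."""
    try:
        jrd = json.loads(jrd_text)
    except (TypeError, ValueError):
        return FALLBACK_ISSUER
    if not isinstance(jrd, dict) or jrd.get("subject") != "acct:" + email:
        return FALLBACK_ISSUER  # malformed, or about a different account
    links = jrd.get("links")
    for link in links if isinstance(links, list) else []:
        if (isinstance(link, dict) and link.get("rel") == ISSUER_REL
                and valid_issuer(link.get("href"))):
            return link["href"]
    return FALLBACK_ISSUER
```

Requiring the `subject` to match the queried address and the issuer to be a plain `https` URL keeps a misconfigured or hostile WebFinger response from redirecting the login to an unintended server.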