
I'm working on an app where our customers have some conflicting requirements:

1) Pretty complex password requirements (I'm trying to sell them on long pass phrases with no other requirements, but it's government bureaucracy, so not holding out hope) https://xkcd.com/936/

2) Reluctance to have to manage users signing up, forgetting passwords, recovery, unlocks, etc.

3) Not wanting us to spend a lot of time/$ writing automation for that.

So, is it possible to delegate authentication to, say, Google, or Facebook, or whoever, but have them enforce policies such as password length/complexity (perhaps from a menu of password complexities that they offer), or must have 2-factor enabled, or maximum retries, etc.?

Jason Coyne

0 Answers