Learning from Giants #24
Getting better at giving feedback, The missing GraphQL standard, Getting the V of MVP right, and WebAuthn: an introduction to the passwordless world.
👋 Hi, this is Mathias with your weekly drop of the 1% best, most actionable, and timeless resources to grow as an engineering or product leader. Handpicked from the best authors and companies.
How do I get better at giving feedback?
"Being able to frequently give and receive feedback—especially feedback that is clear, concise and actionable—can completely transform your relationship with your colleagues."
Colleagues, not reports. That's a crucial point. Giving feedback as a manager is complex, but it is much more common than giving great feedback to colleagues or your manager.
Because it often touches sensitive parts of human beings, and because we're not always confident in our abilities to deliver it the right way, giving feedback sometimes feels like playing Operation.
"But, with continued practice, you can build the confidence to make it as common in your daily routine as having lunch, and your colleagues will thank you for it."
📗 James Stanier's How do I get better at giving feedback is a perfect summary of the best advice on feedback. It shares the best model for feedback: Radical Candor, an excellent process, and tips to make feedback a habit.
OpenCRUD: the missing GraphQL standard
GraphQL is excellent, but it needs standards, because it moves the complexity from the URL path to the query, and the query space is a lot larger and younger.
While REST has many drawbacks, it's a clear representation of resources, often tied to the underlying relational database. What if you want to represent these database resources in GraphQL? What's your standard? How do you represent complex relationships and filtering operations?
OpenCRUD.
"OpenCrud is a collection of specifications for GraphQL APIs that are designed to work well with specific database technologies. [...] This specification describes all aspects of a flexible GraphQL API suitable for relational databases."
📗 Prisma's OpenCRUD is a great attempt from the database company at creating standards in this maturing ecosystem. It draws from years of experience of the Prisma team doing code generation between the database and GraphQL. Interesting to anyone starting a GraphQL project!
Getting the V right (in MVPs)
"In our market, users don't want MVPs." is bullshit.
With the growing presence of internet products with billions in funding in our lives, entrepreneurs have become more hesitant about shipping early to market. It's true that the goalpost is moving: users expect a different level of polish than they did in the 2000s.
But that doesn't discard the MVP strategy; it makes it even more critical.
"What all these arguments lack is thoughtful examination of the V in MVP. And the V is the hardest to get right."
Viable first, minimum second.
But what does Viable mean?
📗 Christina Wodtke's Getting the V right is one of the best resources on MVPs. You will understand that "viable is a goal, not a set of requirements", and that it's a very contextual goal. If your market values design a lot, then cut down on features but not on design: that'll be your MVP.
WebAuthn: the future of authentication is passwordless
"Passwords have an ever-growing list of problems associated with them[...]. Users have to worry about passwords being stolen by phishing tools, or their passwords being leaked online if websites they have accounts with are compromised."
It's not just users; software also bears a large part of that risk.
While many patches have been layered on top of passwords over the past decades, alternatives have started to appear. They delegate authentication to trusted parties instead of relying on one more password. SSO is an excellent example of such delegation, but it is very centralized.
What if you could own that auth provider? That's what WebAuthn tries to achieve.
"The Web Authentication API (also known as WebAuthn) is a specification written by the W3C and FIDO, with the participation of Google, Mozilla, Microsoft, Yubico, and others. The API allows servers to register and authenticate users using public key cryptography instead of a password."
While such solutions already existed, what's new is the W3C spec and growing browser compatibility.
"It allows servers to integrate with the strong authenticators now built into devices, like Windows Hello or Apple's Touch ID. Instead of a password, a private-public keypair (known as a credential) is created for a website. The private key is stored securely on the user's device; a public key and randomly generated credential ID is sent to the server for storage. The server can then use that public key to prove the user's identity."
📗 Duo's Guide to Web Authn is an introduction to this new W3C specification that I predict will become increasingly popular in the years to come. Since passwords are everywhere, the potential impact is incredible. It may be a fantastic opportunity for you or your company!
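To make the quoted flow concrete, here is an added Node.js sketch (not from Duo's guide or the WebAuthn spec text) of what the server stores at registration and what it checks at sign-in. It assumes an ES256 (P-256) credential, folds the browser and authenticator into one function, and leaves out the CBOR attestation object and sign-counter check that a real deployment also handles; `example.com` and all function names are illustrative.

```javascript
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: the device keeps the private key; the server record holds
// only the credential ID and the public key.
function register(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const credentialId = crypto.randomBytes(16).toString('base64url');
  return { device: { credentialId, privateKey, rpId }, serverRecord: { credentialId, publicKey } };
}

// Sign-in, client side: the signature covers authenticatorData || SHA-256(clientDataJSON).
function signAssertion(device, challenge, origin) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  // authenticatorData layout: rpIdHash (32 bytes) | flags (0x01 = user present) | signCount (4 bytes)
  const authenticatorData = Buffer.concat([sha256(device.rpId), Buffer.from([0x01]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  const signature = crypto.sign('sha256', signed, device.privateKey);
  return { credentialId: device.credentialId, clientDataJSON, authenticatorData, signature };
}

// Sign-in, server side: check challenge, origin and RP ID before the signature.
function verifyAssertion(record, expected, assertion) {
  const client = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad type';
  if (client.challenge !== expected.challenge) return 'challenge mismatch'; // blocks replay
  if (client.origin !== expected.origin) return 'origin mismatch';          // blocks phishing sites
  if (!assertion.authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rpId mismatch';
  if ((assertion.authenticatorData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([assertion.authenticatorData, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signed, record.publicKey, assertion.signature) ? 'ok' : 'bad signature';
}

// Constructed scenario: a genuine sign-in, a replayed assertion, and a look-alike origin.
function demo() {
  const { device, serverRecord } = register('example.com');
  const challenge = crypto.randomBytes(32).toString('base64url');
  const expected = { challenge, origin: 'https://example.com', rpId: 'example.com' };
  const good = signAssertion(device, challenge, 'https://example.com');
  const phished = signAssertion(device, challenge, 'https://examp1e.com');
  return [
    verifyAssertion(serverRecord, expected, good),
    verifyAssertion(serverRecord, { ...expected, challenge: 'fresh-challenge' }, good),
    verifyAssertion(serverRecord, expected, phished),
  ];
}
console.log(demo());
```

Nothing in `serverRecord` is secret, so a database leak exposes no reusable credential, which is the property the quote contrasts with passwords.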