Ask HN: What percentage of your users are using social login?
In first quarter of 2018, what percentage of you users have been using social login (Facebook/google/etc) for you projects? I've never liked the idea of using social login as a customer, but I don't want to alienate users as a dev.
171 comments
[ 0.15 ms ] story [ 246 ms ] threadThe definition of social networking is debatable, but I don't think one that encompasses every communication medium is useful.
You could probably implement a social network on top of TELEX if your we're feeling ascetic though.
* Biased as I work on the OpenID Connect and OAuth at Okta where we are an Identity Provider and support many of the social login options.
Also, this is more about imposing a qualitative filter on the users who sign up. If the earliest users you have don't like you enough to give you their social login details (assuming, of course, you don't do something silly that poses a security threat) then do they really like you enough?
I like to think of my earliest users as "apostles" (I even call them that. Not to their face, but yeah) and they should have a bit of faith in the service. If they don't, then they are not really apostles after all.
If it's an app that requires ANY sign-up to begin using it, I will uninstall it, unless I feel it offers a tremendous value to me.
Perhaps I’m an anomaly, but if there is no regular email sign-up, I’m not using your product, period.
There’s enough information floating around about me in databases all over the world, I don’t need them to be further connected and linked.
To see the situation with FB/CA and then demand your users use their login is insulting to me.
* There's another aspect where if Google, Facebook, etc, etc shut down or freeze your account, you will lose access to the system.
Does that include you?
You could add the usual email login, or go further and prevent new Facebook logins, or remove it completely.
Eventually I got back into the account after a few months, since then I never rely on a google account for anything.
Similarly, I don't use facebook.
As for my data: 100% email login (I don't allow social logins)
It bothers me (in a philosophical way) that everything is being tied back to the 2 or 3 biggest walled garden providers, further centralizing control.
I wish there was like an open standard that apps could implement, and the users could choose to log in with any provider that implemented the standard (maybe this exists already?). I'd go for that.
Sounds a bit scary is this some kind of cult as a service offering?
It’s well known that a significant percentage of people won’t sign up with a social login. What is it about those lost users that appears to assign them less of a value in your business model?
Quality of customer is definitely a consideration in certain cases, for example some businesses have been more successful after raising prices.
However in this case I don’t see the benefit unless maybe there’s some kind of inherent need to verify identity or something along those lines which doesn’t seem to truly be a significant requirement in that many cases.
Tangentially related, I quite like Medium’s workflow where you don’t need to enter passwords anymore. You just enter your address, they send a login email, you click the link in your email, and it redirects you to Medium, logged in.
Certainly seems like an optimum solution to typing a password on first login though (assuming the email is prompt).
Secondly, particularly on mobile, tapping through to email and hitting a link is probably faster and more convenient for most users than simply entering a password on the keyboard.
It's just a shame it's such a pain to write automated tests that go through the email login procedure compared to username/password ;-)
It's actually one of the safest ways to offer email authentication.
Whenever I see a regular user of any other service have to reset their password to login in anyway, I’m like man this password thing is kind of not that useful
That's absolutely crazy, I've always thought it didn't make any sense.
Browsers have autofill, and even if you don't want to use it it takes a lot less time to type your password than to click on a button, open your email client, wait for the email to arrive, click on a link, be taken back to the browser, yack!
It only make _kind_ of sense on mobile where typing is harder, but then again it's also a pain to switch to email and back.
For the site owner, they can even more easily pick social login.
As for safety, it's just as hard for a hacker to guess my email password then my website password, what is the difference? Not to mention that if my phone is around you might be able to see the URL from the lock screen, and if God forbid my phone (or even laptop, but it never happens) is unlocked my email client is accessible at all times without a password).
It comes down to ultimate safety for users and development time for vendors. I personally feel much safer knowing that some startup is not having to provide security on their own and store and manage my password and control all the things that my email provider does anyway. Because if that startup is hacked, there's much less likelihood of hackers walking away with credentials they can use later to access my account.
Social sign on offers similar reliability and development benefits. The difference is that in my experience a lot of people are quite hesitant to use a social service like facebook to sign onto a site that otherwise contains important personal data. But I do typically work with customers who are older, so they're less likely to understand these kinds of practices. A very common misconception that I've heard many many times is people who think that because you login with a Gmail or a Facebook OAuth, that means you're giving those companies access to your account on our app. Seems silly, but a very common misconception.
57% google
rest facebook/twitter
out of 7291 users, via auth0 (for my project brandmark.io)
Google: 58% Email: 23% Facebook: 19%
Most of our users are around 18yo.
I noticed that Facebook is listed as the first option with a graphic button, whereas e-mail is listed last with a text-only link. Despite this, e-mail has attracted more users than Facebook. It’s broadly a similar story for other posts here with stats listed.
In my view, this mostly negates the claims above that people who prefer to login with e-mail can be reasonably ignored.
The conversion rate of social logins with _your customers_ is the ultimate metric to look at. They are trivial to implement, do some A/B testing with your product and follow the metrics.
A CRM product, for example, might see almost zero social signups compared to email. But an app for photo editing might see 90%. Know and serve your own customers before following others' metrics. And good luck :)
40% email
30% Google
30% Facebook
Google might be a little under represented due to a bug (was fixed within a couple days) that prevented some Android users from using it to create an account.
With password managers being essentially mandatory now, it's not too hard to create a new email/password based account for every new site.
But recently I realized that I don't use my FB for anything. I have zero friends, don't allow friend requests and am unsearchable AFAIK. So now I am going to start using that account for social login, that way I don't have to bother with email/password.
Looking through some of my Facebook apps: Headspace, Stack Exchange, and Netflix only have my email address. Venmo is an example that asks for my friend list because they want to use it for social features.
This is absolutely false. FB delivers a whole profile.
Social login doesn't necessarily give up that much info. Your social network knows who logged in to. The third-party only gets whatever info you accede to which usually is just an email address or name.
The huge bonus to users and site owners is that that site isn't storing a password for you. It's easy to screw up password storage.
Mind you, products would have to adopt it. But from a sec + privacy perspective it makes sense to have a 3rd party whose biz model isn't to harvest your personal details.
God knows we need something. It's not safe "outside."
It's mostly dead now. People wanted the convenience of FB/GOOG/TWIT over the freedom of self-hosting.
This is not exactly worse than web sites that allow you to sign up with an email address and request password resets: if your email address is compromised, then so are all your accounts. Actually, this situation is a bit worse, because there's also the chance that the user will choose the same password as they use with their email address or other accounts, so if the site they're logging into gets compromised, then their other accounts and email may be able to be compromised too.
55% Google
25% Facebook
20% Others
But what that means is that if your upstream login provider is down or having issues, your users can't log into your site, so don't do this unless it really makes sense for you.
https://cdn.discordapp.com/attachments/282271461853626368/42...
OTOH, we don't really have to deal with spam; that part has been nice.
If you don’t use 2FA on your google or Facebook account, how are delighted authentications any better than password reuse? They actually seem worse / less secure.
Edit: I think you were asking about the other direction. It's still not as bad, because if you are sharing passwords and any service was breached, all you services would be exposed. But with delegated authentication, breaching one service doesn't expose your whole account. The one exception is if they breach Google or Facebook.
But if you lost the gmail/Facebook login you also loss all of the sites you used. Classic single sign on issue.
Ps. Good looking demo
I handle password resets by hand when people email my support address. A horrible solution, but it's a great form of rate limiting and prevents abuse, and I only get 1 request/day average.
Understand your audience. If you can just go with something like Google, do it; you'll save a ton of time and can focus on developing features your customers are willing to actually pay money for. Authentication method is not usually a value proposition.
Only implement multi-service auth as a last resort. It's great for mass-market consumer apps, but the development workload is significant and you will end up with a support workload for merging accounts no matter how clever your implementation is.
Not true, these guys invested a lot in making their sdks easy to integrate. You should be able to have fb/twitter/Pinterest/etc login in an afternoon
Its a fine philosophy to apply to an entire project where you may talking tens of thousands of lines vs thousands vs hundreds.
It doesn't apply to a situation like this, where you are talking perhaps a few hundred lines, tops. If you are doing it right, I wouldn't think you are implementing much more than a thin wrapper around an existing login provider. There are so many valid open source implementations of this out there, this should be zero issue from a maintainabilty/testing perspective.
1. Its way easier on me. I don't have to worry about password resets or users hacking an account in the site. OAuth and be done.
2. I don't have to deal with any outgoing or incoming emails and complaints dealing with login.
3. I don't have to worry about scammers, since google/facebook pretty much require phone, a non fake email, 2 Factor auth, etc to sign up. So I can put all that overhead onto google and get the added benefit that most of the users signing up are legit.
4. Legit users. I can't say enough how much having legit users helps the overall quality of almost any platform. Allowing people with a fake-email to sign up and create accounts allows for all kinds of headaches that are largely avoided by using exclusively social sign in.
5. Simplicity. One Click login, where the user immediately sees what information I want to collect and can say yes/no. Login/Sign-Up is done in literally one click.
precisely. In my experience, this small minority can actually be subdivided broadly into two groups: those with very high data privacy concerns and scammers/spammers. It turns out that in my experience, the high level data privacy concern people have been the vastly smaller of the two groups, so at the end of the day you are sacrificing a tiny fraction of a fraction of potential users while simultaneously removing tons of scammers from your platform. Admittedly, the ratios probably vary depending on the particulars of your pricing models and potential scam vectors that can be applied to your software, also other factors such as local attitudes toward data privacy (my experience has been in the EU). You can also increase sign-ups by a large portion of the data privacy people by simply doing a lot of things to make your services legit i.e. have domain names registered to the real business or contact person, force https, have a high level overview of your terms and services that clearly and succinctly states how you use users data, have a verified https certificate, etc. But in general "social login only" has been so much better for me than mixed or only email logins I really would not want to go back to the alternatives.
However, I login with Google all the time.
I have my reasons for these choices and I'm sure many people here share those reasons, and I'm also sure many more don't share those reasons, but the reasons are not important in this discussion.
If you're going to offer social login, then offer at the very least all the major social logins - some really are more acceptable than others, the problem is, everyone's set is different.
Note that ‘major’ can be different for different countries, regions, markets, product types. So be sure to know your target audience.
If I'm VERY interested I'll consider google or github or something, no matter how interested I am I'll never use facebook or twitter etc.
How do you test this? I'm not sure how to test this though as there are flow-on effects on preventing registrations ie less word-of-mouth.
For students google log in is essential. Having to create an account, then click a link in an email, then use a site is too hard. It takes too much time and there are too many points of failure. So 99% of comp sci teachers are choosing sites with social logins. So future programmers are all going to prefer them.
Where the hell do you teach comp-sci?!
What email have they entered? School or personal? Or their apple email?
I can't remember most of my passwords, if I could that would be a serious security issue. Password managers are a must in this day and age.
A password manager is just another point of friction.
What type of background brings you to HN? I’m surprised that you find PW managers friction if you are a HN trader. Can you share what you don’t like about PW managers?
Note getting my boss to use a PW manager is like pulling teeth. But she does not have interest in things like HN and a PW Manager could solve some of her it problems almost every week, saving her (and me) time.
How does a password manager work on a random PC in a random school? It doesn't solve my issue. So I don't use it.
On my personal PC chrome remembers my passwords, or the camera just recognises me. On my phone the thumb pad recognises me. On my tablet I have to remember the passwords.
How can a password manager log me into my phone, my tablet, my SO's laptop, my kids kindles, my bosses PC, a random tablet at school, etc etc
If you move between devices and live in gmail, google classrooms, facebook, messenger, school intranets, SIMs.NET etc etc etc
I concur, that password managers are not that convenient when switching between random computers. In those cases, I use my phone as the manager and set easy to type diceword passwords for accounts which require mobility. Not as easy as a native chrome plug in, but (for me at least) I only use a few accounts when using random computers.
https://leclan.ch/password-managers/
A truly withering indictment on these students. When even the simplest, most straightforward of tasks is "too hard" for students, the future is very bleak.
>So 99% of comp sci teachers are choosing sites with social logins.
An equally withering indictment of Computer Science teachers. I would certainly protest loudly if I was forced hand over my personal information to an intrusive, third-party corporation to participate in a class.
Stuff like logins are so inconsequential compared to the rest of the lesson.
I personally don't care. As I have nothing to hide and I trust most of the businesses providing federated logins.
Also, makes life a lot easier. Not only as a developer, but as a user.
Sorry, but every time someone says the phrase "I have nothing to hide" I have to roll my eyes at them. How is that 'argument' in times of the recent facebook scandal still a thing?
I know that most people live under a rock, because changing habits is damn difficult and its much easier to make up arguments to support one-selves behaviour than to question and change it, but really these people should start waking up soon.
It seems they are led to the corporate social media butchery where their personality and individuality is taken piece by piece and soled to the highest bidder.
How much has to be taken from you before you recognize that you can be remote controlled by the organizations with power and money?
And will you even have still the will to recognize that and try to change it or will you sedate yourself with the argument that you can trust big brother to watch over you, because he knows best and its so convenient not having to make changes or decisions anymore.
The question is, whether you can hide your private conversations from now on and the answer is yes.
On points 3 & 4: I've seen more fake Facebook and LinkedIn accounts than I can count. Some users have dozens. I haven't looked into how they create them so easily, but they do. While it's certainly more hassle to get one than a fake email, there's still a ton of them.
> Verify your phone number
> For your security, Google wants to make sure it’s really you. Google will send a text message with a 6-digit verification code. Standard rates apply