Ask HN: What percentage of your users are using social login?

206 points by honksillet ↗ HN
In first quarter of 2018, what percentage of you users have been using social login (Facebook/google/etc) for you projects? I've never liked the idea of using social login as a customer, but I don't want to alienate users as a dev.

171 comments

[ 0.15 ms ] story [ 246 ms ] thread
My current project doesn’t implement social logins yet. On my previous one, on a B2C niche site, i’d say maybe 30% used social logins. One thing you want to consider is allow users to login in multiple fashions - like if you recognize an email that is already a social login, offer them a way to create a site password too. In my case, maybe 80% of support requests we got were people forgetting they signed up with a social login and then wondering why their passwords weren’t working.
Not a fan so not defending but I wouldn't classify Google as social login.
Email was the original social network (still left).
Nah, the PSTN was the original social network. And they even developed the first cloud app: voicemail.
Email's older than voice mail.
Fair enough, though I wouldn't call it a "cloud" application until webmail became prominent in the late 90s.
Why? You'd log in to servers that were more or less permanently on and connected to public internet in order to access email for the length of it's existence.
Sorry, smoke signals were the first social network. Plus you couldn't even opt out of them.
They weren't even push in a way. You had to manually pull the messages. So I don't think there's a question of opt out. :)
By that definition, the telegraph was the original social network, preceding emails by over a hundred years.

The definition of social networking is debatable, but I don't think one that encompasses every communication medium is useful.

I would say that communications media that addresses based on an individual's identity, and has infrastructure for public and pseudo public group communication counts. Email + listserv counts, IMO, whereas your example of telegraphs would not.

You could probably implement a social network on top of TELEX if your we're feeling ascetic though.

A more proper term might be "delegated authentication" but it's a mouthful so people don't use it unless they mean arbitrary Identity Providers.

* Biased as I work on the OpenID Connect and OAuth at Okta where we are an Identity Provider and support many of the social login options.

This will probably depend on what market the project is in. Tesults does not have a social login option but it is a business/dev app and not consumer so it would be strange to allow a social login, you’re supposed to add your colleagues/team from work using your work emails.
It's still useful in a B2B context - the 'google' login button also works for G Suite (google apps) accounts.
I'm currently working on a project which has only social login (but allows you to choose between facebook and google) and this was a very deliberate move. For any given person on this planet, there is a higher chance that they use facebook or gmail over any other "service", so no need to offer support for 10 different social logins.

Also, this is more about imposing a qualitative filter on the users who sign up. If the earliest users you have don't like you enough to give you their social login details (assuming, of course, you don't do something silly that poses a security threat) then do they really like you enough?

I like to think of my earliest users as "apostles" (I even call them that. Not to their face, but yeah) and they should have a bit of faith in the service. If they don't, then they are not really apostles after all.

I will never use your product or service, if it only allows "social login."

If it's an app that requires ANY sign-up to begin using it, I will uninstall it, unless I feel it offers a tremendous value to me.

Same. And I hold grudges. Lyft and Spotify used to require Facebook logins, and even though they have since removed the requirement, I still feel negatively towards them for it and don’t use them to this day.
That's it exactly, he only wants people that finds his service of tremendous value. I think it makes sense as a way to deter casual sign ups.
“If the earliest users you have don't like you enough to give you their social login details ”

Perhaps I’m an anomaly, but if there is no regular email sign-up, I’m not using your product, period.

There’s enough information floating around about me in databases all over the world, I don’t need them to be further connected and linked.

To see the situation with FB/CA and then demand your users use their login is insulting to me.

I agree with this because the scopes that the various apps "require" are usually way beyond what is actually necessary. At best, it's ugly information leakage. At worst, you spam my friends & colleagues to visit my farm.

* There's another aspect where if Google, Facebook, etc, etc shut down or freeze your account, you will lose access to the system.

Same here. The recent examples of people finding it difficult to delete Facebook because of social logins to accounts on other sites reinforces how social logins lock you into a service.
I built the log-in before the FB/CA situation and am yet to understand how it may change things. However, I personally think people will move on from this like nothing ever happened (which is sad)
> I personally think people will move on from this like nothing ever happened (which is sad)

Does that include you?

You could add the usual email login, or go further and prevent new Facebook logins, or remove it completely.

If you think it's sad, wouldn't you better off trying to change things? It's becomes more tempting to just move on if you have more services reliant on/tied to those accounts.
same. I lost my gmail account due to travelling around and my security question was nonsense with a nonsense answer as I knew I would never forget my password.

Eventually I got back into the account after a few months, since then I never rely on a google account for anything.

Similarly, I don't use facebook.

As for my data: 100% email login (I don't allow social logins)

Same here. If Google or FB are the only ways to sign up I'll pass.

It bothers me (in a philosophical way) that everything is being tied back to the 2 or 3 biggest walled garden providers, further centralizing control.

I wish there was like an open standard that apps could implement, and the users could choose to log in with any provider that implemented the standard (maybe this exists already?). I'd go for that.

If anything an Email/Password is more of a hassle and a better filter for "apostles" than one-click facebook/google.
>>[if they won’t use social login do they really like you enough? I like to think of my users as apostles]

Sounds a bit scary is this some kind of cult as a service offering?

It’s well known that a significant percentage of people won’t sign up with a social login. What is it about those lost users that appears to assign them less of a value in your business model?

Quality of customer is definitely a consideration in certain cases, for example some businesses have been more successful after raising prices.

However in this case I don’t see the benefit unless maybe there’s some kind of inherent need to verify identity or something along those lines which doesn’t seem to truly be a significant requirement in that many cases.

How is it "well known that a significant percentage of people won't sign up with a social login" ?
It's hard to prove that something is 'well-known' but I thought it too, and the reported stats in this post seem to confirm it.
For my little side project I’m using email only.

Tangentially related, I quite like Medium’s workflow where you don’t need to enter passwords anymore. You just enter your address, they send a login email, you click the link in your email, and it redirects you to Medium, logged in.

Interesting, I always assumed this would be too much hassle for users since after the first login, the browser (mobile or desktop) would remember the password.

Certainly seems like an optimum solution to typing a password on first login though (assuming the email is prompt).

Couple of points, first of all the thing the browser can still remember is the auth token in a non-expiring cookie. As the majority of users will rarely if ever clear cookies or change browsers, this nullifies the password remembering feature.

Secondly, particularly on mobile, tapping through to email and hitting a link is probably faster and more convenient for most users than simply entering a password on the keyboard.

It's just a shame it's such a pain to write automated tests that go through the email login procedure compared to username/password ;-)

I used a fundraising tool recently with this kind of passwordless workflow. It's a tool that you only use once a year for about 30 days, and your authenticated session can last about that long. Which means you do the process once on each computer you use, and then you never have to remember the password the next year. It's great.
(comment deleted)
I like it too. No need for confirmation as you’re already accessing your email to login. It’s far more secure as the average user will most likely use the same password as the email to sign up with.
For real critical cases, I think a major issue might be plaintext SMTP.
I don't know percentages, but it does seem like most major SMTP servers support opportunistic TLS, so your messages are at least encrypted over the wire.
You don't need to enter passwords because you are stuck in a password reset groundhog day scenario. You want to login to Medium yet you need to access your emails first, it makes very little sense actually.
> it makes very little sense actually

It's actually one of the safest ways to offer email authentication.

Recall that the email requires some way to login, which is probably a password anyway. What do you gain in terms of security (rather than simplicity) by shifting responsibility onto the email provider?
Most email providers already implement (and with very large user bases which provide testing) all the features you'd have to implement yourself for proper security, like 2fa, password encryption, password reset workflows. To implement all that yourself, highly likely you will not do it as robustly as another provider. Also very costly in time.
I’m working on a side project that does this too, thought I was the only one.

Whenever I see a regular user of any other service have to reset their password to login in anyway, I’m like man this password thing is kind of not that useful

(comment deleted)
> Tangentially related, I quite like Medium’s workflow where you don’t need to enter passwords anymore. You just enter your address, they send a login email, you click the link in your email, and it redirects you to Medium, logged in.

That's absolutely crazy, I've always thought it didn't make any sense.

Browsers have autofill, and even if you don't want to use it it takes a lot less time to type your password than to click on a button, open your email client, wait for the email to arrive, click on a link, be taken back to the browser, yack!

It only make _kind_ of sense on mobile where typing is harder, but then again it's also a pain to switch to email and back.

Think about it from the perspective of the site owner. Much safer to offer access this way, and easier, than having to manage and store and secure passwords. Much safer for users.
I'm not convinced.

For the site owner, they can even more easily pick social login.

As for safety, it's just as hard for a hacker to guess my email password then my website password, what is the difference? Not to mention that if my phone is around you might be able to see the URL from the lock screen, and if God forbid my phone (or even laptop, but it never happens) is unlocked my email client is accessible at all times without a password).

But if someone can access your email, they can already reset your password anyway. So email is the Golden Gate to your services in general, regardless of whether you use this approach. And the URLs that are sent out would not just be simple things that you could look at and remember and then go type them into some other computer.

It comes down to ultimate safety for users and development time for vendors. I personally feel much safer knowing that some startup is not having to provide security on their own and store and manage my password and control all the things that my email provider does anyway. Because if that startup is hacked, there's much less likelihood of hackers walking away with credentials they can use later to access my account.

Social sign on offers similar reliability and development benefits. The difference is that in my experience a lot of people are quite hesitant to use a social service like facebook to sign onto a site that otherwise contains important personal data. But I do typically work with customers who are older, so they're less likely to understand these kinds of practices. A very common misconception that I've heard many many times is people who think that because you login with a Gmail or a Facebook OAuth, that means you're giving those companies access to your account on our app. Seems silly, but a very common misconception.

32% username password

57% google

rest facebook/twitter

out of 7291 users, via auth0 (for my project brandmark.io)

Just found out about your site. It's great! Will be using it for my next projects for sure.
Your project's awesome! Definite step up from a couple other tools that attempt to do the same thing. Came up with a couple good concepts for an idea I've been tooling around with for a while!
I'm a cofounder at CollegeAI.com. Our users can sign up via Facebook, Google or Email. Here are our stats:

Google: 58% Email: 23% Facebook: 19%

Most of our users are around 18yo.

Do you have stats on how many sign up with Gmail (or Google mail account) - but as "email"?
59% use a gmail when they sign up with email. Many of the users on our platform will use their school emails, so this might not be representative of another sites.
Google is preferred because the one thing you know for sure is that nobody uses google+ so there’s no risk of unintended social leakage (have done surveys)
I was curious and visited your site, thanks :)

I noticed that Facebook is listed as the first option with a graphic button, whereas e-mail is listed last with a text-only link. Despite this, e-mail has attracted more users than Facebook. It’s broadly a similar story for other posts here with stats listed.

In my view, this mostly negates the claims above that people who prefer to login with e-mail can be reasonably ignored.

An interesting question but I caution you not to follow blindly in the path of what has worked for other products.

The conversion rate of social logins with _your customers_ is the ultimate metric to look at. They are trivial to implement, do some A/B testing with your product and follow the metrics.

A CRM product, for example, might see almost zero social signups compared to email. But an app for photo editing might see 90%. Know and serve your own customers before following others' metrics. And good luck :)

I'm the creator of Langliter, which launched a little over a month ago.

40% email

30% Google

30% Facebook

Google might be a little under represented due to a bug (was fixed within a couple days) that prevented some Android users from using it to create an account.

When you say email, you mean email as username plus a password? Or you mean like TOTP via email?
Good point, I mean user name and password, with an initial verification email. If you use the email option, you can't get into the app without first clicking a verification link in an email. That caused a few headaches after launch when my transactional mail service didn't have a great delivery rate. Still the right thing to do from a security perspective. I do have a big "preview" option on the login page for anyone looking to kick the tires before committing to creating an account, which hopefully compensates for some of the added friction in the verification process.
What are you using to get a good delivery on transactional main?
Nothing high tech. Started out monitoring failed deliveries and sent out verification requests manually to get over the first week or two. I noticed it was failing consistently on Microsoft domains, so contacted the provider and they reassigned an IP which improved things. Other than that, I have a really high open rate, but I'm not going to pretend I know much about the intricacies of building a domain's reputation. I'm using Mailgun btw. Can't really compare it to other services personally, but their support has been great especially given that my service isn't large enough yet to need more than the free tier.
There's an evil with social login in that you give up the knowledge of your social (presumably personal) network to random 3rd parties. That's even worse than email address.

With password managers being essentially mandatory now, it's not too hard to create a new email/password based account for every new site.

But recently I realized that I don't use my FB for anything. I have zero friends, don't allow friend requests and am unsearchable AFAIK. So now I am going to start using that account for social login, that way I don't have to bother with email/password.

3rd party knowing about your social network is one thing; do you not also worry about Facebook knowing about all these 3rd party things too?
Or even worse, anything that might create a bridge between the two, so that the different third-party sites are aware that you are on each-other.
Websites using Facebook login usually don't ask for any of your Facebook information, just your email address. They also implicitly have the public information on your profile since they have your Facebook ID, and I suppose it does reveal information to say that this user and email address is associated with this public Facebook profile. But they definitely don't get anything close to the read permissions you have on Facebook.

Looking through some of my Facebook apps: Headspace, Stack Exchange, and Netflix only have my email address. Venmo is an example that asks for my friend list because they want to use it for social features.

>Websites using Facebook login usually don't ask for any of your Facebook information, just your email address.

This is absolutely false. FB delivers a whole profile.

Presumably you're just referring to the public profile? Public profiles can already be accessed for any user without their agreement (at least manually), so it's not extra information provided through FB login. See my second sentence for that caveat.
I don't think password managers have as much penetration as you think and they only work on devices you own.

Social login doesn't necessarily give up that much info. Your social network knows who logged in to. The third-party only gets whatever info you accede to which usually is just an email address or name.

The huge bonus to users and site owners is that that site isn't storing a password for you. It's easy to screw up password storage.

I think you just made a case for DuckDuckGo or (e.g.) LastPass to provided an authentication servive.

Mind you, products would have to adopt it. But from a sec + privacy perspective it makes sense to have a 3rd party whose biz model isn't to harvest your personal details.

Mozilla Persona tried this. It was a good user experience, but it never gained enough traction and eventually they shut it down.
Maybe it could be different now? Or maybe it's not a solo effort? If multiple companies leveraged their traction (read: user base) maybe it could work.

God knows we need something. It's not safe "outside."

This was OpenID, which lets you choose your third-party provider at will, or even self-host.

It's mostly dead now. People wanted the convenience of FB/GOOG/TWIT over the freedom of self-hosting.

But everybody just uses some library for that stuff, I wonder why there aren't visible "Log In with [list of 80 OpenAuth providers]" sites or services.
The issue is UX: I’d much prefer a widget that had three or four common providers and then an advanced mode that lets me pick an alternative
Hey, that’s a really bad idea, jiveturkey. Facebook flags and disables accounts with zero friends and zero activity outside of apps. Sometimes they allow you to restore the account by uploading a picture of yourself and waiting for verification. I don’t know how often they do this vs. not, but remind yourself that they could do it to you at any point.
Wouldn't that be just as bad as using one password for every site? One account gets compromised they all get compromised.
Only if the facebook account gets compromised. If some random site you use facebook to log into gets compromised, your facebook account and every other site you log into with it is still safe.

This is not exactly worse than web sites that allow you to sign up with an email address and request password resets: if your email address is compromised, then so are all your accounts. Actually, this situation is a bit worse, because there's also the chance that the user will choose the same password as they use with their email address or other accounts, so if the site they're logging into gets compromised, then their other accounts and email may be able to be compromised too.

You must be fun at parties.
I downvoted this comment because it was ad hominem and did not add to the conversation.
I'm a media researcher with a PhD. Here my stats:

55% Google

25% Facebook

20% Others

100% (Blizzard login). My site is based on a Blizzard game, so it doesn't really make sense to have an account unless it's linked to a blizzard account.

But what that means is that if your upstream login provider is down or having issues, your users can't log into your site, so don't do this unless it really makes sense for you.

https://cdn.discordapp.com/attachments/282271461853626368/42...

OTOH, we don't really have to deal with spam; that part has been nice.

Have you written much about your site/service elsewhere?
Not terribly much. Feel free to ask if you wish to know anything.
Side topic I hadn’t considered...

If you don’t use 2FA on your google or Facebook account, how are delighted authentications any better than password reuse? They actually seem worse / less secure.

You get to set permissions on a per-app basis, so that's a lot less access than going them your password. And if they abuse the access you give them, you can deauth just that app instead of changing the password and breaking all the apps.

Edit: I think you were asking about the other direction. It's still not as bad, because if you are sharing passwords and any service was breached, all you services would be exposed. But with delegated authentication, breaching one service doesn't expose your whole account. The one exception is if they breach Google or Facebook.

Gotcha on the edit, and yea that was the direction.

But if you lost the gmail/Facebook login you also loss all of the sites you used. Classic single sign on issue.

We offer Google login on https://usebx.com/app . Usually 50% of users make use of it. Some will just try it out with the Google login and then sign up with their company email address.
Hey! Just a suggestion: Try to make the google sign in stand out a bit more, for it to be easier to spot. Maybe the 'G' logo or something

Ps. Good looking demo

Thanks for the feedback - totally agree with you! We will incorporate the change into our next release in a couple of weeks :)
Curious: has anyone integrated Github login? What percentage of your users use Github?
I'm also curious about it. I think it makes great sense for services that target developers as their main audience, but I don't see it used a lot in the wild.
example: codewars.com has a prominent "GitHub Login" button that precedes email login
We solely use GitHub logins on http://rubyflow.com but it's very much developer focused. This doesn't stop the spammers, however, who now all seem to have GitHub accounts too :-)
As a user I detest social logins, and would prefer an account at the website to hci I want access. It is a privacy thing.
Tens of thousands, email + password only. Not one person has complained.
What's the product?
https://vcvrack.com/

I handle password resets by hand when people email my support address. A horrible solution, but it's a great form of rate limiting and prevents abuse, and I only get 1 request/day average.

Does here anybody knows about who is using login with amazon ? I just looked up - login with amazon is possible.
I have a B2B app. It allows Google Sign-In only. My last B2B app was the same. Nobody complained.

Understand your audience. If you can just go with something like Google, do it; you'll save a ton of time and can focus on developing features your customers are willing to actually pay money for. Authentication method is not usually a value proposition.

Only implement multi-service auth as a last resort. It's great for mass-market consumer apps, but the development workload is significant and you will end up with a support workload for merging accounts no matter how clever your implementation is.

> development work is significant

Not true, these guys invested a lot in making their sdks easy to integrate. You should be able to have fb/twitter/Pinterest/etc login in an afternoon

Parent is talking about the time it takes to integrate multiple ways to login, and I agree with him. When you implement only one way (be it social login with Google/Facebook/etc or an email/password combination depending on your target audience) it's usually easy. When you have multiples ways to login, you end up having to (1) maintain more code, but also (2) need a way to reconcile users who end up signing in with multiple methods.
'Maintaining more code' is code for 'I can't write code/I am drowning in unrelated problems/I am just plain lazy'

Its a fine philosophy to apply to an entire project where you may talking tens of thousands of lines vs thousands vs hundreds.

It doesn't apply to a situation like this, where you are talking perhaps a few hundred lines, tops. If you are doing it right, I wouldn't think you are implementing much more than a thin wrapper around an existing login provider. There are so many valid open source implementations of this out there, this should be zero issue from a maintainabilty/testing perspective.

In a previous job I had, I was responsible for the authentication service of the organization (big B2C company). Even if it wasn't available from the get go, over time about half of the logins were done with social media, Facebook and Google in our case.
All my side projects and any projects I control use exclusively social login. Here's why.

1. Its way easier on me. I don't have to worry about password resets or users hacking an account in the site. OAuth and be done.

2. I don't have to deal with any outgoing or incoming emails and complaints dealing with login.

3. I don't have to worry about scammers, since google/facebook pretty much require phone, a non fake email, 2 Factor auth, etc to sign up. So I can put all that overhead onto google and get the added benefit that most of the users signing up are legit.

4. Legit users. I can't say enough how much having legit users helps the overall quality of almost any platform. Allowing people with a fake-email to sign up and create accounts allows for all kinds of headaches that are largely avoided by using exclusively social sign in.

5. Simplicity. One Click login, where the user immediately sees what information I want to collect and can say yes/no. Login/Sign-Up is done in literally one click.

Then I would never sign up to any of these sites. While I’ve been an edge case for a few years, I suspect it will be increasingly normal - especially for customers who are willing to pay.
I am unlikely to use your site if it requires me to use a Google or Facebook login. Those companies already have too much power to fuck my life up, I have no interest in giving them any more.
Would a different social login provider be more acceptable? Github for instance? Something or someone that isn't as interested in using your data
Github maybe... I've been more hesitant to use them, as they control a significant portion of open source project's infrastructure, and could generally make a lot of headaches for me. If you don't have a simple email-based signup I'm going to be hesitant to use your site.
What do you imagine GitHub..... doing?
While I'm sympathetic to your viewpoint and to a large degree share it, you are among a vanishingly small minority to not use a site or service just because of social login. 'jfaucett probably is fine sacrificing losing this small minority.
> 'jfaucett probably is fine sacrificing losing this small minority.

precisely. In my experience, this small minority can actually be subdivided broadly into two groups: those with very high data privacy concerns and scammers/spammers. It turns out that in my experience, the high level data privacy concern people have been the vastly smaller of the two groups, so at the end of the day you are sacrificing a tiny fraction of a fraction of potential users while simultaneously removing tons of scammers from your platform. Admittedly, the ratios probably vary depending on the particulars of your pricing models and potential scam vectors that can be applied to your software, also other factors such as local attitudes toward data privacy (my experience has been in the EU). You can also increase sign-ups by a large portion of the data privacy people by simply doing a lot of things to make your services legit i.e. have domain names registered to the real business or contact person, force https, have a high level overview of your terms and services that clearly and succinctly states how you use users data, have a verified https certificate, etc. But in general "social login only" has been so much better for me than mixed or only email logins I really would not want to go back to the alternatives.

Although I don't disagree, I suspect you are driving away a very interesting group of technically literate, even being small.
I can guarantee you no VC or CEO cares about that in 99.99% of cases.
This could easily be seen as a feature and not a bug.
One nuance is whether you offer one or multiple channels. I prefer email registration, but will consider Google or Microsoft logins. I will not under any circumstances use Facebook or Twitter login.
I find myself doing the same thing. There is absolutely zero hope of me clicking "login with Facebook", and between my low likelihood of clicking, and the low likelihood of actually seeing "login with Twitter" - that also never happens.

However, I login with Google all the time.

I have my reasons for these choices and I'm sure many people here share those reasons, and I'm also sure many more don't share those reasons, but the reasons are not important in this discussion.

If you're going to offer social login, then offer at the very least all the major social logins - some really are more acceptable than others, the problem is, everyone's set is different.

> If you're going to offer social login, then offer at the very least all the major social logins

Note that ‘major’ can be different for different countries, regions, markets, product types. So be sure to know your target audience.

I'm the same, if email registration isn't available I'll first greatly reconsider how much I'm interested in what you're offering.

If I'm VERY interested I'll consider google or github or something, no matter how interested I am I'll never use facebook or twitter etc.

I can understand being against Facebook login but why not Twitter? Don't think it's a particularly shady company as far as I'm aware, and you don't have to give the app access to tweet on your behalf.
I'm in this minority as well. I don't want Google, Facebook or Twitter to control my identity on other sites and won't use social login unless something is very tightly tied to a given social platform.
Is it actually a small minority?

How do you test this? I'm not sure how to test this though as there are flow-on effects on preventing registrations ie less word-of-mouth.

I was like you, until I looked at my unique login/pwd combinations.... there were so so many. I can't remember them all, i switch computers (I'm a teacher) a lot. Logins are so stupid, I've been able to look at my laptop to unlock it for years, touch my phone to unlock it.... login and passwords are going so i don't mind using google to log in for a few years while the rest of the world catches up.

For students google log in is essential. Having to create an account, then click a link in an email, then use a site is too hard. It takes too much time and there are too many points of failure. So 99% of comp sci teachers are choosing sites with social logins. So future programmers are all going to prefer them.

> For students google log in is essential. Having to create an account, then click a link in an email, then use a site is too hard.

Where the hell do you teach comp-sci?!

Have you ever taught a class of 35? About 5 of them can't even log into a computer - forgotten passwords, broken mouse, a locked computer that needs a reboot.

What email have they entered? School or personal? Or their apple email?

>I can't remember them all

I can't remember most of my passwords, if I could that would be a serious security issue. Password managers are a must in this day and age.

So you turn up at a new school, they give you a temporary user name, password. You use this to get into the PC, then you use another teachers password to get into google classroom to read the lesson plan. Then I use my own to get into my work email, then my personal one to get into messenger to talk to my child care dude.

A password manager is just another point of friction.

Please do not take this as a critique, just curiosity:

What type of background brings you to HN? I’m surprised that you find PW managers friction if you are a HN trader. Can you share what you don’t like about PW managers?

Note getting my boss to use a PW manager is like pulling teeth. But she does not have interest in things like HN and a PW Manager could solve some of her it problems almost every week, saving her (and me) time.

I'm a coder, coded for 25 years. Switched to teaching. Password managers are a hack while we wait for passwords to go. Every year I think that this is the last year I'll need passwords, there will be a gadget or something that solves this issue. Never happens.

How does a password manager work on a random PC in a random school? It doesn't solve my issue. So I don't use it.

On my personal PC chrome remembers my passwords, or the camera just recognises me. On my phone the thumb pad recognises me. On my tablet I have to remember the passwords.

How can a password manager log me into my phone, my tablet, my SO's laptop, my kids kindles, my bosses PC, a random tablet at school, etc etc

If you move between devices and live in gmail, google classrooms, facebook, messenger, school intranets, SIMs.NET etc etc etc

Thank you for the detailed explaination. This makes your previous comment much more understandable.

I concur, that password managers are not that convenient when switching between random computers. In those cases, I use my phone as the manager and set easy to type diceword passwords for accounts which require mobility. Not as easy as a native chrome plug in, but (for me at least) I only use a few accounts when using random computers.

>For students google log in is essential. Having to create an account, then click a link in an email, then use a site is too hard.

A truly withering indictment on these students. When even the simplest, most straightforward of tasks is "too hard" for students, the future is very bleak.

>So 99% of comp sci teachers are choosing sites with social logins.

An equally withering indictment of Computer Science teachers. I would certainly protest loudly if I was forced hand over my personal information to an intrusive, third-party corporation to participate in a class.

ha! I thought like you, then I became a teacher.

Stuff like logins are so inconsequential compared to the rest of the lesson.

On the contrary, I'd argue that the ability to perform simple tasks is a prerequisite to proper education. We are raising a generation of children unable to perform basic tasks.
haha, my students are pretty smart. You have to remember that what we think as cutting edge is still hard work for a kid who's never seen a PC before.
Why not create a Facebook or Google account just for these websites? Or is it the cross domain tracking that is worrying since everyone's sites are tagged?
It becomes a mess to track where you are logged into what. And cross domain tracking.
2 accounts can take care of this. You can have one account for life related things and another one specific for Logins.

I personally don't care. As I have nothing to hide and I trust most of the businesses providing federated logins.

Also, makes life a lot easier. Not only as a developer, but as a user.

> I personally don't care. As I have nothing to hide and I trust most of the businesses providing federated logins.

Sorry, but every time someone says the phrase "I have nothing to hide" I have to roll my eyes at them. How is that 'argument' in times of the recent facebook scandal still a thing?

I know that most people live under a rock, because changing habits is damn difficult and its much easier to make up arguments to support one-selves behaviour than to question and change it, but really these people should start waking up soon.

It seems they are led to the corporate social media butchery where their personality and individuality is taken piece by piece and soled to the highest bidder.

How much has to be taken from you before you recognize that you can be remote controlled by the organizations with power and money?

And will you even have still the will to recognize that and try to change it or will you sedate yourself with the argument that you can trust big brother to watch over you, because he knows best and its so convenient not having to make changes or decisions anymore.

It's too late. If they wanted to, they could know tons of stuff about your life. Nothing you can do about it now. That is also why your answers to "security questions" should not be the real ones.

The question is, whether you can hide your private conversations from now on and the answer is yes.

should be able to use any oauth provider, including github (as long as the service hasnt locked it to just g and facebook. i _do_ hate it hen fcebook login is the only option.
lol because logging into a website with google or facebook really does something valuable for them...
On point 2: people forget which service they signed in with, accidentally make multiple accounts and think their data is gone, and sometimes APIs are down (mostly LinkedIn) or throw errors, all of which lead to customer service headaches without an email/password reset backup.

On points 3 & 4: I've seen more fake Facebook and LinkedIn accounts than I can count. Some users have dozens. I haven't looked into how they create them so easily, but they do. While it's certainly more hassle to get one than a fake email, there's still a ton of them.

Is it really so hard for scammers / spammers to create fake Google / Facebook accounts? What is so hard about creating any number of "non fake emails"? I assume a non-fake email (address) is just one that can accept incoming messages.
Google requires a phone number nowadays. And you can't use the same phonenumber more than X times. (Not sure what X is but I hit it last week so had to go on the second phone)
I didn't know that. But if Facebook still allows sign-ups with an email address only, it gives a way in.
No it doesn't (at least on the desktop version of the site). You can leave the phone number field blank on the 'Create your Google Account' form. For 2 factor authentication you do need it.
Yes it does, you can't get past the second stage. "Please enter a phone number". I'm sure this is different on some things, mabe number of emails created per IP or what country you live in. Google is a big entity, they can afford to treat some areas differently.

> Verify your phone number

> For your security, Google wants to make sure it’s really you. Google will send a text message with a 6-digit verification code. Standard rates apply

I have an empty Facebook account with a pseudonym--the name of a fictional character, so it's actually obvious--and gmail address I don't use for anything. I set this up specifically to use with sites that use 'social' login. I've had it for a few years now, and as far as I can tell FB does not care.
I avoid Google, Facebook and all other "social media" like the plague due to privacy issues. I don't have any social media accounts and therefore wouldn't be able to log into any of your projects.
I used to think social login were a must. But email login still seems to be very popular. Many users told me they wouldnt sign up unless there was an email option
One of the side projects I currently manage has a social login implementation and ~40% of the users use it, the remaining use the standard email flow.
0% of my over 10k users use social login. I do not allow social login because of privacy concerns.