Start ups, please don't force me to log in with Facebook

508 points by eof ↗ HN
I have been to a number of sites that I want to try out but give up when they force me to log in with 'connect with ' facebook. I know most people have it, but some don't. I don't.

You should really have your own authentication in my opinion, but if you insist on not, at least give me a few options.

278 comments

[ 3.5 ms ] story [ 254 ms ] thread
What would you think of a site that lets you use Facebook to login, or charges a Metafilter-like token $5 fee?
Is the purpose of the fee to filter out spammers and trolls in the same way that attaching your Facebook credentials creates some amount of social accountability for your actions in the service?
Yes -- a speedbump/proof-of-commitment.
(comment deleted)
Is charging for a token seriously a comparative option? C'mon, when did authentication become so difficult?
I think he meant "token" as in "trivial", not as in an OAuth authentication token.
I totally agree with this. I've seen a few things lately that wanted my Facebook login and I just went away instead.

OpenAuth (via Google or plain) or private authentication would have been fine, but those weren't options.

The main method of Facebook authentication these days is OAuth (which I assume is what you mean by OpenAuth.)
Actually, I meant OpenID. My mistake. ;) I've had both of them on my mind lately.
What about Twitter?
Just as bad, in my mind. But I could be alone on that.
I disagree. All your Twitter data is public* anyway, so it shouldn't be a problem. And twitter makes it so much easier than Facebook to disable/disconnect an app from your account.

*Unless you make tweets private. But even then, your followers and followees are still public.

It's not the Twitter data I care about, or what happens to the Twitter data. It's not even the difficulty of creating a throwaway Twitter account. I just personally prefer to keep all of my accounts segregated from each other, each for their own assigned purpose, is all.
Much easier to have a throw-away Twitter account than FB.
It always scares me when I go to 'log in with twitter' and it tells me "$APP wants permission to ... update your feed." I always hit DENY and forget the service if that happens.

Maybe I'm being harsh, and the app doesn't actually want to tweet in my name, but twitter doesn't allow it to request read-only access. Still, the permissions as displayed are clearly not what I want to grant, and I don't get to veto only the update ability.

I would rather not use a service than offer it the possibility of spamming in my name, and I have made that choice a few times now.

I would prefer a twitter authentication.
Is the perception that we will be nefariously ingesting your private data? Or that FB auth is just a trend? Or just a mistaken assumption that all users actually have a Facebook account?
Personally for me as a user it's because I don't trust Facebook.

I also think it is a bad idea to outsource your authentication mechanism to a single private entity. What happens if your user deletes their account? What if Facebook thinks your site exhibits suspicious behavior and decides to not send along its users' authentication? Probably won't happen but if it does it could be a world of hurt, much like PayPal.

For the record, normal users /do/ delete their accounts. Users also often have unpredictable priorities, as they are complex people in their own right ;P. Example: they may use transient e-mail addresses (assigned to them by their ISP/school/work) and then get "locked out" of their Facebook account because they forgot their password and can't fix it due to a new e-mail address. Rather than going to the trouble to fix the situation, they may instead simply create a new account, and take this as an opportunity to have a "clean slate". Meanwhile, they may consider your website, which they might even be paying for, to be critical to their lives, and now they can't log in anymore.
All of the above. And also because, I just don't want to have to use FB to login to a totally unrelated site.

The use case is, I use FB sparingly because I don't have time to get sucked into that pit. I friend people I meet irl, and 'Like' sites that are relevant to my profession (personal branding & networking).

But I don't use it for any other purpose. So if your site isn't relevant to my profession, I don't want to connect via Facebook, and if that's the only login option, you've just lost me.

Every site should have OpenID and/or its own user accounts, so as not to lose users who for one reason or another don't want ot use FB.

Seconded. I don't understand OpenID, but it works, and it's not tied to a single (ominous) company.
The problem with OpenID is that takeup is orders of magnitude lower than Facebook. That hasn't changed for years, and I don't think anyone really expects it to. Users can't use it as a direct facing log-in because users don't tie themselves to URLs, they tie themselves to email addresses. OpenID eventually asks you to trust someone to hold your sign-on details, it may as well be a company most users already do.

I somewhat favor the StackOverflow approach, which is "we won't authenticate you, but here's a bunch of services that do", but inevitably I forget which service is actually tied to my account. This is how it's been with my HN account for a while, I loathe deleting the cookie, as I spent 10 minutes figuring out what ClickPass wants.

TripIt has both Facebook and Google Accounts. I'd probably expand to Yahoo! and Live Mail (if MS has anything for that) and leave it there.

To me it just seems retarded to assume that everybody have a facebook account - especially when OpenId was invented to solve this exact problem.

And guess what, a facebook account is also an open id.

Facebook uses openid to eg, allow users to sign in with a google openid when signing up for facebook. But as far as I know, Facebook is not an openid endpoint, you can't auth against a facebook account using openid.

Happily, google is an openid endpoint, and basically everyone has a google account for gmail or something.

This is by far my largest complaint with Quora.
Agreed. I've lost track of how many times I've gone to a Quora answer, thought 'I must take a closer look at Quora', gone to the root domain, realised you need a Facebook login, then just navigated away.

I even have a Facebook account somewhere - just don't like logging into another site like this for some reason.

The inconvenience of finding/creating a Facebook account to use in joining Quora is, imo, completely worth the value offered by Quora. You have to choose your battles. At a certain point I would rather have access than have my way.
The problem is, in order to know that Quora is good enough to force you to use FB Connect even though you don't want to, you have to use FB Connect... I'm certain this slows their growth.
Or maybe it makes sure that the only people who go the length to sign up are aware of the benefit of Quora, and therefore likely to be quality users contributing the the quality of Quora. In a sense, Quora uses Facebook as a filter to get great users.
Yea, because Facebook is the test if someone is a great user or not.
I never bothered to sign up at stackoverflow because of OpenID. Not necessarily because I have some philosophical issue with it, but because I already have a system to maintain this stuff and OpenID is just another hoop to jump through. Adding an optional user/password signup is hardly difficult.
Honestly, I'd rather not give Jeff my password. So +1 on OpenID.
What's stopping you from setting your password to jeff_sucks? It's pretty memorable too.
Nothing is stopping me from setting my password to something different for every site I don't want to set a good password for, I'd just very very much rather just enter a URL and have everything work. OpenID is the most useful thing online in ages.
The difference with Stack Overflow is that you can, and may people do, use it without an OpenID. Just go ahead and post a question or answer, and you'll be assigned a cookie-based account. And if you put in an email address, you can download a new cookie for that account at any time.
You can't vote without a login.
This ie exactly what I do each time... look at a question then think, hmm I wonder whats popular on Quora right night but the homepage is totally locked down...
I sucked it up and registered anyway, but I still hate it and it makes me loathe to use the site.
I signed up using twitter oauth recently. This may be new since you looked at Quora.
I registered as well and fired of an email to their feedback contact. The Twitter OAuth process is especially painful on an iPhone. You have to log in to Twitter and approve, then come back to Quora to enter username, password, and email.
And perhaps the main reason why they are so successful.

People post with their real names instead of arcane nicknames from the 90ies.

With all the psychological and social results that follow.

Great point. I hope there's another way of getting rid of anonymity than having us all have Facebook accounts, because that is a great value. Having your real name and ties which connect back to your social life can hopefully be achieved somehow else... albeit probably through other sorts of centralized profile stores which might have the same stigmas as Facebook with some people. I think the key is in having many options for where you can have your profile kept and what level of data is there. As long as a profile provider's minimum level of profile data is sufficient to do away with the amount of anonymity that is necessary for a service (say Quora), it becomes a matter of how accurate the profile data is, i.e., how easy is it to create a fake account on the profile service?
It's interesting, I registered Quora last week and it was optional to use your Facebook or Twitter account to register. It was a bit tricky because it looked like you need it, but you could make progress without it.

But I rechecked a minute ago, and it really required it. It seems that they changed the policy this week.

Does Quora not provide a "Sign Up With Email" option (you need js!) right under the Facebook connect button? Granted, I don't understand the big deal about Quora, but I know an email signup when I see it.
Quora no longer forces you to log in with Facebook, nor do you need to log in at all to browse the site.
You can register for Quora with a Twitter account. You can also disconnect your FB or Twitter account after registration.
Quora is one of the first sites that I've allowed to connect via Facebook, and I was pleasantly surprised by how well it's worked so far. They haven't spammed my wall at all (like most other things), and the site itself became much more interesting as soon as I was connected to all of my friends & interests.
(comment deleted)
For me it's more of a matter of privacy. I do have a facebook account but still refuse to log into any site that wants me to connect with facebook.
Sharing my connection information, some of my real life activities and hobbies, and a few private messages with Facebook seems risky enough already. When another company wants me to connect, my mind just balks.
Agreed. Knowing that the company requiring you to sign in can quite easily access all the data stored by Facebook worries me greatly. Twitter logins I have no problem with, as all my twitter info is public anyway (such is the nature of twitter), so there isn't any damage that can be done. Facebook, however, gives you no way of knowing exactly what it stores and shares, and because of this I am simply too paranoid to log in with it.

The best login system is OAuth by far - it is secure, and doesn't have any risk attached.

I agree. I don't know why it's not also a matter of privacy for site owners. They're handing Facebook their entire usage data. Dumb dumb dumb.
I have a fake FB account for this reason. It is amazing how many people will friend someone who doesn't exist
If you put up a few photos of a good looking girl for the profile pic and a random album, it's quite easy to get over a hundred friends, and not too hard to get many hundreds if you post on a few of those friending groups.
Especially if your fake FB account is for a lonely young female "nearby" and/or in Russia and looking for a traditional marriage overseas. ;)
I'm sorry, but its just not worth expending the extra effort to get you signed up to my service. I can get millions of people before it even starts becoming an issue.
I feel that's a flawed attitude. It's like reverse entitlement.

Were I a startup founder, I would make it my goal to ensure that EVERY. single. potential customer can use my site, within my capabilities.

(edit: I don't know why you're getting downvoted; you stated your philosophy as part of the discussion, which I don't think is a good reason to get downvoted.)

It is my goal. But not right now.
Sure, but look at the clusterfuck above where people are arguing about something called Quora -- they can't even agree on how you log into the site, because some people only saw it when you had to use Facebook.

Users will only give you one chance, if they see a reason not to come back then they won't come back, regardless of later changes you make.

I think you have the right goal, FWIW. For now. Because it's about priorities. Especially for a startup.

When you're building a startup, in my experience you want to advance on the narrowest front you can, as you build out the feature set and reach the market. Don't provide 5 ways to do X if you can just provide 4. Or just provide 1. Etc. There'll always be room in the future to iterate and add support for additional use cases, additional integration points, and additional polish. But you generally want to get to market fast, get real users, real customers, validate your market assumptions and business model assumptions, and slow or stop your burn rate before your runway runs out.

Saying NO to some things frees up additional time/money to say YES to others. So you should prioritize.

I don't think a philosophy of "I'm going to force people to use the proprietary, closed, run-by-a-weird-company solution instead of the existing proven free & open solutions, because it's slightly more convenient for me" is going to be very well-received. Nor should it be.
(comment deleted)
You might make the same argument for only supporting IE as the only browser you app works with. I suspect it's actually an issue from day one as there are folks who would sign up but don't because you require Facebook.
Not for my market. 90% of them have facebook accounts.
It is your market. I am a teenager (guessing that is your market based on stats). I have a facebook account (don't use it much), but will absolutely never sign in to another site using Facebook. The security issues worry me, as does the access you have as a service to my facebook profile.
In practice, it's probably even pretty close to 100%, given the login requirement. :)

In answer to my own unasked question, yes, there may be logins available on bugmenot (http://www.bugmenot.com/view/facebook.bug) although when you search for 'facebook' it says it says that it has been 'barred'.

The fact that they have a facebook account does not mean that they want to use it to login. There is some loss from day one given your strategy.
You are aware that there are more people not on facebook than people on facebook, right?
I am. What you're probably not aware of is who my market is (hint: 90% of them have facebook accounts).
(comment deleted)
How do you know 90% of your market has a Facebook account when 100% of your registered users are required to have a Facebook account? Don't allow your user base to be restricted by another user base.
A service with an addressable market of the entire Internet is very rare.

Usually your addressable market will be something like: "English speakers over the age 22 with household income of at least $30,000 per year."

And then suddenly more people are on Facebook than not.

Forcing me to be okay with everyone and their dog seeing what I do on my own time and on a completely different site is unacceptable, and frankly just lazy on their part. That has nothing to do with "commitment." I as a consumer get nothing out of it other than a lack of privacy and the heavy-handed assumption that some startup's "service" outweighs that.

No thanks, and the fact that I'm not the only one means that if you're using FB to authenticate as a startup (IE need to get as many PURCHASING customers as possible), you're doing it wrong.

If I like your service enough, I will make sure to tell people about it. You do not need to try to do that job for me. That's insulting.

Edit: Please note that I realise that you may be an exception if it is something whose market IS a Facebook user (apps, etc), and I am simply addressing the issue as a whole as I have seen completely disparate sites that require a FB login for no reason that I can fathom.

I think you may misunderstand what signing in with Facebook does.

1) It could, potentially, provide some value to you as a user. Quora gets to suggest people to follow for you based on your Facebook friends, so your experience on there is seeded with relevant information.

2) Nothing you do on the site you signed in with is published to your Facebook profile, without your explicit consent on a dialog box.

Nothing you do on the site you signed in with is published to your Facebook profile, without your explicit consent on a dialog box

The trouble with this statement is that some users (myself included) don't believe (a) this is true even when they say it's true, or (b) that if it's true today it will still be true tomorrow.

Such paranoid users are worried that FB will make a privacy policy change that turns the privacy off "as a benefit to users," and the opt-out checkbox will be buried seven links deep. I try to use FB's controls to make my FB stuff fairly private, but I still operate on the assumption that one day FB will break my assumptions about what is or isn't shared.

The recent "Places" launch confirmed it for me. If I hadn't read someone else's blog post, I wouldn't have known that simply refusing to opt into places wasn't enough, I also had to explicitly block friends from checking me into locations.

I don't mean to personally call you out but this mindset is entirely flawed for this argument. If you're so worried about keeping your private things private, don't put anything you're not completely fine with being public on facebook. According to your logic they don't owe you any real promise of privacy, right?
I don't know what they owe me, but I do know what I do and do not trust them to do. And on that basis I decide what I will and will not share with them.

Which brings us full-circle back tot the point of the post:

When a third-party application uses FB as its authentication mechanism, it gives the appearance of asking its users to trust FB with everything they do on that application.

So yeah, I don't put anything on FB that I can't handle becoming public some day. That doesn't mean I want it to be public, but I wouldn't knowingly put something private on there.

And that extends to third-party apps using FB for anything at all. I can't ever imagine using a linked-in kind of application that uses FB authentication. I'm not going to put certain business contacts and my business relationship with them where FB might be able to scrape the data.

I'm not dating, but if I did I wouldn't use a service that used FB for authentication. Or a personal money management application.

And my message to third party apps using FB for authentication is to take this into account. I won't say "don't," you know your market, maybe they don't care. But at least have your eyes open to people who might think twice if whatever you're managing for them might be sensitive.

It may not be published (2), but facebook certainly tracks and stores the information.
You know, early adopters tend to think about technology, and make choices such as not using facebook. You're likely setting yourself up for negative publicty from some person with a blog and a large following. Is it really worth risking that to shove onto users your choice of being technologically locked in to someone else's company?
It would be interesting to see HN-ers that use facebook auth in their apps share some stats on how big percentage use it?

I too believe you should have your own auth system as a base, but maybe someone can provide some numbers proving that it actually is a waste.

On my site (www.dipoll.com) I offer FB connect, Twitter connect, and regular email/password registration. 95% of my users join with Facebook connect.

I may very well do away with Twitter and email registration. Some of those 5% of new users might use Connect, and some might leave. That's fine. What I care about is streamlining the experience for the vast majority of my user base.

"I too believe you should have your own auth system as a base, but maybe someone can provide some numbers proving that it actually is a waste."

This is the way to look at it. Each service should test, analyze their numbers, and make the decision that makes sense for them. Blanket statements like "startups should never only use X for authentication" are just wrong.

So, this isn't a useful number for the OP (as it doesn't compare against a direct email/password registration), but people may still find it interesting:

My application (an alternatie to the iPhone App Store) supports Facebook Connect and Google Login (using OpenID). As I'm selling products, I can do a direct revenue breakdown on the two services, which shows a 2:1 advantage for Google accounts.

(If anyone is interested, the 2:1 Google advantage holds even if I control for "in the United States"; about 50% of my sales are in the US, so I have a great statistical sample, and the login breakdown for the rest of the world is nearly identical.)

Incidentally, requiring Facebook/Twitter on any iPhone/iPad app will absolutely destroy your ratings.

Take the recently released Gourmet Live app for example: http://itunes.apple.com/us/app/id391597058?mt=8

Although they made some especially poor choices in that app (you can end up navigating into sections of the app that you can't get out of without giving a Facebook/Twitter login, oops).

I deleted Gourmet Live as soon as I saw it requires you to cough up Facebook or Twitter logins to use fully. I have both but don't trust Gourmet to not spam my friends. Facebook is especially hostile to privacy and I will never use Connect.
(comment deleted)
Surely it's easier to write your own authentication system than plug in to Facebooks?
No. It's actually very hard (to do correctly). Especially if your cloud provider (AppEngine in my case) makes it even harder.
I've always found this one of the easier things to do when setting up a website... And I do, do it correctly.
Have to agree with this.

It might take 15-30 minutes to develop your own authentication system.

Even if only takes 10 with facebook, the extra 5 minutes are worth it to me to keep 100% control over my users' experience on my website.

I've not seen any websites that require a Facebook account to log in, but my immediate reaction on seeing one would be to assume the person who implemented it doesn't know what they're doing and can't be trusted with my data.
Why would you trust a website asking for an email and password more?
Email is better because you are not locked into using some third party website to log in. You can set up an email server of you own if you wanted to.
OpenID works great for this too-- you can create your own OpenID provider.
Even better, you can use your domain to delegate privileges to a third party service. Eg, I have my personal domain leetcode.net delegate OpenID authentication to myOpenID.com, but if for some reason I don't like that, or decide to host my own provider, it's as simple as changing my domain's delegation info, and I can continue to use the same OpenID url everywhere.
Sure - but that wasn't what he said. He said that requiring facebook makes him think that the website owner shouldn't be trusted with data.

Which has nothing to do w/ lock-in on 3rd party websites. It has to do w/ the relative security competence of those who choose to use FB Connect vs. those who choose email.

Who said anything about security? I would take a "Facebook only" login system to imply that the creator of the website makes bad decisions. I'd prefer to not hand over data to people who make such poor decisions.
Yeah, exactly. When I see a Facebook login, what I parse is "this site decided that it was a better idea to leave security to the professionals rather than hack something together. A secondary benefit is that I get to get through this signup in 20 seconds than 3 minutes."

When I see a dodgy username and password form, what I parse is "I can't wait for them to email me back my password in plaintext, and then store it without a one-way hash."

Why do you think Facebook security is security by professionals? I fully expect that Microsoft and Google have a stronger set of security experts working on their various authentication and encryption methods.
Because they are paid in the charge of the largest online authentication system in the world?

That's not to say that they are the strongest professionals in the world, of course.

They actually have pretty broken security practices from what I've heard. Their security review before pushing live features is definitely as not as strong as Microsoft (I can't really say for Google, I don't know what their security review is like). Check out the Facebook Chat for an example.
Agreed.

I found one service, where they have only Facebook login and it doesn't work for me.

I wrote to them and the assholes just ignored me.

I think it's arrogance. I mean, Google Account would make sense. Many hackers I know don't even have Facebook account.

I have a site that requires Facebook to login.

For this site, user fraud is a big concern. I would much rather have an easy way to tell if someone is a "real" person, and Facebook gives me that.

If my market size goes from 1.5B to 500M because of this decision, that's fine. In our case, it's a calculated choice, like the dozens of calculated choices a startup makes every day.

I would much rather have an easy way to tell if someone is a "real" person, and Facebook gives me that.

How does Facebook give you that, exactly?

Several ways, none of which is individually full-proof, but taken together they are a very good indicator:

- Does the user have a profile photo, or is it the default user icon?

- How many friends does the user have? (Generally 0, 1, or 2 is highly suspicious)

- Does the user have a real name? [Edit: we have a blacklist of fake names.]

Does the user have a real name?

I'm very curious how do you believe you can check that.

They can be an indicator, but do you check every subscription? Are you going to refuse subscription telling people "sorry, you don't have enough friends"?

Here is a very quick experiment I made:

- Get the name of one of your contact and the surname of another one and subscribe with that.

- Take the picture of a random girl on the internet that looks real, put a copy and paste famous quote in the description like "it will not rain forever".

- Subscribe to a couple of groups or pages with the word "sex" in them.

Bang, hundred of friends in a couple of days, and the profile now seems legit.

Still harder than generating fake profiles automatically, but I think that with a little bit of effort this can be automated too. There are also companies that will give you some hundred of friends for a fee.

(comment deleted)
Most people don't go to the trouble of registering a fake Facebook account to sign up for a random web service. If you want to be even more strict, you can look for people with at least 3 friends -- most real people have more than 10 friends, and very few people with a fake account will register 4.
(comment deleted)
I have two fake Facebook accounts that I use to sign in to services. I even have a good rep on Quora using a completely fake name.

Forcing Facebook because you think it will give you real people and verified accounts is wrong.

(comment deleted)
Sorry if I wasn't clear. I'm not saying that forcing Facebook will 100% eliminate fraud. But forcing Facebook can reduce fraud, by several orders of magnitude.

Authentication isn't -- and shouldn't be -- a one-size-fits-all problem. For us, Facebook has worked extremely well. (We originally supported Twitter and OpenID but dropped them when it turned out that 100% of our fraud incidents had authenticated with one of those two.)

That said, I'd love to know if our FB heuristics would "catch" you or not. Email me your fake FBUIDs and I'll publicly post their score. We can all learn something! portman.wills[at]gmail.com

This is exactly why I wouldn't join your site. I don't want you crawling my list of friends, likes/dislikes, etc... to determine if I should be able to buy a T-Shirt (or whatever product it is that you sell).

With that said, my Facebook account probably wouldn't pass your test as I recently removed all my pictures, and removed all my likes disklikes, and most of my "friends". And have virtually no activity on it.

The accounts have nothing in common - not IP address, nor cookies nor names nor friends or anything. With the fake accounts I just added fake friends (Facebook was so kind to suggest them) and they approved me. I even wrote 'whats up' on some peoples walls and they replied. No idea who they are, seems people just need somebody to talk to.

I am a bit of a privacy nut (multiple browsers, incognito, proxy servers, VPN's, multiple accounts online (including this site)) and I intentionally keep my person, work, online life etc. completely separate. So as interesting as it would be for you to test my accounts, it means I would have to kill you :)

> So as interesting as it would be for you to test my accounts, it means I would have to kill you :)

There needs to be a term for that level of secrecy/strictness when it comes to online identity/authentication. A level so strict that if an identity gets exposed or authentication mechanism is bypassed that somebody, somewhere, will have to be killed.

Now I await eagerly for an HN reader from a three-letter organization to chime in. ;)

They might know that it's you, actually.

I spoke with a facebook employee recently and they apparently spend quite a bit of effort identifying likely duplicate accounts. Usually people make several accounts to have more farmville neighbors, so you may not get lumped in this category, but who knows.

Google does the same thing - I believe there was a post here recently about an interview where an employee said their was a console matching accounts and likely duplicate accounts the person has.

I agree. It is best if they provide an option. So you can login with facebook if you choose to. I use my twitter login more than facebook.
Maintaining a separate identity for every site across the web gets more impractical by the second. I think most people would agree that a third-party authentication service is a positive thing, but there seems to be a stigma, earned or not, surrounding Facebook that makes people hesitant to assign that responsibility to them.

I think ultimately it's going to come down to a paid, independent service. Startups can't offer this kind of thing for free as there is no trust involved in the transaction. Likewise most large companies have already traded away their trust capital for various fiscal and political gains over the course of their existence. No, there must be some legal recourse for the consumer for the moment the authenticator screws up, and the only way to transfer risk in that way is with money.

Probably the single biggest barrier to this is the widespread desire to remaining anonymous on the web. The thing it seeks to combat is precisely the thing so many value so greatly: maintaining multiple identities, personas, existences on the web.

What's impractical about it ? I'm very comfortable with separate identities per-site.

If your site isn't worth a separate identity, why am I interacting with it in the first place?

I'm comfortable with separate identities per site, but it is impractical for most people. You have three general choices:

- Maintain a separate login and password for every site. This requires a lot of memorization and is a pain in the ass when you find yourself trying four passwords because you forgot which you used.

- Use password management software or a naming system that lets you keep track. This is effective but is a bit much for a majority of people who do not, and probably never will, use tools and reasoning to help them do things on their own volition.

- Use the same login and password almost everywhere. This is easy but is shitty security.

You might claim that using a third-party authenticator is just like option #3, but it's not. Option #3 above means that your single credentials are under the control of the least secure site you use them on, so if someone cracks some install of PHPBB version 0.0001 that you logged into, you're fucked. Using a third-party auth provider relieves you from this worry. It even means that you can switch at your leisure and start using a hardware generator or a long passphrase if the provider supports it.

Choice. Let people choose if they want to use Facebook, or if they want to log in directly. Allowing people to log in directly should be the minimum requirement. Facebook should be an addon authentication system, not the only.
Oh, I think Facebook is much worse. I'm just pointing out that there really is a problem to be solved; separate authentication for every site is not obviously the best possible experience. Choice is a fine answer, if the developers are willing to spend the extra time implementing and maintaining the choices.
I'm not comfortable using any sort of 3rd party service. I also don't like that I have any kind of connected identity across multiple sites.

This sort of authentication system should be built into the browser, entirely under my control, and every site should be given a separate identity token.

Sounds good, but what happens when you reinstall your OS, or change your OS or browser?

Not saying it's not possible - not trying to shoot this down at all - just I think it's a major issue.

One could use a cloud service like Xmarks which already syncs bookmarks and browser passwords. Just because it's built into the browser doesn't mean that you can store the information in the cloud and sync it between browsers.

The difference is that you control the connection and your information directly. With OpenID or Facebook the connection is directly between those entities and site you are visiting. With a browser-based system, the connection is always between the site and you or the cloud and you.

Xmarks is shutting down in 90 days, apparently. =\",
I think this is an issue that needs to be dealt with in schools, because it's going to be VERY important by the time current kids grow up, and most of them don't know what they're doing.

Here's what I do. I have two branches of passwords: one unsecure and easy to dictionary attack, another that was randomly generated and I got into muscle memory when I was a boy. Each secure site gets its own slightly different version of the password, with an additional suffix which is usually a small word.

It's a system that's served me well. Are there some glaring weaknesses that I should take account of and switch to something else?

I use pretty much the exact same system that you do and have done so for many years as well. Recently though, I'm starting to think I might try out the password management software route. I've haven't yet had a problem with any of my accounts being brute forced and I guess there's something to be said for "if it 'aint broke...", but reviewing the passwords I use, even the more secure ones, I have this nagging feeling that they are more similar to each other than they should be. If a resourceful and determined attacker was to somehow figure out one of my secure passwords, then that would be a good ways towards figuring out all of my secure passwords and I don't like that possibility, however remote it may actually be.
As long as each of your secure sites has encrypted the password in their database, which they damn well should be doing, an attacker wouldn't be able to benefit from any similarities because they wouldn't know what your password actually is. Right?
That would be right assuming passwords were always encrypted - and we know that unfortunately even some of the biggest sites have been bitten by not encrypting passwords in their database[1] - but that's not actually the case I was thinking of when I said "brute forced".

Here's one possible scenario: let's say that I happened to be a member of a website that unfortunately allows an attacker to hit their login form as many times as they like and as fast as they like with various username/password combinations, and by brute forcing this login page in this way, they manage to determine what my username/password actually is. Now the attacker does know my username/password for one website I belong to and - if they're smart and determined - it may occur to them that now they know one of my usernames/passwords they might use these details as a starting point in trying to brute force other accounts that I may have on other websites.

I used to run these kinds of brute force attacks against websites back in the day when I had nothing better to do and before I had to work for a living. Often I was quite successful, but I wasn't targeting specific users and even back then I could tell that websites were getting more savvy in terms of detecting and defeating such attacks. So no doubt it would be harder to pull this kind of thing off now and it would probably depend a lot on which website(s) you targeted. But surely it wouldn't be impossible.

[1] http://blog.moertel.com/articles/2006/12/15/never-store-pass...

Option 4: use an address book, spreadsheet, or database to list passwords.
wtf? You know browsers can just remember this stuff these days, right? Or if you log in from multiple places and don't want to export your browser passwords then you can use e.g. Password1
If you keep your passwords in the browsers, you expose yourself to trojans that once they get access to your computer will harvest all your passwords from the browser and send them to some overseas hacker.
Furthermore, makes it harder for some of us to use your service at work. My work will let me visit Facebook, but each access is logged and IT does track it. While I can notify IT that it's a valid work use, doing this for every site that causes a similar reaction from the firewall gets tiring after a while.

The harder you make it for us to visit, even if it's a minor inconvenience, the less likely we will.

Well, for one thing, this becomes a bigger and bigger problem: http://www.xkcd.com/792/

Yes, it's a ridiculous example, but the vast majority of end users keep the same username and password for all of their online services. Obtain one U/P pair and you could conceivably access their identity anywhere. A centralized, specialized authentication provider could maintain multiple levels of authentication depending on what the service demanded. Perhaps your favorite news aggregator only required that you be authenticated with a username and password, but your bank could be using the same authentication service and demand a physical token or one-time password to continue to the service.

The idea is to maintain the convenience we already demand and practice in a manner which is orders of magnitude more secure.

(comment deleted)
That XKCD made me go back through a whole lot of my "low security" sites and change the password away from the same old thing I'd used for ages. Still funny though :)
whether having separate identities is a net win or a net lose depends on N. Having to maintain say 3 separate identities (N=3) on the web (roughly: one for public social, one for private/secret, one for money/utilities) is a much lower burden than having to maintain say 30 or 300 separate unconnected identities, each with their own username/password/profile/messaging/eventstreams/community-connections.
What makes me nervous about singing into a site through Facebook is I don't know what kind of permissions I'm giving to the site regarding my FB account.
Facebook always displays an allow page with what data the site is requesting.
Will it always do that? Are there any implicit allowances? Will there be in the future? For what's true now, I could look it up. But I'd rather not. For what will be in the future, I have no idea. The simplest thing for me to do is use my Facebook account for Facebook only.
Exactly. This is the reason that I am far more comfortable using my Google or Yahoo OpenID than a Facebook login.
Why? Because these companies are less likely to sell your data to third parties? You know Google has pretty well always read your gmail right?
> You know Google has pretty well always read your gmail right?

That is a loaded question that does not cover how and why google uses your emails.

What are you talking about? It doesn't matter why they're doing it today. It matters that they're doing it. Even if you're naive enough to buy into "don't do evil", surely you realize that it wont always be that way.
Any information you put on Facebook is susceptible to being used in ways you don't know of or have not authorize for. All information on the internet is like this for that matter. At least currently with Facebook Connect sites FB displays an authorize display laying out the information accessible.
Yes, exactly. That is the mental model I have for Facebook: only share what I'm comfortable sharing with the world. It's a simple mental model, and I like keeping it that way. Dealing with "Do you want to allow...?" dialog boxes breaks this mental model, and doing anything with another webpage gets a big "NO" from it.

I'm conservative about what I put on FB for this very reason. I consider logging into another site with my FB account part of "what I put on FB."

Unless that site is Yelp. Or Pandora. Or...

"Always" is meaningless for SAAS that you don't pay for.

Oh yes. Never write in absolutes on HN.

I don't know about Yelp but Pandora asks permission. http://www.flickr.com/photos/4braham/5030673157/

When the service was launched, it did not. And I'm certain Facebook will make a similar 'mistake' again, now that the controversy has died down a bit.
It's also very frustrating for everyone behind the great firewall of China.
Also, anyone behind a firewall at work/school/etc. that blocks Facebook.
Isn't that why you should VPN out? I think in this case frustration is good. Makes people look for solutions & realize how stupid that firewall is.
As an aside, Facebook rejects mail from the main mailinator ip, so you can't use their domain for a fake email address, you'll have to find a different service that does the same.
Strongly agree. I used to use Facebook. I don't any longer and never will again. Any service that forces Facebook connectivity won't get me as a user.
"I forgot my username/password" is an immense burden on a small company. You end up having to make horrible tradeoffs between privacy and convenience (how do you really verify that this user is really this person?) and end up with a serious support issue for a product that might otherwise not generate much support email at all.

To be clear: even if it costs half your conversion rate, it may be valuable, at least until you grow in size to the point where having some support staff on hand is a non-issue, to force people to use a "well known" login provider. The users who insist on per-site accounts very well may just not make enough revenue to hire the support staff required to maintain them.

(Also, I think the privacy issues are seriously underrated: users often seem to insist that you should be willing to trust From: headers on email messages and that looking someone up by real name should be a common/valid way of finding people... I'd much rather Facebook, Google, Yahoo!, whomever, has to think about those issues rather than me.)

Edit: (typed on my iPhone, already fixed a typo)

Automated password resets are a solved problem. Either email a new pw or reset link to a known address, or authenticate with "secret questions".

Both have their problems, but no small company should waste support time when established techniques are available.

The items you mentioned mitigate but do not "solve" the problem. We often have users forget what email address they used when they first signed up (work, personal, their kids email because they aren't a "computer person", etc). Probably not so coincidentally, these same users are the ones that struggle the most with basic computer tasks like opening a URL from an email, etc.
You can just let users initiate a request with their login name, no?
Unfortunately that is even tougher for users to remember as there is even less context.
This assumes that something like their e-mail address is static: in the real world it isn't. Normal users often use e-mail addresses assigned to them from their ISP, school, or work, and think nothing of the fact that these are needlessly transient identifiers. In practice you simply cannot automate the problem "I forgot my username/password".

(EDIT: Oh, and I misunderstood your comment: no, you cannot have them initiate the request with their username, because they probably also forgot their username. I thought you were saying that they could initiate a request to look up their username before looking up their password, which has the "no stable identifier" problem I ended up going into.)

This assumes that the user remembers his username (very unlikely: their favorite username was likely taken on this site; my mother actually had a binder where she had written down every username she had been forced to use on every website she had ever gotten an account with) and that he has a static e-mail address (end users don't: they use temporary e-mail addresses assigned to them by their ISP/school/work) or at least remembers the answers they left to those challenge questions (which people often just type random gibberish at because they consider the answers private/personal).

When you get users e-mailing you, incredibly angry, insisting that you help them because they are spending $X at your website and they can't even log in, you realize you can't pretend that these fully automated solutions work for normal people.

Hell, if you want to know real pain: normal users don't even have a single Gmail account, so my #1 support issue is actually users who log into my site with the wrong single-sign-on account and then get angry that none of their stuff is there anymore.

I can see the advantages of both the fb login and your own authentication. On getappsdone.com we use our own authentication, but sometimes is really annoying dealing with people who can't figure out their user or password, or maybe they didn't receive the activation email and stuff like that.

On the other hand when I'm offered the change to login with facebook, not always I feel comfortable giving access to all my data.

The reason I got one of those vanity accounts that Facebook hyped up was because I was under the impression they would use that instead of your real name on various websites.

Turns out they did not go that route so I refuse to use FB login.

I recently integrated JanRain into a client's site and I think I will be using it for future personal projects. It handles all the OAuth/OpenID details while providing Facebook/Twitter/OpenID/LinkedIn/Yahoo/Microsoft Live/Google/Wordpress/and more providers.

I would like to give people the Facebook option, but I myself, don't use it unless I have to. Giving a dozen options via JanRain makes that easier.

We've used JanRain as well, they do a nice job of abstracting away some of the differences in the platforms, making it much much easier to support more options.
I agree completely. The whole Facebook login thing is of no use to me since I decided to deactivate my account 12 months or so ago. I am unhappy with Facebook privacy and to be honest, the whole thing of keeping up with Facebook, Twitter, LinkedIn, etc just became too much. Devise an authentic login or lose me as a customer.