If you're adding user accounts, there's really no excuse not to include an email & password signup option. You can alienate a lot of potential users if you require Facebook connect and don't give the option.
I've always wondered why more websites/apps didn't have their own user database, with Facebook credentials as merely a link to an underlying record that the website actually owns.
This way if you one day want to run far, far away from the FB monster you're already set - the behavior of your app doesn't break horrifically, and you can devise a seamless/pain-free transition for FB-authenticated users to create a password.
> I've always wondered why more websites/apps didn't have their own user database
Because your password database is a liability. And it's a huge pain in the ass to store securely. And a breach at another site can harm your users if they re-used their password. And there's a huge amount of friction when you ask users to create and manage yet another password.
Seriously, traditional login systems suck. They're great for privacy and maintaining direct control over your user data, but they're a huge pain.
I don't want to shill, but Mozilla is aiming to address the bulk of this with Persona (https://developer.mozilla.org/en-US/docs/Persona), which will have an api-stable "beta" release in about two weeks. However, it works right now and has been deployed on sites like https://voo.st/ as an alternative to forced-social login.
Arguably it's a greater liability for a business to be dependent on a third party for a connection with their users. It means they lose important user data like email (they have to ask for it usually), they're tied to that provider, and their website breaks for those users if that third party service goes down or is unreliable.
If you store your passwords securely you can't leak them, only a hash, but I agree it's a pain for users to manage multiple passwords/identities and can lead to too much password sharing.
Persona looks far more interesting than social login as it addresses the issue with who owns controls user data/logins and does not have a single point of failure, plus it provides the email.
Given the overwhelming sample size of 37, I think we can all agree that this is statistically significant information which one should base big platform decisions on.
Still wasted the first half of the article talking about the results of a 37 person survey. 37 people with no demographics info at all is so anecdotal that it's effectively worthless.
As far as the second test goes, of course the general trend will be younger people who actually use Facebook will not mind... using Facebook.
I don't think that's true at all. Useability guru and generally big-headed man Jakob Neilson says you can get the majority of content from user testing as few as 5 people. Granted this isn't user testing, but small sample sizes are not pointless, they're directional.
If people were indifferent (50% chance of wanting facebook) then the likelihood of at least 27 out of 37 randomly asked people saying "no facebook" is about 1 in 300. And that's counting the "Yes but I hate it"s as yesses. Count those as "no" and it's 1 in 3000. Highly significant.
This assumes the "random tourists in Pike's Place market" are an effectively random sample. It's possible that facebook fans are less likely to take vacations in Seattle, but Occam's razor is against it.
This statement can hardly be made with the numbers that participated in this.
In addition the article isn't very good and the No - Spam option speaks more to users being wary of the application than facebook.
This doesn't seem like the typical quality of article usually voted up on HN - I'd guess people just voted it up from the link title without reading (since people love to hate facebook).
The inspiration for the survey came from the numbers we were seeing on our site (across 10's of thousands of signups). There was a clear preference for signing up with email vs facebook.
The in person survey is too small to provide meaningful numbers, but it was useful to hear real people's feedback and sentiment.
I agree that it seems weird that people would rather give their email than facebook because they "don't want spam". But that's really what they said, so that's not speculation about their reasons. And again, the survey was asking people about their experience and feelings about sites they've signed up for, not just about our site.
I think the difference might be from the social stakes involved, if an app spams your friends then you publicly look bad, if you get a spam email nobody knows but you.
Unfortunately some companies are in bed with Facebook and it seems it gives them more than the additional users.
For example Spotify - still allows only Facebook signups. The first quote on signup page is of course <<"Spotify is so good" - Mark Zuckerberg, co-founder of Facebook>>. I'm definitely one who spent additional time to look for an alternative.
Edit: As parbo noticed, they actually do allow email+password signups again. I completely missed the link when checking.
I've been using Rdio for a while now and really like it. I think Spotify's library is a bit larger but, like you, I hate being forced to sign up via Facebook.
I chose Deezer some time ago... but Rdio sure changed lately - maybe I should give them another look. The last time I tried they had a poor choice in non-mainstream things, but it seems to have changed. (number of von zamla albums is my usual benchmark for the variety of available tracks) They still have weird listing issues though - having both Goran Bregovic and Bregovic, Goran for example.
I'm not saying it's something to rely on, but if the artist is: not American, not singing in English, not from the top hit lists, not from popular genre and published albums years ago... yet they get included in the library, that means the choice goes far beyond what you usually get to hear. And that's just a great thing, whether you like specific artist or not.
My point is just that both Rdio, Spotify, and all their competitors contain many bands that fit your criteria. And they also don't contain many of those. I'm simply saying you should do a wider survey of their libraries to get a better comparison.
Wow, they don't want people to spot that, do they :) I went to the signup page to verify before I posted my comment and completely missed the link, even though I was looking for it. I really appreciate them doing that - will check out their library today.
Edit: Or not. They seem to know my city better than me since my postcode is both required and invalid...
I think you meant that sarcastically, but it actually is good design from Spotify's point of view. They really want people to link their accounts to Facebook, but don't want to lose the potential users who steadfastly refuse to do so. Tailoring the language and design to encourage the desired choice is smart, even if it might not be quite right grammatically.
I'd say most people have one username/password combination they use for every service. On mobile devices, having to sign up with an email and password is a bit of a hassle, and Facebook/Twitter login makes more sense.
Anecdata point (new favorite word) from someone who in theory should "know better": I have my corporate password, a bank password, personal email password, and one I've been using literally 80% of my life for all the other sites. It's got a Couple variations to get around silly restrictions. In its base form, it's a 6 letter dictionary word. Why? I don't care! I don't want to devote any more energy to the problem than strictly necessary and those sites aren't getting any data I care much about.
PS: 2 factor for corporate account and personal email
Some people, but not this person. I like having a separate login for each web service. I keep each login in my password wallet so even I don't know the password. Using this approach, if a service gets compromised, I don't need to worry that my access will spread to other systems.
I also like email/password signups because I get to use different emails for each service. GMail helps with this since I can use johndoe+twitter@gmail.com and johndoe+facebook@gmail.com.
Is there even an option for developers to use where you can use Facebook just for login, without requesting any additional permissions? That would be acceptable.
This is why I still like OpenID (eg, log in with your Google account). I know they get nothing but my name and email address, they can't touch my account at all, and nothing is public.
"When a user auths your app and you request no additional permissions, your application will have access to only the user's basic information. By default, this includes certain properties of the User object such as id, name, picture, gender, and their locale. Certain connections of the User object such as the Friends connection are also available. If the user has made more of their data public, more information will be available."
Totally agree. They really should have made the default to allow zero permissions. Then there could be a page in the app (or in facebook) where you can explicitly allow each requested permission once you've at least had a moment with the app. As it stands now, though, I never use the facebook option. The few times I did before, I raced to my profile to see if anything was posted. The current model is sort of like a store clerk saying, "Come on in... and let me use your phone to call some of your friends."
Whenever I used to demo one of my old projects, the immediate feedback I'd get from most "advisors" was something along the lines of, "oh, you don't offer Facebook signup. Why not?"
I think the underlying assumption was that using Facebook login would make it easier to make the site "go viral" because we could more easily spam our user's networks.
I always cringed at this idea from my own personal experience, and from anecdotal evidence from my friends.
I'm very excited that someone finally backed this up with data.
And at least by offering it, you'd get metrics on how many people use it. Like Patrick said, it's the most important 30 seconds of your relationship with the customer. It's worth trying whatever you can do to improve that signup process.
We're building a site that relies on network effects and are considering offering only Facebook authentication, with perhaps other signups available in the future. Anyone have any good case studies on startups that went this route?
They'd get more signups (and more of them would be for traditional accounts) if they did some fairly trivial work to make the sign up process sound like it actually created customer value.
The button to show that modal window is "JOIN NOW" with microcopy "It's free." That microcopy is the best part of the whole experience.
Clicking the JOIN NOW button brings up the modal window:
"Welcome! How would you like to sign up?"
Absolutely nothing here promises benefits to the customers. Consider something like:
Button: "Start Saving Money!"
"Save money when stores change prices. How should we tell you?"
[Login with Facebook] or [Get an email]
microcopy: "We never post to Facebook. Shopobot is totally free. You can stop getting email at any time."
Clicking "Get an email" would bring you to the signup form, currently a DailyCred interstitial, which is (at present) an experience which will not maximize conversion rates, to put it lightly.
1) Remind people why they want to sign up for Shopobot
2) Have button copy which suggests value, rather than "Sign Up". Ideally, it should have copy which recalls the scent of the interaction on their page.
3) Continue providing risk-reducers like "free", "we won't spam you", etc.
If you're wondering whether to use DailyCred or roll your own login system, by the way... how much is 20 ~ 40% more users worth to you? Enough to justify the whole hour it will take to roll a login system? Good, thought so. (+)
(+ I'm sort of intrigued by the parts of their offering which do not actually sign up users and log them in. However, it strikes me that bundling them with logins is an exceptionally bad idea, and as you need them you can either implement them ala carte or plug in a provider who would let you keep control over the most important 30 seconds of a customer's relationship with you.)
Thanks for that feedback, that's great advice for how to polish the language and call to action. With DailyCred you do have flexibility to make custom signup UI like you describe using the rest api[1], so you can bake it right into your experience. The interstitial login screen is for people who want to get set up instantly. The rest api supports all of our features, including email validation, SSL, password resets, etc. Both options are a big win over only offering Facebook signup.
[1] [https://www.dailycred.com/api/rest]
It's even easier if you're writing a rails app, as you can just use Devise[1]. Include the gem, run two rails commands, and you're basically done except for customizing the views.
It's just unusual if you think about it. It helps to have been alive in a time before the web was significant. Think of all the companies you give personal information to. Think of how much information you actually give them. Think about what they are permitted to do with that information.
Then think about sending a list of all your friends, family, colleagues, your personal thoughts and commnications on personal matters, to a random, characteristically anti-social CS major you've never met. It's just plain weird. And Zuckerberg was absolutely right in what he said: we're dumb to do it. The problem is this didn't phase him one bit. He went right ahead as if it was all going to be OK. And we just kept sending him more and more info.
Granted, Facebook calls itself a company, and the situation has grown quite large and complex, but I still think of Facebook as one CS student's website. It is what it is.
You send your personal info, in some cases more personal info than you would give your personal banker, your doctor, or your lawyer, through the web to total strangers, many of them are anti-social kids like Zuckerberg, to be posted on his website.
Maybe it's because I've grown up with fairly ubiquitous internet, but I've never expected anything I put on the internet to be private. Furthermore, I've never expected anything done in public to be private. I have a hard time understanding why people expect otherwise on both.
This just further proves how disconnected Mark & Friends are from the real world.
In real life, people talk very differently when they're:
- around their friends
- with their family
- with their lover
- in public
- at work
- online
So this "one identity" + "real name policy" + "privacy is dead" nonsense is just disheartening. There will always be a need for humans to keep secrets, to have separate identities, to keep the people in their lives separate, and the topics they talk about separate. "Sign in with facebook" just breaks all those rules.
Not everyone shits and showers with the bathroom door open.
I agree. The need to share and talk differently with different people, is precisely the problem that Google tried to solve with their concept of circles in Google+. However, the fact that they also required real names and a single identity, makes it a partial and therefore ineffective solution.
Yea, I am not for real name policies either. But I do want problems that would be caused by them to be fixed if possible, though not every one of them can be easily fixed, of course. For example, legacy PR based on one-way control of the message is fundamentally flawed.
I think, as always, generic statements can't be made. And one example shouldn't necessary serve as a general example. The willingness of a user to use Facebook as a login identity is influenced by:
1. the trustworthiness/brand recognition of the service
2. expected behavior of the service with the data
In this case, it seems to me as if there is no value a user would get from signing up with facebook besides the convenience. Furthermore, being an e-commerce service, I would actually say offering Facebook login is counter-productive because it may be perceived as a commercial use of your data (I know its irrelevant, but you would be surprised how often I have heard this)
Also one should note that the averaging 30% really isnt that bad. 50% would mean its completely random, meaning there wouldn't be a preference either way. I wouldn't say people hate being forced at all.
For obvious reasons, this post is biased towards selling their service.
The in-person survey part is good because you can get qualitative sentiment. It's good to talk to customers, even for this soft data.
The quantitative data comes from watching how people behave over time. The bottom of the post shows the graphs of how users actually sign up, and that has 10s of thousands of data points.
If your only login option is Facebook, I won't use your service. Full stop. I don't have a Facebook account, and I certainly won't get one to be able to log in somewhere else.
I do have a Facebook account, and I have basically the same policy.
Facebook is for me to chat with friends and all of us to post photos we may or may not regret when we sober up. I neither need nor want to tie any more of my life to it.
Agree with both of you. I have a Facebook account because, one time, someone posted a video I wanted to watch and that was the only way to see it. Turns out the video wasn't worthwhile either. I, too, won't register with anything requiring Facebook.
At my current job all the project managers think our users are so promiscuous with their online activities that they'll use services like Facebook for just about anything (Events, RSVP, etc).
However, from talking directly with some of our user's most of them are telling me they avoid these features because they don't understand what the long term effects might be. Apps who have abused Facebook and stories about potential privacy concerns in the media have left a bad impression on them regardless of what Facebook has done to 'fix' the problem.
So, I understand that Facebook et al are more popular options, but I am noticing that OpenID in particular is really losing momentum. Personally I really liked the idea of OpenID, so I'm just wondering, from the point of view of web developers, what is it about OpenID that makes you not want to use it? Or is it just that Facebook is overwhelmingly more popular as a login method so it's not worth it?
I agree. I spent a lot of time simplifying my OpenId setup so that all I had to do was type in my first name on a website and would be authenticated. I think online identity is still ripe for disruption and improvement.
Huh? Our first beta release is scheduled for ~2 weeks from now, and the entire idea is barely a year old. We're still quite alive and well -- come join us on GitHub (mozilla/browserid) or IRC (irc.mozilla.org/identity)! :)
Plus, Mozilla is dog-fooding Persona all over the place[1], so we're personally invested in getting this thing right and keeping it working.
[1]: Bugzilla, MDN, Etherpad, Mozillians, Metrics, Popcorn, OpenBadges, Marketplace, Add-on Builder, Flicks, and Affiliates all use Persona, with more to come.
BrowserID is new, and awesome. My fear is that a good universal login needs to support both Mobile Safari and Google Chrome on Android, and due to their childish fighting, it's unlikely anything client side can work on both, to the detriment of users and Internet security as a whole.
Desktop browsers are a lot easier (extensions, and browser choice), but mobile/tablets makes this all a lot harder than it was a few years ago. :(
Interesting how they have identified hackers to be more inclined to "connect with Facebook". Personally, I connect to Facebook when it's convenient, purely out of convenience. It's easier to not have to maintain so many damn passwords, especially for stuff like commenting on a blog I will never visit again.
Interesting how they have identified hackers to be more inclined to "connect with Facebook". Personally, I connect to Facebook when it's convenient, purely out of convenience. It's easier to not have to maintain so many damn passwords, especially for stuff like commenting on a blog I will never visit again.
I have no problem with sign in by facebook and promotions, as long as I'm given the choice or ways of logging in be that google, msn, and few others and or a local account option. When I'm not I don't use that product as I dont want a facebook account, my choice and any situation were I'm forced to I walk away. My choice.
I can undestand why so many do it, they have IT on the cheap and instead of doing a local login option you pick facebook and leave all authentication down to them and there API's. But that's there choice.
Eventualy some law will pass forceing companies to allow the user to pick which social login persona they wish to use and that will be that, repeat of the whole unbundle IE affair remixed for today playing out with social media login's. We shall see, but until then everybody has a choice they just need to execute it more often than they do.
103 comments
[ 3.4 ms ] story [ 166 ms ] threadThis way if you one day want to run far, far away from the FB monster you're already set - the behavior of your app doesn't break horrifically, and you can devise a seamless/pain-free transition for FB-authenticated users to create a password.
Because your password database is a liability. And it's a huge pain in the ass to store securely. And a breach at another site can harm your users if they re-used their password. And there's a huge amount of friction when you ask users to create and manage yet another password.
Seriously, traditional login systems suck. They're great for privacy and maintaining direct control over your user data, but they're a huge pain.
I don't want to shill, but Mozilla is aiming to address the bulk of this with Persona (https://developer.mozilla.org/en-US/docs/Persona), which will have an api-stable "beta" release in about two weeks. However, it works right now and has been deployed on sites like https://voo.st/ as an alternative to forced-social login.
Arguably it's a greater liability for a business to be dependent on a third party for a connection with their users. It means they lose important user data like email (they have to ask for it usually), they're tied to that provider, and their website breaks for those users if that third party service goes down or is unreliable.
If you store your passwords securely you can't leak them, only a hash, but I agree it's a pain for users to manage multiple passwords/identities and can lead to too much password sharing.
Persona looks far more interesting than social login as it addresses the issue with who owns controls user data/logins and does not have a single point of failure, plus it provides the email.
> This is a better test, because the signup screen offers both options with equal weight and we have over 70,000 organic signups.
As far as the second test goes, of course the general trend will be younger people who actually use Facebook will not mind... using Facebook.
This assumes the "random tourists in Pike's Place market" are an effectively random sample. It's possible that facebook fans are less likely to take vacations in Seattle, but Occam's razor is against it.
In addition the article isn't very good and the No - Spam option speaks more to users being wary of the application than facebook.
This doesn't seem like the typical quality of article usually voted up on HN - I'd guess people just voted it up from the link title without reading (since people love to hate facebook).
The in person survey is too small to provide meaningful numbers, but it was useful to hear real people's feedback and sentiment.
I agree that it seems weird that people would rather give their email than facebook because they "don't want spam". But that's really what they said, so that's not speculation about their reasons. And again, the survey was asking people about their experience and feelings about sites they've signed up for, not just about our site.
For example Spotify - still allows only Facebook signups. The first quote on signup page is of course <<"Spotify is so good" - Mark Zuckerberg, co-founder of Facebook>>. I'm definitely one who spent additional time to look for an alternative.
Edit: As parbo noticed, they actually do allow email+password signups again. I completely missed the link when checking.
Edit: Or not. They seem to know my city better than me since my postcode is both required and invalid...
"You need a Facebook account to register for Spotify"
At the bottom of the page:
"or
Create an account using my e-mail address"
Awesome design there!
I think you meant that sarcastically, but it actually is good design from Spotify's point of view. They really want people to link their accounts to Facebook, but don't want to lose the potential users who steadfastly refuse to do so. Tailoring the language and design to encourage the desired choice is smart, even if it might not be quite right grammatically.
PS: 2 factor for corporate account and personal email
I also like email/password signups because I get to use different emails for each service. GMail helps with this since I can use johndoe+twitter@gmail.com and johndoe+facebook@gmail.com.
This is why I still like OpenID (eg, log in with your Google account). I know they get nothing but my name and email address, they can't touch my account at all, and nothing is public.
"When a user auths your app and you request no additional permissions, your application will have access to only the user's basic information. By default, this includes certain properties of the User object such as id, name, picture, gender, and their locale. Certain connections of the User object such as the Friends connection are also available. If the user has made more of their data public, more information will be available."
Source: http://developers.facebook.com/docs/authentication/permissio...
I think the underlying assumption was that using Facebook login would make it easier to make the site "go viral" because we could more easily spam our user's networks.
I always cringed at this idea from my own personal experience, and from anecdotal evidence from my friends.
I'm very excited that someone finally backed this up with data.
If you can accurately define who your customer is then you can tailor your user experience to fit them best.
Studies show the people that use Facebook Connect have a higher LTV and show higher engagement.
We're building a site that relies on network effects and are considering offering only Facebook authentication, with perhaps other signups available in the future. Anyone have any good case studies on startups that went this route?
Here's their home page: http://www.shopobot.com/
The button to show that modal window is "JOIN NOW" with microcopy "It's free." That microcopy is the best part of the whole experience.
Clicking the JOIN NOW button brings up the modal window:
"Welcome! How would you like to sign up?"
Absolutely nothing here promises benefits to the customers. Consider something like:
Button: "Start Saving Money!"
"Save money when stores change prices. How should we tell you?"
[Login with Facebook] or [Get an email]
microcopy: "We never post to Facebook. Shopobot is totally free. You can stop getting email at any time."
Clicking "Get an email" would bring you to the signup form, currently a DailyCred interstitial, which is (at present) an experience which will not maximize conversion rates, to put it lightly.
https://www.dailycred.com/oauth/authorize?client_id=ceb6f715... <-- don't worry, I won't use that client ID, feel free to click it
That page should:
1) Remind people why they want to sign up for Shopobot
2) Have button copy which suggests value, rather than "Sign Up". Ideally, it should have copy which recalls the scent of the interaction on their page.
3) Continue providing risk-reducers like "free", "we won't spam you", etc.
If you're wondering whether to use DailyCred or roll your own login system, by the way... how much is 20 ~ 40% more users worth to you? Enough to justify the whole hour it will take to roll a login system? Good, thought so. (+)
(+ I'm sort of intrigued by the parts of their offering which do not actually sign up users and log them in. However, it strikes me that bundling them with logins is an exceptionally bad idea, and as you need them you can either implement them ala carte or plug in a provider who would let you keep control over the most important 30 seconds of a customer's relationship with you.)
[1]: https://github.com/plataformatec/devise
You can trust Facebook. Why wouldn't you? Facebook is lovely.
The idea that you should or shouldn't "trust" a company...
Then think about sending a list of all your friends, family, colleagues, your personal thoughts and commnications on personal matters, to a random, characteristically anti-social CS major you've never met. It's just plain weird. And Zuckerberg was absolutely right in what he said: we're dumb to do it. The problem is this didn't phase him one bit. He went right ahead as if it was all going to be OK. And we just kept sending him more and more info.
Granted, Facebook calls itself a company, and the situation has grown quite large and complex, but I still think of Facebook as one CS student's website. It is what it is.
You send your personal info, in some cases more personal info than you would give your personal banker, your doctor, or your lawyer, through the web to total strangers, many of them are anti-social kids like Zuckerberg, to be posted on his website.
It's a disaster waiting to happen.
In real life, people talk very differently when they're:
- around their friends
- with their family
- with their lover
- in public
- at work
- online
So this "one identity" + "real name policy" + "privacy is dead" nonsense is just disheartening. There will always be a need for humans to keep secrets, to have separate identities, to keep the people in their lives separate, and the topics they talk about separate. "Sign in with facebook" just breaks all those rules.
Not everyone shits and showers with the bathroom door open.
This reminds me of one of my own HN submission, BTW: http://news.ycombinator.com/item?id=4160528
1. the trustworthiness/brand recognition of the service 2. expected behavior of the service with the data
In this case, it seems to me as if there is no value a user would get from signing up with facebook besides the convenience. Furthermore, being an e-commerce service, I would actually say offering Facebook login is counter-productive because it may be perceived as a commercial use of your data (I know its irrelevant, but you would be surprised how often I have heard this)
Also one should note that the averaging 30% really isnt that bad. 50% would mean its completely random, meaning there wouldn't be a preference either way. I wouldn't say people hate being forced at all.
For obvious reasons, this post is biased towards selling their service.
Facebook is for me to chat with friends and all of us to post photos we may or may not regret when we sober up. I neither need nor want to tie any more of my life to it.
However, from talking directly with some of our user's most of them are telling me they avoid these features because they don't understand what the long term effects might be. Apps who have abused Facebook and stories about potential privacy concerns in the media have left a bad impression on them regardless of what Facebook has done to 'fix' the problem.
Plus, Mozilla is dog-fooding Persona all over the place[1], so we're personally invested in getting this thing right and keeping it working.
[1]: Bugzilla, MDN, Etherpad, Mozillians, Metrics, Popcorn, OpenBadges, Marketplace, Add-on Builder, Flicks, and Affiliates all use Persona, with more to come.
BrowserID is new, and awesome. My fear is that a good universal login needs to support both Mobile Safari and Google Chrome on Android, and due to their childish fighting, it's unlikely anything client side can work on both, to the detriment of users and Internet security as a whole.
Desktop browsers are a lot easier (extensions, and browser choice), but mobile/tablets makes this all a lot harder than it was a few years ago. :(
I can undestand why so many do it, they have IT on the cheap and instead of doing a local login option you pick facebook and leave all authentication down to them and there API's. But that's there choice.
Eventualy some law will pass forceing companies to allow the user to pick which social login persona they wish to use and that will be that, repeat of the whole unbundle IE affair remixed for today playing out with social media login's. We shall see, but until then everybody has a choice they just need to execute it more often than they do.
people login with facebook when they want the experience to be social.