
Ask HN: What percentage of your users are using social login? - honksillet
In the first quarter of 2018, what percentage of your users have been using social login (Facebook/google/etc) for your projects?  I've never liked the idea of using social login as a customer, but I don't want to alienate users as a dev.
======
jfaucett
All my side projects and any projects I control use exclusively social login.
Here's why.

1\. It's way easier on me. I don't have to worry about password resets or users
hacking an account in the site. OAuth and be done.

2\. I don't have to deal with any outgoing or incoming emails and complaints
dealing with login.

3\. I don't have to worry about scammers, since google/facebook pretty much
require phone, a non fake email, 2 Factor auth, etc to sign up. So I can put
all that overhead onto google and get the added benefit that most of the users
signing up are legit.

4\. Legit users. I can't say enough how much having legit users helps the
overall quality of almost any platform. Allowing people with a fake-email to
sign up and create accounts allows for all kinds of headaches that are largely
avoided by using exclusively social sign in.

5\. Simplicity. One Click login, where the user immediately sees what
information I want to collect and can say yes/no. Login/Sign-Up is done in
literally one click.

~~~
f2n
I am unlikely to use your site if it requires me to use a Google or Facebook
login. Those companies already have too much power to fuck my life up, I have
no interest in giving them any more.

~~~
monk_e_boy
I was like you, until I looked at my unique login/pwd combinations.... there
were so so many. I can't remember them all, I switch computers (I'm a teacher)
a lot. Logins are so stupid, I've been able to look at my laptop to unlock it
for years, touch my phone to unlock it.... login and passwords are going so I
don't mind using google to log in for a few years while the rest of the world
catches up.

For students google log in is essential. Having to create an account, then
click a link in an email, then use a site is too hard. It takes too much time
and there are too many points of failure. So 99% of comp sci teachers are
choosing sites with social logins. So future programmers are all going to
prefer them.

~~~
StanislavPetrov
> For students google log in is essential. Having to create an account, then
> click a link in an email, then use a site is too hard.

A truly withering indictment on these students. When even the simplest, most
straightforward of tasks is "too hard" for students, the future is very bleak.

>So 99% of comp sci teachers are choosing sites with social logins.

An equally withering indictment of Computer Science teachers. I would
certainly protest loudly if I was forced to hand over my personal information to
an intrusive, third-party corporation to participate in a class.

~~~
monk_e_boy
ha! I thought like you, then I became a teacher.

Stuff like logins are so inconsequential compared to the rest of the lesson.

~~~
StanislavPetrov
On the contrary, I'd argue that the ability to perform simple tasks is a
prerequisite to proper education. We are raising a generation of children
unable to perform basic tasks.

~~~
monk_e_boy
haha, my students are pretty smart. You have to remember that what we think as
cutting edge is still hard work for a kid who's never seen a PC before.

------
seveibar
I'm a cofounder at CollegeAI.com. Our users can sign up via Facebook, Google
or Email. Here are our stats:

Google: 58% Email: 23% Facebook: 19%

Most of our users are around 18yo.

~~~
e12e
Do you have stats on how many sign up with Gmail (or Google mail account) -
but as "email"?

~~~
seveibar
59% use a gmail when they sign up with email. Many of the users on our
platform will use their school emails, so this might not be representative of
other sites.

------
scrollaway
100% (Blizzard login). My site is based on a Blizzard game, so it doesn't
really make sense to have an account unless it's linked to a blizzard account.

But what that means is that if your upstream login provider is down or having
issues, your users can't log into your site, so don't do this unless it
_really_ makes sense for you.

[https://cdn.discordapp.com/attachments/282271461853626368/42...](https://cdn.discordapp.com/attachments/282271461853626368/426471681800929296/unknown.png)

OTOH, we don't really have to deal with spam; that part has been nice.

~~~
pvg
Have you written much about your site/service elsewhere?

~~~
scrollaway
Not terribly much. Feel free to ask if you wish to know anything.

------
somishere
Citizensgbr.org:

Email 50% Facebook 35% Google 15%

Our email setup is a passwordless/magic-link implementation built on top of
Firebase's email login, similar to Medium and others. We get a significant
amount of grief about it, mainly due to emails being delayed or ending up in
spam/routed folders. But also due to the links sometimes opening in a
different browser to the one currently in use. There is no plan to allow users
to set their own password.

We generally suggest using social login when there is a problem with email but
we have a lot of push back. In our experience people using email do not trust
social login, based on what they think we are getting access to, and what we
might do with the data. [To be clear we collect the absolute minimum data
required for social login, (email address, name, Id, avatar url) and use it
only to create the account/authenticate the user]

We are considering trialling mobile phone auth in the not so distant future.

------
motdiem
My current project doesn’t implement social logins yet. On my previous one, on
a B2C niche site, I’d say maybe 30% used social logins. One thing you want to
consider is allow users to login in multiple fashions - like if you recognize
an email that is already a social login, offer them a way to create a site
password too. In my case, maybe 80% of support requests we got were people
forgetting they signed up with a social login and then wondering why their
passwords weren’t working.

------
stickfigure
I have a B2B app. It allows Google Sign-In only. My last B2B app was the same.
Nobody complained.

Understand your audience. If you can just go with something like Google, do
it; you'll save a ton of time and can focus on developing features your
customers are willing to actually pay money for. Authentication method is not
usually a value proposition.

Only implement multi-service auth as a last resort. It's great for mass-market
consumer apps, but the development workload is significant and you will end up
with a support workload for merging accounts no matter how clever your
implementation is.

~~~
sebleon
> development work is significant

Not true, these guys invested a lot in making their sdks easy to integrate.
You should be able to have fb/twitter/Pinterest/etc login in an afternoon

~~~
hamstercat
Parent is talking about the time it takes to integrate multiple ways to login,
and I agree with him. When you implement only one way (be it social login with
Google/Facebook/etc or an email/password combination depending on your target
audience) it's usually easy. When you have multiple ways to login, you end up
having to (1) maintain more code, but also (2) need a way to reconcile users
who end up signing in with multiple methods.
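
Reconciling users who sign in by more than one method, as motdiem and hamstercat describe, sketched as an added example (not part of the thread or any poster's code). `AccountDirectory`, its outcome strings and the sample identities are hypothetical; the assumption is that accounts are keyed by (provider, subject) and merged by e-mail only when both sides have verified the address.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: int
    email: str
    email_verified: bool
    identities: set = field(default_factory=set)  # {(provider, subject)}


class AccountDirectory:
    """In-memory stand-in for the users and identities tables (hypothetical)."""

    def __init__(self):
        self._by_identity = {}  # (provider, subject) -> Account
        self._by_email = {}     # normalised e-mail -> Account
        self._next_id = 1

    def sign_in(self, provider, subject, email, email_verified):
        """Return (account, outcome) for one successful authentication."""
        key = (provider, subject)
        # 1. A known identity wins, even if the provider now reports a
        #    different e-mail: the subject id is the stable key, not the address.
        account = self._by_identity.get(key)
        if account is not None:
            return account, "existing"

        email = email.strip().lower()
        existing = self._by_email.get(email)

        # 2. Nobody holds this address yet: create a fresh account.
        if existing is None:
            account = Account(self._next_id, email, email_verified, {key})
            self._next_id += 1
            self._by_identity[key] = account
            self._by_email[email] = account
            return account, "created"

        # 3. Same address, different login method. Merge silently only when
        #    both the stored account and the new assertion carry a verified
        #    address; otherwise an unverified sign-up could end up attached
        #    to someone else's account.
        if email_verified and existing.email_verified:
            existing.identities.add(key)
            self._by_identity[key] = existing
            return existing, "linked"

        # 4. Fail closed: the caller should make the user prove ownership
        #    (for example by logging in with the original method first).
        return None, "verification_required"


if __name__ == "__main__":
    d = AccountDirectory()
    # Constructed sample identities.
    print(d.sign_in("google", "g-123", "ann@example.test", True)[1])
    print(d.sign_in("facebook", "fb-9", "ann@example.test", True)[1])
    print(d.sign_in("password", "ann@example.test", "ann@example.test", False)[1])
```
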

------
rutierut
For a while I used it almost exclusively until I realized how much I was
fucking my users over just because I was too lazy to properly implement a
password system (still do not store them myself) besides the already huge
power these corporations hold you make it very hard for users to delete their
account with them by letting GlobalCorp™ hold their other accounts hostage.

~~~
fiddlerwoaroof
It’s funny how back when sites like StackOverflow were starting up, “social”
logins like OpenID and, later, OpenID Connect were going to replace passwords.
Now it’s “just use a password manager”.

Of the two, I strongly prefer a federated login system like OpenID that lets
the user pick an identity provider

------
jiveturkey
There's an evil with social login in that you give up the knowledge of your
social (presumably personal) network to random 3rd parties. That's even worse
than email address.

With password managers being essentially mandatory now, it's not too hard to
create a new email/password based account for every new site.

But recently I realized that I don't use my FB for anything. I have zero
friends, don't allow friend requests and am unsearchable AFAIK. So now I am
going to start using that account for social login, that way I don't have to
bother with email/password.

~~~
tootie
I don't think password managers have as much penetration as you think and they
only work on devices you own.

Social login doesn't necessarily give up that much info. Your social network
knows who logged in to. The third-party only gets whatever info you accede to
which usually is just an email address or name.

The huge bonus to users and site owners is that that site isn't storing a
password for you. It's easy to screw up password storage.

~~~
chiefalchemist
I think you just made a case for DuckDuckGo or (e.g.) LastPass to provide an
authentication service.

Mind you, products would have to adopt it. But from a sec + privacy
perspective it makes sense to have a 3rd party whose biz model isn't to
harvest your personal details.

~~~
web007
This was OpenID, which lets you choose your third-party provider at will, or
even self-host.

It's mostly dead now. People wanted the convenience of FB/GOOG/TWIT over the
freedom of self-hosting.

~~~
rhizome
But everybody just uses some library for that stuff, I wonder why there aren't
visible "Log In with [list of 80 OpenAuth providers]" sites or services.

~~~
fiddlerwoaroof
The issue is UX: I’d much prefer a widget that had three or four common
providers and then an advanced mode that lets me pick an alternative

------
wkrause
I'm the creator of Langliter, which launched a little over a month ago.

40% email

30% Google

30% Facebook

Google might be a little under represented due to a bug (was fixed within a
couple days) that prevented some Android users from using it to create an
account.

~~~
tootie
When you say email, you mean email as username plus a password? Or you mean
like TOTP via email?

~~~
wkrause
Good point, I mean user name and password, with an initial verification email.
If you use the email option, you can't get into the app without first clicking
a verification link in an email. That caused a few headaches after launch when
my transactional mail service didn't have a great delivery rate. Still the
right thing to do from a security perspective. I do have a big "preview"
option on the login page for anyone looking to kick the tires before
committing to creating an account, which hopefully compensates for some of the
added friction in the verification process.

~~~
beagle3
What are you using to get a good delivery on transactional mail?

~~~
wkrause
Nothing high tech. Started out monitoring failed deliveries and sent out
verification requests manually to get over the first week or two. I noticed it
was failing consistently on Microsoft domains, so contacted the provider and
they reassigned an IP which improved things. Other than that, I have a really
high open rate, but I'm not going to pretend I know much about the intricacies
of building a domain's reputation. I'm using Mailgun btw. Can't really compare
it to other services personally, but their support has been great especially
given that my service isn't large enough yet to need more than the free tier.

------
Jack000
32% username password

57% google

rest facebook/twitter

out of 7291 users, via auth0 (for my project brandmark.io)

~~~
yowlingcat
Your project's awesome! Definite step up from a couple other tools that
attempt to do the same thing. Came up with a couple good concepts for an idea
I've been tooling around with for a while!

------
kaycebasques
For my little side project I’m using email only.

Tangentially related, I quite like Medium’s workflow where you don’t need to
enter passwords anymore. You just enter your address, they send a login email,
you click the link in your email, and it redirects you to Medium, logged in.
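
The e-mail login flow described above, sketched as an added example that is not part of the thread and not Medium's or any poster's code: a single-use, expiring link token of which the server stores only a hash. `MagicLinkStore`, the 15-minute lifetime, the `example.test` URL and the optional browser binding are assumptions; with binding enabled, a link opened in a different browser than the one that requested it is rejected.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed link lifetime, not a value from the thread


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class MagicLinkStore:
    """In-memory stand-in for a table of pending login links (hypothetical)."""

    def __init__(self, clock=time.time):
        self._pending = {}   # sha256(token) -> (email, expires_at, nonce_digest)
        self._clock = clock  # injectable so expiry can be exercised in tests

    def issue(self, email, bind_browser=False):
        """Return (token, browser_nonce).

        The token goes into the e-mailed link. The nonce, if requested, is set
        as a cookie in the browser that asked for the link.
        """
        token = secrets.token_urlsafe(32)
        nonce = secrets.token_urlsafe(16) if bind_browser else None
        self._pending[_digest(token)] = (
            email.strip().lower(),
            self._clock() + TOKEN_TTL_SECONDS,
            _digest(nonce) if nonce else None,
        )
        return token, nonce

    def redeem(self, token, browser_nonce=None):
        """Return the e-mail address for a valid link, otherwise None."""
        # pop() consumes the entry on the first attempt, so a link copied out
        # of a mailbox later cannot be replayed.
        entry = self._pending.pop(_digest(token), None)
        if entry is None:
            return None
        email, expires_at, nonce_digest = entry
        if self._clock() > expires_at:
            return None
        if nonce_digest is not None:
            presented = _digest(browser_nonce or "")
            if not hmac.compare_digest(presented, nonce_digest):
                return None  # link opened in a browser that did not request it
        return email


if __name__ == "__main__":
    store = MagicLinkStore()
    token, _ = store.issue("user@example.test")  # constructed sample address
    print("https://example.test/login?token=" + token)
    print(store.redeem(token))  # first click logs in
    print(store.redeem(token))  # second click is rejected
```

After a successful `redeem`, the site would set its own session cookie; the link token itself is never reused as the session.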

~~~
Xeoncross
Interesting, I always assumed this would be too much hassle for users since
after the first login, the browser (mobile or desktop) would remember the
password.

Certainly seems like an optimum solution to typing a password on first login
though (assuming the email is prompt).

~~~
davnicwil
Couple of points, first of all the thing the browser can still remember is the
auth token in a non-expiring cookie. As the majority of users will rarely if
ever clear cookies or change browsers, this nullifies the password remembering
feature.

Secondly, particularly on mobile, tapping through to email and hitting a link
is probably faster and more convenient for most users than simply entering a
password on the keyboard.

It's just a shame it's such a pain to write automated tests that go through
the email login procedure compared to username/password ;-)

~~~
oddlyaromatic
I used a fundraising tool recently with this kind of passwordless workflow.
It's a tool that you only use once a year for about 30 days, and your
authenticated session can last about that long. Which means you do the process
once on each computer you use, and then you never have to remember the
password the next year. It's great.

------
buildbuildbuild
An interesting question but I caution you not to follow blindly in the path of
what has worked for other products.

The conversion rate of social logins with _your customers_ is the ultimate
metric to look at. They are trivial to implement, do some A/B testing with
your product and follow the metrics.

A CRM product, for example, might see almost zero social signups compared to
email. But an app for photo editing might see 90%. Know and serve your own
customers before following others' metrics. And good luck :)

------
osrec
We offer Google login on [https://usebx.com/app](https://usebx.com/app) .
Usually 50% of users make use of it. Some will just try it out with the Google
login and then sign up with their company email address.

~~~
asdojasdosadsa
Hey! Just a suggestion: Try to make the google sign in stand out a bit more,
for it to be easier to spot. Maybe the 'G' logo or something

Ps. Good looking demo

~~~
osrec
Thanks for the feedback - totally agree with you! We will incorporate the
change into our next release in a couple of weeks :)

------
SubiculumCode
As a user I detest social logins, and would prefer an account at the website
to which I want access. It is a privacy thing.

------
adtac
Curious: has anyone integrated Github login? What percentage of your users use
Github?

~~~
hamstercat
I'm also curious about it. I think it makes great sense for services that
target developers as their main audience, but I don't see it used a lot in the
wild.

~~~
thurt
example: codewars.com has a prominent "GitHub Login" button that precedes
email login

------
londev
At [https://chartlocks.com](https://chartlocks.com) we have around: 45% email
30% Google 20% Facebook 5% Twitter

------
hamstercat
In a previous job I had, I was responsible for the authentication service of
the organization (big B2C company). Even if it wasn't available from the get
go, over time about half of the logins were done with social media, Facebook
and Google in our case.

------
xialvjun
I have a Web Auth proposal about this, but no one cares.

[https://www.reddit.com/r/programming/comments/7p5yha/proposa...](https://www.reddit.com/r/programming/comments/7p5yha/proposalbuilt_in_private_key_authorization_system/)

[https://github.com/w3c/webauthn/issues/820](https://github.com/w3c/webauthn/issues/820)

[https://github.com/whatwg/html/issues/3337](https://github.com/whatwg/html/issues/3337)

------
ssimoni
Bbot (bbot.menu) - food and drink delivery system for bars and restaurants.

20% facebook, 20% email, 60% anonymous ordering only (most prefer to not get
an account to drink a beer obviously).

------
dethos
One of the side projects I currently manage has a social login implementation
and ~40% of the users use it, the remaining use the standard email flow.

------
danielskogly
Facebook login is all we have on Wishy.gift, which considering I really care
about privacy, might seem weird.

We use the login to auth, seed display name, and for the unique Facebook ID
that we only store hashed. There's no analytics of any kind on the site, and
except for the display name (which I'm planning on making editable) there's
nothing to identify a user if somebody gets access to the database.

One of the things we want to achieve with the service, is to make it hard or
very inconvenient to peek at what's been checked off in your own wishlist, and
therefore we only use 1 service for login.

It was and still is a really difficult compromise between simplicity, the
functionality of the service, and the privacy of our users - which includes my
entire family, SO, SO's family, several friends, and many others.

Having reached 200+ users as well, I'm not really sure how we'd go about
replacing it with something else as well.

------
arsalanb
I'm currently working on a project which has only social login (but allows you
to choose between facebook and google) and this was a very deliberate move.
For any given person on this planet, there is a higher chance that they use
facebook or gmail over any other "service", so no need to offer support for 10
different social logins.

Also, this is more about imposing a qualitative filter on the users who sign
up. If the earliest users you have don't like you enough to give you their
social login details (assuming, of course, you don't do something silly that
poses a security threat) then do they really like you enough?

I like to think of my earliest users as "apostles" (I even call them that. Not
to their face, but yeah) and they should have a bit of faith in the service.
If they don't, then they are not really apostles after all.

~~~
wepple
“If the earliest users you have don't like you enough to give you their social
login details ”

Perhaps I’m an anomaly, but if there is no regular email sign-up, I’m not
using your product, period.

There’s enough information floating around about me in databases all over the
world, I don’t need them to be further connected and linked.

To see the situation with FB/CA and then demand your users use their login is
insulting to me.

~~~
arsalanb
I built the log-in before the FB/CA situation and am yet to understand how it
may change things. However, I personally think people will move on from this
like nothing ever happened (which is sad)

~~~
Symbiote
> I personally think people will move on from this like nothing ever happened
> (which is sad)

Does that include you?

You could add the usual email login, or go further and prevent new Facebook
logins, or remove it completely.

------
ajeet_dhaliwal
This will probably depend on what market the project is in. Tesults does not
have a social login option but it is a business/dev app and not consumer so it
would be strange to allow a social login, you’re supposed to add your
colleagues/team from work using your work emails.

~~~
unilynx
It's still useful in a B2B context - the 'google' login button also works for
G Suite (google apps) accounts.

------
amyboyd
70% through FB, 30% through email/password. This is for a consumer-facing
mobile app.

Though just yesterday 2 people signing up said "I probably shouldn't use
Facebook now" and referenced the Cambridge Analytica news.

------
SlowRobotAhead
Side topic I hadn’t considered...

If you don’t use 2FA on your google or Facebook account, how are delegated
authentications any better than password reuse? They actually seem worse /
less secure.

~~~
sp332
You get to set permissions on a per-app basis, so that's a lot less access
than giving them your password. And if they abuse the access you give them, you
can deauth just that app instead of changing the password and breaking all the
apps.

Edit: I think you were asking about the other direction. It's still not as
bad, because if you are sharing passwords and any service was breached, all
your services would be exposed. But with delegated authentication, breaching
one service doesn't expose your whole account. The one exception is if they
breach Google or Facebook.

~~~
SlowRobotAhead
Gotcha on the edit, and yea that was the direction.

But if you lost the gmail/Facebook login you also lose all of the sites you
used. Classic single sign on issue.

------
davewasthere
60k+ users. Only offered Facebook login (as an alternative login) which less
than 1% of users actually use.

Audience is quite young though. 13-20.

That said, am reworking a similar site to allow all social auth as first class
citizen (Microsoft AD+Outlook/hotmail, Facebook, Google & Twitter) - as well
as supporting existing Email/Password auth. Will see how that changes things.

------
clementmas
60% of users on TravelMap.net register with a social account.

60% Facebook / 40% Google

The stats seem to vary depending on the types of clients.

------
MediaMonitorWD
I'm a media researcher with a PhD. Here are my stats:

55% Google

25% Facebook

20% Others

------
emmelaich
I would exempt the use of Google auth on dedicated Gsuite domains. I wouldn't
call them 'social' -- especially as things like G+ are disabled or
discouraged.

------
smoyer
None (we don't provide that option) but we know that users want this feature
and some of the software infrastructure we purchase supports it.

------
samblr
Does anybody here know who is using login with amazon? I just looked
it up - login with amazon is possible.

------
lossolo
0% of my over 10k users use social login. I do not allow social login because
of privacy concerns.

------
vortico
Tens of thousands, email + password only. Not one person has complained.

~~~
golergka
What's the product?

~~~
vortico
[https://vcvrack.com/](https://vcvrack.com/)

I handle password resets by hand when people email my support address. A
horrible solution, but it's a great form of rate limiting and prevents abuse,
and I only get 1 request/day average.

------
fairpx
I used to think social login were a must. But email login still seems to be
very popular. Many users told me they wouldn't sign up unless there was an
email option

------
fwgwgwgch
Not a fan so not defending but I wouldn't classify Google as social login.

~~~
monocasa
Email was the original social network (still left).

~~~
stanleydrew
Nah, the PSTN was the original social network. And they even developed the
first cloud app: voicemail.

~~~
gscott
Sorry, smoke signals were the first social network. Plus you couldn't even opt
out of them.

~~~
fwgwgwgch
They weren't even push in a way. You had to manually pull the messages. So I
don't think there's a question of opt out. :)

