Social Login Myths Debunked - elie_CH
https://medium.com/about-oauth/7-social-login-myths-debunked-8a8115108e9c

======
tsmash
ugh, i was really hoping to see some data, not opinions

~~~
elie_CH
I'm working on an article with the data that we have (conversion rates, impact
of permissions asked, etc.). Will publish :)

~~~
robertknight
How far do you have data going back? It would be interesting to see whether
user attitudes towards social logins have changed over the past 3-4 years.

------
ASneakyFox
I like reddits system. Pick a user and pass. All other fields are optional,
and you can fill them out later if you wish or as needed.

Imo if your website doesn't use that system its because you're more interested
in collecting and selling my private information than you are providing me
with whatever service you want me to sign up for.

------
scrollaway
These arguments are not arguments in favour of social login, they are
arguments in favour of _third party authentication_.

OAuth as an authentication method is stupid. Use Persona
([https://www.mozilla.org/en-US/persona/](https://www.mozilla.org/en-US/persona/)).
Third party auth done right.

~~~
saurik
Persona assumes something trivially false for most end users: that email
addresses are canonical and precious; in fact, email addresses tend to be
recycled (by schools and ISPs), users have many of them (causing them to never
remember which one they are using, a problem compounded by the usage of clients
that aggregate their email together), and they are extremely temporary (users
throw them away and get new ones when they start getting too much spam, and
are even forced to do so when they change jobs, graduate from school, move to
a new area, or simply change email providers, as even savvy users tend to rely
on third-party domains, including gmail.com).

This makes persona both frustrating for the user (having to do account
migrations at the least convenient time _on every website they use_, always
using the least convenient flow as by the time they notice they have already
lost access to their old email address) and insecure for everyone involved
(the situation where a user's account is compromised when their email address is
recycled is bad for everyone). In comparison, users tend to have one account
on Facebook, and that account is theirs and theirs alone essentially forever.

Facebook has amazingly well-engineered mechanisms to do account password
recovery (my favorite is the one that shows you uncommon pictures of your
friends--old shots, people in Halloween costumes, etc.--and asks you to
identify them), the account has a username independent of email addresses (to
the limited extent to which email addresses matter, if the user changes
addresses Facebook will be the first thing they think of to update _before_
they go through with the process, and even if they don't they will catch it
immediately as most normal users use Facebook often), and Facebook provides a
central location to store a bunch of common profile information (in particular
a picture) that the user will actually keep up to date (which is pleasant for
both the user and the website). Using Facebook as a login provider actually
solves problems for both users and website operators in a reasonably secure
manner.

Users on websites like Hacker News, developers, the kinds of people who build
websites, sadly don't notice these problems, as they are the kind of people
who value email addresses and understand the issues related to security if
addresses are reused: this is fundamentally unlike a normal user or sadly even
a normal system administrator. I have been saurik@saurik.com since 1997 and
will be until the day email is dead: I was really argumentative any time my
University asked me to use saurik@cs.ucsb.edu (an address they later cancelled
on me and recycled :/) and so avoided third-party addresses, and noticed the
canonicalization problem after only a year of saurik@poboxes.com (a service
that happened to also help users get "vanity" email addresses, as users care
more about cool addresses on domains like starfleet.com than ones that won't
change). I am not typical: Persona, sadly, is designed for users like me at
the exclusion of normal people :(.

For more details about these issues, I will refer you to earlier discussions
of Persona and social login mechanisms, where I provided much longer comments,
examples, walkthroughs, etc.

[https://news.ycombinator.com/item?id=7243021](https://news.ycombinator.com/item?id=7243021)

[https://news.ycombinator.com/item?id=5408735](https://news.ycombinator.com/item?id=5408735)
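
The recycled-address failure mode described in this comment, as an added illustration that is not part of the thread and not Persona's or Facebook's code: a toy account store with two linking strategies. The email-keyed strategy grants the account to whoever currently proves control of the address, so a recycled address hands the old owner's account to its new holder; the subject-keyed strategy looks up the account by a stable, provider-issued identifier and treats the address as a mutable contact attribute, reporting an address collision instead of silently granting access. The `subject` field, the `Assertion` shape and the Alice/Bob scenario are constructed for the example; Persona's own assertions identify the user by email address alone, which is exactly the property under dispute here, so the subject-keyed path is what a provider with a stable user ID offers.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    account_id: int
    email: str    # mutable contact attribute, not an identity key
    subject: str  # stable, provider-issued identifier (constructed for this example)


@dataclass
class Assertion:
    """A verified login assertion (constructed shape): the provider vouches that the
    bearer currently controls `email`; `subject` is a stable opaque ID for the account
    at the provider. Persona-style assertions carry only the email part."""
    email: str
    subject: str


class Store:
    def __init__(self) -> None:
        self.accounts: Dict[int, Account] = {}
        self._next_id = 1

    def create(self, email: str, subject: str) -> Account:
        acct = Account(self._next_id, email, subject)
        self.accounts[acct.account_id] = acct
        self._next_id += 1
        return acct


def login_keyed_by_email(store: Store, a: Assertion) -> Tuple[Account, Optional[str]]:
    """Email-keyed linking: whoever proves control of an address gets the account
    bound to it. Nothing distinguishes the original owner from a later holder of a
    recycled address, so this path never reports a conflict."""
    for acct in store.accounts.values():
        if acct.email.lower() == a.email.lower():
            return acct, None
    return store.create(a.email, a.subject), None


def login_keyed_by_subject(store: Store, a: Assertion) -> Tuple[Account, Optional[str]]:
    """Subject-keyed linking: the account is found by the stable subject. An address
    already bound to a different subject is reported as a conflict for manual
    re-verification rather than used to grant access."""
    for acct in store.accounts.values():
        if acct.subject == a.subject:
            return acct, None
    conflict = None
    for acct in store.accounts.values():
        if acct.email.lower() == a.email.lower():
            conflict = (f"{a.email} is already bound to account {acct.account_id}; "
                        "re-verify before linking")
    return store.create(a.email, a.subject), conflict


def recycled_email_scenario() -> dict:
    """Constructed walkthrough: Alice registers with a school address; the school later
    recycles that address to Bob, who logs in with a valid assertion for it."""
    results = {}
    for name, login in (("email", login_keyed_by_email), ("subject", login_keyed_by_subject)):
        store = Store()
        alice = store.create("alice@school.example", "sub-alice")
        bob_assertion = Assertion(email="alice@school.example", subject="sub-bob")
        acct, conflict = login(store, bob_assertion)
        results[name] = {
            "alice_id": alice.account_id,
            "bob_got_id": acct.account_id,
            "takeover": acct.account_id == alice.account_id,
            "conflict": conflict,
        }
    return results


if __name__ == "__main__":
    for strategy, outcome in recycled_email_scenario().items():
        print(strategy, outcome)
```

Keying on the stable subject does not by itself fix the user-facing migration pain the comment describes (a user who lost the old address still has to prove who they are some other way); it only stops the new holder of a recycled address from inheriting the old account, and it turns the collision into a detectable event that can be logged and reviewed.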

~~~
scrollaway
> Persona assumes something trivially false for most end users

No. No no no no no. No.

This is not "trivially false". Maybe if you said "Persona assumes something
which is false for some end users" then you would have a point.

What persona does is _being practical_. You are identified by an email address
which is already the way most people are identified on the web (immediate
integration with existing services and no introduction of a new concept such
as a "URI identity" a la openid).

Your email address can still be updated as long as you own it and the web app
allows it, as you would expect. But using a username instead of an email
address would be worse. How many times have I changed my username? I love my
current one but it is short and not always available: I sometimes have to use
an alternative one. Not to mention the times people outright steal my
username; something they cannot do with an email address for obvious reasons.

Please. Persona does have flaws, so don't waste time burning it on a non-issue.