
Anonymous Login - aburan28
https://developers.facebook.com/products/anonymous-login/
======
stickfigure
This is absolutely _horrible_ for the open web.

What this means is that users who sign in to your website with this are
Facebook's users, not your users. Facebook controls them and decides if and
when your access to them shall be revoked. At least with an email address, you
can bootstrap an independent relationship. Not here.

Mozilla Persona got this right - authentication should be decentralized and
establish an independent relationship between website and user. Too bad they
gave up on it.

~~~
rkuykendall-com
> At least with an email address, you can bootstrap an independent
> relationship. Not here.

Wait, what if I want that? I'd say 95%+ of sites I sign up for I am just
trying out. I _don't want_ an independent relationship to be bootstrapped, I
just want to play with the site. Chances are, after a week I will never see it
again. But instead, I get a newsletter, and have to unsubscribe. Then I get a
friend notification or something, and unsubscribe from those, or try to find
out how to deactivate or delete my account.

> Facebook's users, not your users

Yes, that's true. I am a Facebook user. I have an account there, which I use.
Why should I spread my email around to sites I don't really consider myself a
user of, just because I want to save my game or explore the app or something?

~~~
stickfigure
Congratulations, you've just handed ownership of your electronic life over to
Facebook. Now _your_ access to the internet is gated by Facebook. What? You've
used a nickname or an inaccurate photo or you're a sex offender or a drug
offender or you've had a DUI or enough people have flagged you? Say goodbye to
your entire internet identity, time to start from scratch - assuming FB
doesn't recognize your IP address and ban you.

The risks of submitting an email address are overblown. Websites are
_terrified_ that you will click the 'spam' button. They don't put those little
'unsubscribe' links at the bottom because they want you to click on them.

I was one of the early adopters of the Facebook platform and 'social login'.
Now I think it's a menace. They aren't doing anyone, except themselves, any
favors with this.

------
Flimm
Oh Mozilla. How I wish that you had finished your BrowserID project! Now we
have to trust Facebook with this idea instead of you.

~~~
buro9
I still use Persona on over 300 sites for 50k+ users.

It remains one of the best auth components I've ever used, and I have zero
issues from users relating to it.

What sucks is that at some point I'll have to remove this great component
because they stopped working on it, and will inevitably sunset the hosted
service.

~~~
Tepix
The server service is open source, isn't it? Just run your own.

Still a shame they are no longer pushing it, however.

~~~
buro9
That will suffer bitrot.

It will also lead to many people having to maintain something that they were
choosing not to maintain. i.e. a complex piece of software responsible for
security.

------
laurencei
This doesn't make much sense.

If someone is worried enough about privacy - then why are they even logging in
via their Facebook profile in the first place? Realistically you would just
use a throw-away email account and then no one knows.

Secondly - as a developer - why would I want to accept anonymous logins? If I
did - then I can just let them create a username + password with no email
account instead?

~~~
yeldarb
As a developer I want to use this to persist and sync data between devices. It
provides a unique identifier I can use for the user before they trust my app
enough to want to login.

We have found that a significant number of users will just quit the app if
presented with a "sign up or login" with Facebook screen at the beginning of
the flow.

With this, they don't have to give us any personal data and can start using
our app right away. If they want to activate social features later it is
really easy to upgrade their token without having to worry about merging
accounts.

Edit: regarding the user side, the problem for a lot of users isn't that they
don't trust Facebook. It's that they don't trust the random app/website that
is asking for their Facebook data.

~~~
wnevets
> We have found that a significant number of users will just quit the app if
> presented with a "sign up or login" with Facebook screen at the beginning of
> the flow.

That's me 90% of the time.

~~~
acdha
Ditto – it's similar to the push notification / run in the background prompts
on first run, where I have nothing invested in the app and don't even know if
I’ll use it.

I like this because it allows the developer to solve things like unique sync
accounts and only ask me for more info after I've liked the app enough to want
to do something like share it.

------
chinathrow
Don't forget, that this is not so much anonymous towards FB. They have enough
tracking power (mobile and web) to link the dots.

~~~
meowface
Technically speaking, of course they do. Google can also read all your emails.

But I'm not sure Facebook would bother doing so. Hopefully the privacy policy
regarding anonymous login specifies what they will or won't track.

~~~
dec0dedab0de
It is in their direct interest to do so. They could use that information to
better target ads, and to keep an eye on the popularity of potential
acquisitions.

~~~
gohrt
It's not in their interest to get sued for violating their privacy policy.

------
clukic
This is a small feature change with a big marketing angle. Facebook has been
cutting the minimum amount of information shared when you "Connect with
Facebook" with each iteration of their API. At launch, Facebook literally
shared all of your information and most of your friends' information by
default with no way to limit it. Then they pared it back to selective requests
with a minimum of name, gender, and email. Then name, gender, and anonymized
email. Then it was name and anonymized email. And now it is just a token
specific to that site and nothing else.

They started by building what site owners and developers want - everything
about a user without having to build a complex form and have the user agree to
fill it out. And they ended up with what the user wants - to share nothing at
all with the site owner and fill out no forms.

My guess is this will be stupidly successful, and good for absolutely no one,
but Facebook.

~~~
TeMPOraL
> _My guess is this will be stupidly successful, and good for absolutely no
> one, but Facebook._

Why? I see it being very good for Facebook users. I'm very happy about not
giving any data about myself to random websites I want to check out just once.
I especially look forward to the amount of spam (er, value-added marketing
e-mails) it cuts out of the circulation.

------
smoyer
This is in no way an anonymous login ... Facebook knows exactly who you are
and what application(s) you're logging into. In fact, it's more data to mine
so they can serve you targeted advertising.

The proper term for this is "Federated Login". Most enterprises have some form
that's used for SSO.

~~~
iiiears
@smoyer You have no need to question, citizen. Facebook coined a double plus
good term and you accuse them of pettifogging, redefining words, Newspeak.

------
fredley
This looks great to me, if it works as I imagine it does: use Facebook to
authenticate myself to services, but don't give them any information about me
- just an anonymous token.

I want to be able to use the convenience of Facebook login, but usually I
don't because I'm worried about how much data the app I'm authenticating with
has access to.

~~~
vitalus
They tell you exactly how much you're authorizing when you opt in to login via
Facebook, right?

------
TeMPOraL
For a Facebook user like me, this is awesome. It's really irrelevant how much
I trust Facebook (if at all) - I trust someone's random startup less. Giving
me an option to use something while not giving the other side enough
information to spam me with crap or milk me for marketing money is a win.

------
Aoyagi
OK, so I take it this is "anonymous" only for the application owner, Facebook
still knows exactly where you log in, when and whatnot.

So, and please correct me if I'm wrong, this is just logging in using Facebook
without (probably) sharing "any" data with the software provider, right?

------
guelo
This is for services that don't need to email users but want to remember them
across devices. You're lowering the barrier to entry somewhat but you still
have a barrier just to provide the cross-device feature. Why not remove the
barrier completely by just using cookies, and then later after the user has
created enough state, and is presumably hooked to your service, give them the
option to add the cross-device feature. You might even have enough goodwill at
that point to be able to ask them for their email without having to use
Facebook as a crutch.

~~~
declan
I think <guelo>'s advice above is sound. I learned this lesson myself after
testing early versions of [http://recent.io](http://recent.io) -- there's a
high barrier to convincing users to type in an email address and password,
even if it's for personalized news recommendations across multiple devices.
It's not necessarily a trust issue -- it's simply a hurdle. Fortunately there
are other ways to do it...

------
greenjellybean
[https://en.wikipedia.org/wiki/SQRL](https://en.wikipedia.org/wiki/SQRL)

------
sushimako
I wonder if Facebook will release an according `Anonymous Mail` feature. A way
for site owners to reach their `Anonymous Login` users by sending
notifications, newsletters, etc right into their FB inbox.

This would surely attract site-owners by providing them with some kind of
communication-channel to their users which is important for acquisition,
retention, marketing and all that other stuff programmers usually don't like
to do :)

The user can unsubscribe/delete account with a click and never gets spam in
his inbox for sharing his contact details. Did Persona give away the email-
address to site-owners or were there attempts at something like described
above (even if persona were just to act as a proxy to your email via api)?

~~~
TeMPOraL
> _This would surely attract site-owners by providing them with some kind of
> communication-channel to their users which is important for acquisition,
> retention, marketing and all that other stuff programmers usually don't
> like to do :)_

Yes, please. Give me a throw-away app-specific inbox but make sure that I can
completely ignore it. It's not only programmers that don't like "acquisition,
retention, marketing" - as a user I don't like being subjected to it either.

------
csbrooks
I get how this works when I'm using a single device. But how do you identify
that you're the same anonymous account when you switch from one device to
another, without giving any personally identifying information?

~~~
laurencei
I'm guessing this is linked to your Facebook account. So Facebook knows who
you are - just the "3rd party" website doesn't.

------
placeybordeaux
I think that for the people that do use Facebook this actually does have a
decent value. Useless for people that are actually worried about their privacy
though.

------
simonw
This has been in beta since Facebook's F8 conference nearly a year ago. Has
anyone here tried it out in their app yet, or encountered it in the wild?

------
bluepill
I tried to apply for the beta but it requires a FB account, which I obviously
don't have since I want to stay anonymous ...

------
yk
How is this supposed to work? Does this create a temporary FB profile, and you
can then log in via FB's OAuth?

~~~
yeldarb
Basically. Facebook already switched to using "app scoped ids" last year. So
each app gets a different unique identifier for a Facebook user.
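
An added example, not part of the original thread and not Facebook's implementation: one way a provider could issue the "app scoped ids" described above, so the same account gets the same identifier on every device within one app but unrelated identifiers across apps. The HMAC derivation (similar in spirit to OpenID Connect pairwise subject identifiers), the key, and all names are assumptions.

```python
import hashlib
import hmac

# Constructed key held only by the identity provider (assumption).
PROVIDER_KEY = b"constructed-demo-key-not-a-real-secret"


def app_scoped_id(provider_key: bytes, app_id: str, user_id: str) -> str:
    """Derive the identifier one app sees for one provider account."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(
        len(part).to_bytes(4, "big") + part
        for part in (app_id.encode(), user_id.encode())
    )
    return hmac.new(provider_key, msg, hashlib.sha256).hexdigest()[:32]


class App:
    """Relying party: stores state keyed only by its own scoped id."""

    def __init__(self, app_id: str):
        self.app_id = app_id
        self.state = {}    # scoped id -> saved data
        self.profile = {}  # scoped id -> data shared after an upgrade

    def login(self, scoped_id: str) -> dict:
        return self.state.setdefault(scoped_id, {})

    def upgrade(self, scoped_id: str, shared: dict) -> None:
        # Same key as the anonymous record, so nothing has to be merged.
        self.profile[scoped_id] = shared


def demo():
    game, news = App("app-game"), App("app-news")
    alice = "provider-account-1001"  # constructed; never sent to the apps
    # Phone and laptop both authenticate to the provider as the same account.
    id_phone = app_scoped_id(PROVIDER_KEY, game.app_id, alice)
    id_laptop = app_scoped_id(PROVIDER_KEY, game.app_id, alice)
    game.login(id_phone)["level"] = 7
    synced = game.login(id_laptop).get("level")  # state follows the user
    id_news = app_scoped_id(PROVIDER_KEY, news.app_id, alice)
    game.upgrade(id_laptop, {"name": "Alice"})  # later opt-in to sharing
    return synced, id_phone == id_laptop, id_phone == id_news, game.state[id_phone]
```

The provider can still map every scoped id back to the account, which is the point several commenters raise: the identifier is pseudonymous toward the app only.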

------
vitalus
I'm curious to see if we would see a lower bounce rate w/ anon login compared
to regular FB login.

------
lucb1e
I was so hoping for anonymous logins on Facebook, like they announced a little
while ago on mobile if I recall correctly (Rooms or something?). But it's only
for SSO.

------
valevk
This is solely made, because people are afraid to use Facebook to login
anywhere, because they don't want their friends to know.

~~~
darkstar999
No, I don't want some random website knowing my name, email, and friends list.
This solves that problem.

~~~
rabbyte
Facebook created that problem.

~~~
bduerst
Websites were still requiring email addresses, mailing addresses, phone
numbers, etc. before universal login.

If anything FB is closing the loop.

~~~
rabbyte
I was there before Facebook changed the expectation. Obviously companies
retrieved this information in other ways before federated identity but the
idea that you can't get an app or a service without handing over your real
name and friends list is entirely on Facebook.

------
msoad
Note that the app doesn't know about you, but Facebook knows about you using
that app because they can see all the API calls.

------
higherpurpose
Should be "Anonymous" Login.

------
curiously
Why would I use Facebook to build an anonymous login function?

------
blueskin_
>facebook

>anonymous

Very funny.

"Sure it's anonymous, just trust us..."

------
JustSomeNobody
I spit my coffee.

Why isn't an entity with a more trustworthy past in handling privacy doing
something like this? What entity would even qualify?

