

Why Facebook Connect Shouldn't Be Your Only Sign-in Option - dickersonjames
http://bijansabet.com/post/16980728547/why-facebook-connect-shouldnt-be-your-only-sign-in

======
Aqua_Geek
There's a good chance that if FB is the only sign-in option, I will
immediately close the window and never use your service. It's pretty much an
insta-bounce for me for the exact reasons cited in the article.

~~~
alttag
Me too, because I don't have a FB account. I actively avoid one. I'm being
excluded from marketing campaigns, contests, and give-aways because I don't
trust FB with my privacy.

~~~
tesseractive
I have a pseudonymous Facebook account with no one friended and no personally
identifying information that I keep around basically just for using services
that expect me to have a Facebook account.

~~~
pavel_lishin
You should probably be running something like Ghostery as well.

------
shawndrost
Here's my empirical stance: I've seen great conversion rates on that
screenshot, and I've never seen a compelling example of bumping conversion
rates through adding a username/password option.

Conversely, at the last place I worked, offering both options was the #1 cause
of customer support requests. People sign up through both paths, then ask why
everything is fucked. We ended up dedicating a lot of resources to a crystal-
clear UX to avoid this problem.

Finally, when someone signs up through Facebook, you're often able to offer
them a better product, because people empirically respond _really well_ to
their friends' faces, and everything else that comes with fb. Facebook
permissions also promote your business goals like woah.

I'm open to more information, but this article doesn't have any. "Giving users
only one way to sign in and FB as the only option is going to turn off a large
number of users"? I've reread that sentence several times and I can
confidently state there are no numbers in it.

------
tikhonj
I wonder if browserid[1] is a better alternative. It doesn't require a
Facebook account or anything like that and is actually surprisingly easy to
use (from the user's point of view). I only tried the demo, but it was
basically frictionless.

[1]: <https://browserid.org/about>

I haven't evaluated it completely, but it seems like the best option right
now.

~~~
rickr
This looks nice but it does seem like it's an extra step for users to go
through unless they are using this service.

Have you seen janrain? <http://www.janrain.com/>

------
antonlitvinenko
From the user's perspective, having several sign-in options is a source of
confusion: first day I sign in with Facebook... next day I come in and don't
remember which service I used to sign in with. And this time I try Twitter,
only to see none of my data.

How do you guys solve that problem? I think, this might be even the bigger
problem than having 20% or 30% "drop out" on sign up process.

~~~
nknight
Isn't the obvious 80% solution a separate cookie that just says "this browser
last logged in using service X" that the server can use to give UI cues?

~~~
antonlitvinenko
With a single device you're right... but this becomes a real problem when you
expect your customers to use multiple devices: computers at home, at work,
smartphone, iPad...

How would you suggest to your customer which login to use the first time she
tries to sign in on another device?

~~~
Drbble
Ask for username/email, then key off that. 80% solved.

~~~
rogerbinns
Would that be my personal email account, my gmail account, my other gmail
account, my university/alumni address, my work email or the other work email?

------
hexis
The Facebook connect image is somewhat misleading. Sure, using FB connect
_can_ involve a screen like that, but you can also present a simple screen
that only asks to "Access my basic information". Not nearly as confusing,
doesn't raise questions about surreptitious posting. You can ask your customer
for more access later, after you've earned trust in your relationship.

Further, some customer bases are perfectly happy using FB connect only. If you
object to logging in with Facebook, maybe you're just realizing that you're
not the target market for the product. No harm, no foul. If you end up
offering lots of log-in options and your customer base only really wants FB,
you waste development time and _actually_ run the risk of confusing your
customers.

------
feor
Facebook Connect shouldn't be your only sign-in option because some people
don't have and/or don't want to have a Facebook account. Simple as that.

~~~
Drbble
Some people are almost certainly not your revenue-generating customer for your
ad-supported social app. People who avoid advertising and social networking
are those people.

Mathematica offers a non-Facebook sign in. So does Safeway.

------
Xion
While I agree with the point that FB Connect should not be the only option, I
don't see how promoting password-based authentication is beneficial here.
Implementing a traditional user&pass auth. scheme:

1) Is _really_ hard to get right from the security standpoint
(<https://www.owasp.org/index.php/Authentication_Cheat_Sheet>)

2) Actually requires quite significant work. It might be easy to add short
sign-up and login forms to a site, but I doubt that implementing any external
authentication mechanism would be really that much more work. However, with
password auth. the work doesn't end here. We typically need password
reset/recovery and password change. The latter usually entails some kind of
profile/settings page, while the former might require at least a dedicated
login page.

In general, external authentication providers are good, as long as we don't
limit ourselves to a single one. Adding Twitter / Google / BrowserID / OpenID
/ etc. is not that much more work, as the whole flow can be somewhat
generalized. Having multiple authentication options also makes us prepared
(from implementation PoV) for eventual support of user&pass auth., should we
need it in the future.

------
pamelafox
For my service at eatdifferent.com, I've offered both Facebook signup and
email-password signup since starting the site, and I put a bigger emphasis on
Facebook on the signup screen. Even with that, about 25% of my users use
Facebook, and the rest go for email/password. I also sometimes unite an FB and
email account so they can use either.

I think there's a danger in giving users too many options, because it's easy
for a user to forget which one they used, but there's also a danger in _only_
offering a 3rd party sign-in, as some users just won't be up for it. For me,
FB + email is the happy medium.

But yes, there are a lot of little things to implement when you have your own
user auth system. I'm using Flask, a microframework that doesn't have a user
system built in, so I've had to code basic things like reset-password and
change-password from scratch. Worth it, though.

~~~
palish
Hi, just thought you'd be interested in hearing about my experience with
eatdifferent.com. Please disregard this if it's unwelcome (sorry!) ... I
figured website owners enjoy hearing first impressions, but this is kind of
awkward. But on the off chance that it's useful:

Homepage: interesting concept. I like the clean design and the gigantic
"start" button + "take a tour" option.

Next page: A little annoyed that I have to basically squint to see the
alternative to Facebook signin. No, I don't want to join your social network.

Signup page: I'll admit, the number of fields to fill out gave me pause. I
almost exited out. But I'll grudgingly give it a shot. (Specifically: you
don't need my last name, it makes me feel like you want to sell my info. You
don't need my location. You don't need my birthday, and the years starting
with "1900, 1901, ..." makes me feel like you want to sell my info. You don't
need my photo -- if I like your site, maybe I'll give one. But we just met.
The lack of a "confirm password" box makes me slow down and carefully type my
password, and makes me feel like closing the website. This is all happening in
the span of about 3 seconds.)

Next page: Perfect; absolutely perfect. The defaults are spot-on, and the
optional infotext (question mark buttons) is nice.

Next page: Hmm.... Reminders? I don't really want annoying reminders yet; I
just want to see what your site is like. The lack of a 'skip this' button
would make me close the site.

Next page: You want me to spam my friends. No... thanks.

Next page: We're at step 5. It's now gone from cute to annoying. No, I don't
want to share my food logs with the world.

Done with the signup. Then you show me <http://screencast.com/t/NXMzgOjjR50q>
... it's not really clear what I should be doing next, or how it will benefit
me. I think there's probably just too much raw text. Separately, each element
is good -- "Prep your pantry", for example. And I like handy guides. But the
sheer number of things I could be doing next makes me close the page and hope
you don't spam me too much.

Apologies if this wasn't useful. I assume website owners like honest feedback,
and understand that my viewpoint != the average person's. I have no idea
whether your site is good or bad; I was just broadcasting my raw thoughtstream
as I went. For example it might be a bad idea to cut the "invite friends"
step, even if I am personally annoyed with it -- maybe it's valuable in
practice. I don't know.

Best of luck to you!

~~~
pamelafox
Just responded via email, thanks for the feedback!

------
ben1040
Someone please tell this to Spotify. It's a little infuriating that for the
last three months or so you may not be a member of their service unless you
have an active Facebook account.

~~~
alex_c
You think Spotify is going to cancel their sweetheart deal with Facebook
because some random blogger said Facebook-only logins are bad?

Of course, I would love to see some actual numbers on whether it was worth it
for Spotify (I suspect it was), but my point is that's a bit of a special
case.

------
NelsonMinar
Twitter vs. Facebook as the only options. It's as if OpenID never existed.
Which, sadly, may be nearly true.

~~~
jarofgreen
Outside the world of programmers and StackOverflow, I can't think of a single
site. Kudos to them for at least trying to solve this problem tho.

------
natasham25
We made our iPhone app FB Connect only, and only 50% of users who downloaded
the app actually signed in. To make things worse, we got a ton of one-star
reviews in the app store from people who were really angry about the FB
sign-in. Another bad part was that on mobile, FB sign-in doesn't work as well,
so a bunch of users who did click to sign in didn't get through the process
because of an FB bug. So unless you're ready to lose 50% of your users,
consider other sign-in options.

------
sek
The services that use Facebook always annoy me with sharing requests. I don't
want to share anything, stop asking. When somebody uses Facebook Connect only,
I expect this in advance and often don't want to use the service at all.

With Google Login I never get those.

------
jgrahamc
Another reason: yesterday's poll on who has and does not have a Facebook
account showed that 38% of people here do not.

<http://news.ycombinator.com/item?id=3542976>

~~~
nknight
I don't, my parents, grandparents, aunts and uncles don't, my best friend
doesn't, several of my favorite past and present colleagues don't. There are
times I really wonder where Facebook's massive userbase comes from, and how it
can ever possibly occur to anyone, anywhere, under any circumstances, to make
Facebook the sole login system for their web startup that otherwise has little
or nothing to do with Facebook.

~~~
veyron
Given that there are ~ 300M Americans and Facebook has ~850M users, my guess
is that most of their userbase is overseas (and oftentimes falling prey to the
whole "Americans use it, so I should also be using it" mentality)

~~~
k-mcgrady
For a long time Facebook wasn't available overseas. Facebook started with
only US colleges, then high schools. It only opened up to people outside the
US about 3 years ago I think, so I would assume a large percentage of its user
base is American.

~~~
jarofgreen
False, Facebook was getting popular in my uni in the UK back in 2003.

~~~
Drbble
Impressive, since it didn't exist then.

~~~
jarofgreen
Good point :-) Getting confused about years, sorry.

------
patja
The article has many valid points, but the Topsy example is simply poor
execution on their part to request so many extended permissions as part of the
initial login authorization dialog.

Any Facebook authorization dialog that asks for all of those permissions in
the Topsy example is doing it wrong. It is not like you need to ask for all of
those permissions up front. Offline access and publish stream is a very
dangerous combination and should only be requested when a user is turning on a
feature within the app that requires them. Let the user in with the bare
minimum of permissions (user_about_me), build their trust, and then only ask
for more permissions as and when they are needed.

Plus when you cancel out of the Facebook authorization dialog on Topsy, you
get a 500 error response. Topsy fail on multiple levels.

------
jballanc
Facebook is AOL all over again. They are creating a generation of users who
will resist moving to a different platform, and a cadre of products that will
either find their fates hitched to those of Facebook or dependent on an
expensive (in terms of money and users) move away from Facebook at some point
in the future.

Personally, I like the Joel test for abstraction/outsourcing. Identify your
core competency, then go one layer below it in the stack. That's how deep you
should go in-house. I think for many sites/apps, user accounts fall within
this realm. That doesn't mean you can't interoperate, but don't be solely
dependent on FB.

------
AznHisoka
I never put a FB Connect button, but some people complain because they are
used to logging in with one. It's a pain because it's another platform you
have to support if you're a developer.

What happened to the days when you just had to implement a simple website for
1 browser, without having to worry about multiple browsers, supporting iPhone,
iPad, Android, and enabling Facebook/Twitter/OpenID logins, and finding
friends through facebook/twitter/gmail?

New technologies for consumers are great, but for producers who would rather
create the next Facebook instead of using it, they can be a hassle to support.

~~~
estel
There was never a day when you didn't have to worry about supporting multiple
browsers.

~~~
AznHisoka
When IE had 95% market share?

~~~
djtriptych
This is actually a reasonable answer, having been around at that time. At one
point, if it worked on IE it went out the door.

Actually I know that "one point". It was when Mozilla completely destroyed
their browser platform with the horribly broken Netscape 4. Everybody stopped
using it immediately.

Back then it was like "does it work on ie" and maybe "should we build an AOL
presence?".

AOL then = Facebook today.

You're welcome, young people.

~~~
marshray
_if it worked on IE it went out the door_

How many of those companies are still in business, relative to their
competitors who chose instead to bet on cross-platform standards in the long
term?

~~~
djtriptych
If you were developing back then, you know there was a conscious choice
between using REALLY Microsoft-specific stuff like .htc modules, and just not
worrying if your layout was perfect in Netscape 3. It was easy to not care for
a while there.

If you're developing now, you know how much time you save just not worrying
about layout in dying browsers.

------
stephth
This post reminded me to look for open source code to handle multi-logins; I'm
currently in the planning stage of a project. These seem quite comprehensive.
Is there any reason why I would be better off rolling my own code?

<http://www.omniauth.org> (Ruby/Rack)

<https://github.com/bnoguchi/everyauth> (node.js)

<https://github.com/ciaranj/connect-auth> (node.js)

~~~
radagaisus
If you actually need to use the user's Facebook information I suggest you use
Koala and the JS login flow, otherwise omniauth is a good solution.

On the node.js side, just look at the everyauth and connect-auth examples:
they didn't even work on my computer! There's another lesser-known library
called passport.js that does the job very well: <http://passportjs.org/>

------
acabal
Also, please don't make Twitter your only sign-in option. I've come across
lots of programmer-oriented startups that I'd like to sign up for, only to
find that I require a Twitter account. Well guess what guys, not every
competent programmer is on Twitter, or wants to be. PLEASE just let me create
an account on your system without assuming everybody on the planet uses
Twitter. (Or FB.)

------
RandallBrown
The reason people pick Facebook only is because they think that losing users
that don't use Facebook is better than having to implement your own account
system.

Authorization and account management is really easy to screw up. If you leave
it to Facebook, you'll save a lot of time. The only question is whether or not
it's worth it.

~~~
marshray
Surely there's a way to avoid implementing your own account system that
doesn't drag in the massive unrelated architecture of a Facebook, Google, or
Twitter. You don't even need SSO like OpenID.

Is there a company that just sells a no-frills user enrollment and login
service and also provides strict isolation between sites? (I.e., they resist
the temptation to leverage their aggregate user base.)

~~~
sopooneo
Wouldn't that pretty much describe any open id provider?

~~~
marshray
Well, when I look at <http://openid.net/get-an-openid/> I see Google, Yahoo,
LiveJournal, Hayes, Blogger, Flickr, Orange, Mixi, MySpace, Wordpress, AOL...

There are six 'simple' providers listed. Spot checking: One of them has broken
SSL (<https://www.myopenid.com/signup> sources
<https://api-secure.recaptcha.net> which has an invalid certificate). One of
them looks completely broken for new accounts: <http://claimid.com/register>
"This account is hidden or does not exist."

And of course there's this: <http://www.untrusted.ca/cache/openid.html> which
describes various security and privacy problems with OpenID.

------
sarnowski
I am managing a portal which offers the possibility to use FB Connect (in
addition to our own login), and since you get no SLA from Facebook for their
APIs I can only warn everyone against using FB-only login. The FB API can be
randomly buggy for hours, with no way to get your users online.

------
untog
While I agree that FB Connect as the only login option is a bad idea, I also
don't think that the average user even reads the permissions dialog. We've run
a few A/B tests in the past of asking for different permissions: there will be
a decline when asking for more, but not a significant one.

------
alexchamberlain
I see Facebook Connect as a tool in the signup arsenal. Using it can
accelerate a user's signup process, but it should still initiate a procedure
for creating a user in your own database. The user can then add Twitter and/or
OpenID (you do support them, right?) and sign in how they see fit.

However, there is a security concern. Abusing other people's Facebook/Twitter
accounts is quite common (frape, for want of a better word). People do not
sign out of Facebook (I don't), so blindly allowing access to sensitive data
like this could be an issue. How about quickly asking for their password? Very
few will be offended, and those that are should be cut down to size with an
explanation of how security conscious you are.
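
The design in this comment (and the "unite an FB and email account" that pamelafox describes above) comes down to three rules: the site owns the user record, an external identity is only ever a pointer to it, and a session that arrived through a third party is not enough on its own for sensitive data. The following is an added illustration of those rules, not code from the thread or from any of the sites mentioned; it is an in-memory Python model with constructed class and method names (`AccountStore`, `login_external`, `link_identity`, `sensitive_allowed`) and stdlib PBKDF2 for the site password:

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed in-memory model (not any real site's code): the site owns its user
# records and merely *links* external identities (Facebook, Twitter, OpenID...) to them.
PBKDF2_ROUNDS = 200_000
SALT_LEN = 16
STEP_UP_MAX_AGE = 300.0  # seconds a site-password check stays "fresh" for sensitive actions


@dataclass
class User:
    user_id: int
    email: Optional[str] = None
    password_hash: Optional[bytes] = None  # None: created through an external provider only
    identities: Dict[str, str] = field(default_factory=dict)  # provider -> provider-side uid
    last_password_auth: Optional[float] = None  # when the user last proved the *site* password


class AccountStore:
    def __init__(self) -> None:
        self._users: Dict[int, User] = {}
        self._by_email: Dict[str, int] = {}
        self._by_identity: Dict[Tuple[str, str], int] = {}
        self._next_id = 1

    @staticmethod
    def _hash_password(password: str) -> bytes:
        salt = os.urandom(SALT_LEN)
        return salt + hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    @staticmethod
    def _check_password(stored: bytes, password: str) -> bool:
        salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def _new_user(self, **fields) -> User:
        user = User(user_id=self._next_id, **fields)
        self._next_id += 1
        self._users[user.user_id] = user
        return user

    def register_local(self, email: str, password: str, now: Optional[float] = None) -> int:
        """Email + password sign-up: the site's own account, no third party involved."""
        key = email.strip().lower()
        if key in self._by_email:
            raise ValueError("email already registered")
        user = self._new_user(email=key, password_hash=self._hash_password(password),
                              last_password_auth=time.time() if now is None else now)
        self._by_email[key] = user.user_id
        return user.user_id

    def login_local(self, email: str, password: str, now: Optional[float] = None) -> Optional[int]:
        """User id on success, None otherwise (same answer for unknown email and wrong password)."""
        user_id = self._by_email.get(email.strip().lower())
        user = self._users.get(user_id) if user_id is not None else None
        if user is None or user.password_hash is None or not self._check_password(user.password_hash, password):
            return None
        user.last_password_auth = time.time() if now is None else now
        return user.user_id

    def login_external(self, provider: str, provider_uid: str) -> int:
        """Sign-in after the provider's OAuth/OpenID flow has asserted provider_uid.

        An unknown identity gets a fresh local account. It is deliberately never merged into
        an existing account by e-mail match: that would let whoever controls the provider
        account take over a local account sharing the address. Merging happens only through
        link_identity(), called from a session already signed in to the local account."""
        key = (provider, provider_uid)
        if key in self._by_identity:
            return self._by_identity[key]
        user = self._new_user(identities={provider: provider_uid})
        self._by_identity[key] = user.user_id
        return user.user_id

    def link_identity(self, user_id: int, provider: str, provider_uid: str) -> None:
        """Attach an external identity to the currently signed-in local account."""
        key = (provider, provider_uid)
        owner = self._by_identity.get(key)
        if owner is not None and owner != user_id:
            raise ValueError("identity already linked to another account")
        self._users[user_id].identities[provider] = provider_uid
        self._by_identity[key] = user_id

    def sensitive_allowed(self, user_id: int, now: Optional[float] = None,
                          max_age: float = STEP_UP_MAX_AGE) -> bool:
        """Step-up check: a session that only came from a still-logged-in Facebook tab is not
        enough to show sensitive data; the site password must have been entered recently."""
        user = self._users[user_id]
        if user.last_password_auth is None:
            return False
        now = time.time() if now is None else now
        return (now - user.last_password_auth) <= max_age
```

The `now` parameters exist only so the timing rule can be exercised deterministically; in a web app `sensitive_allowed` would be checked by the view that serves the sensitive page and, on `False`, redirect to a "confirm your password" form rather than the full login. An account created through `login_external` alone has no site password and therefore never passes the step-up check until the user sets one, which is the point the comment is making about borrowed Facebook sessions.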

------
jasimq
We're testing having only Facebook login in our iPhone app, iQila
(www.iqila.com) and the number of logins fell about 80-90%!

Now we are going back to FB + Twitter + native but making our lazy login even
lazier, and I believe that has the most bang for the buck.

------
jiggy2011
I think it depends on the app, if it's something that's basically an extension
of a social network then it makes sense to sign in with that.

Sometimes though I might want to use an app for work purposes that I don't
want in any way linked to my normal persona.

Or I may want to use something which I know will in no way interest any of my
friends and I don't want it posting anything for me.

Really, if I can't take the time to create a username/password for a site then
I probably wasn't that interested in using it.

------
lignuist
As much as I love Khan Academy, I hate that they only offer Facebook and
Google as sign-in options. I try to avoid both of them as much as possible.

~~~
jedc
Would you prefer Twitter or something else? Or do you want a site-specific
sign-in?

~~~
ericd
Site-specific signup, any day, with a long-lived remember-me cookie. Way too
many companies view my FB credentials as a way to market themselves to my
friends rather than as a convenience to me.

~~~
lignuist
+1 Personally I find the whole idea of relying on a third party site for
sign-in a bit odd. Let it be Twitter, Google, Facebook or anything else...
there will always be people who don't have an account for that specific site,
don't want one, or don't want to let the site's owner know what their name on
that third party site is. Another problem: aren't Google and Facebook blocked
in some countries like China? Again, the whole idea doesn't work out in my
opinion.

------
jdietrich
You should almost certainly use Facebook Connect as your only signup option -
all the data I've been privy to shows that the improvements in engagement more
than make up for lost signups.

I'll put you on my list of "people I will never do business with on
principle", but if I'm your target market then you've got much bigger problems
than that.

~~~
threedaymonk
I wonder (and I'm speculating, because I haven't seen the data you refer to)
whether there's a bit of selection bias here: the people who are likely to log
in via Facebook are already more likely to 'engage' (if I were being rude, I'd
say 'click on any old crap and spam their friends') than those who aren't, so
it's only a proportional increase in engagement, not an absolute one.

------
yonester
Totally agree. The ease of use and security implications are certainly
important, but how users perceive their privacy is essential to usability
(shameless plug:
<http://nicelycoded.blogspot.com/2012/01/signing-in-with-facebook.html>)

------
Creyels
Besides the confusing modal, you should not do it, because of what Moot has
put nicely:

“Google and Facebook would have you believe that you’re a mirror, but in fact,
we’re more like diamonds.”

Give them the choice if they want to create a new ID for your service or not.

------
olalonde
Another good reason is that you are closing the door to a 1.3 billion people
market (China).

------
sek
We have another reason right now:
<http://news.ycombinator.com/item?id=3550163>

When it goes down, you are screwed.

------
emp_
My current weekend effort needs the user's birthday; I'd rather delegate that
to FB -- I do not know any other identity authority that does that (even if
flawed).

------
kuviaq
We let our users create accounts on our system or use facebook. 80% choose to
create an account on our system instead of using facebook (This is an iOS
app).

------
veyron
Is there a bugmenot for facebook (a slew of anonymous accounts that can be
used to get past these types of walls)?

------
yumraj
Another reason: no oversight in FB.

<http://venturebeat.com/2012/02/01/zuck-power-play/>

------
EGreg
This is the problem with centralization.

------
rokhayakebe
What is this strikethrough?

------
Craiggybear
I will never use such a site.

I haven't got an account and I certainly have no intention of getting one
ever.

Why would _anyone_ design a site to use an FB only sign-in? Jeez ...

------
dickersonjames
Thoughts on Twitter only sign-in compared to FB? More likely to use?

~~~
keturn
Unless your product is something that builds on Twitter's platform, I wouldn't
recommend it. It means your users don't have a choice about how they're
authenticated to your site, and

A) Failwhale, anyone?

B) Twitter doesn't provide serious options for protecting their users' login
credentials. It's the same username/password combo which is easily phished &
replayable.

Sadly, I've pretty much given up on the hope that we'll have a healthy
ecosystem of OpenID providers, but at least Google's login system does offer
some two-factor options.

~~~
djtriptych
From a dev's point of view I really feel that OpenID/OAuth is absolutely not
worth the headache.

I'd rather just go the hacker news model. Choose a strong password and if you
forget it, we send a new one to your email address.

Works fine, offloads a lot of security issues to email providers (who tend to
be good at it), easy to code.
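
The recovery step that Xion lists as part of the cost of password auth and that djtriptych describes here ("if you forget it, we send a new one to your email address") is the piece most often got wrong, so here is an added worked example of it. It is not code from the thread or from Hacker News; it is a stdlib-only Python model with a constructed account table (`ACCOUNTS`) and constructed names (`PasswordReset`, `request`, `redeem`), and it differs from the model described above in one deliberate way: instead of mailing a new password it mails a single-use, expiring token, stores only that token's hash, and gives the same reply whether or not the address exists.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple

TOKEN_TTL = 30 * 60  # a reset link stays valid for 30 minutes
PBKDF2_ROUNDS = 200_000
SALT_LEN = 16

# Constructed sample account table (email -> user id); a real site reads this from its database.
ACCOUNTS: Dict[str, int] = {"alice@example.com": 1, "bob@example.com": 2}


def _fingerprint(token: str) -> str:
    """Only this hash is stored: a leaked reset table yields no usable links, and looking
    the hash up by dict key leaks nothing useful about the token itself."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class PasswordReset:
    def __init__(self, accounts: Dict[str, int]) -> None:
        self._accounts = accounts
        self._pending: Dict[str, Tuple[int, float]] = {}  # fingerprint -> (user_id, expires_at)
        self._passwords: Dict[int, bytes] = {}  # user_id -> salt + PBKDF2 digest
        self.outbox: List[Tuple[str, str]] = []  # (email, token) a real system would e-mail

    def request(self, email: str, now: Optional[float] = None) -> str:
        """Always returns the same message, so the form cannot be used to enumerate accounts."""
        now = time.time() if now is None else now
        user_id = self._accounts.get(email.strip().lower())
        if user_id is not None:
            # One live link per user: a new request invalidates any earlier token.
            self._pending = {fp: v for fp, v in self._pending.items() if v[0] != user_id}
            token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
            self._pending[_fingerprint(token)] = (user_id, now + TOKEN_TTL)
            self.outbox.append((email, token))
        return "If that address has an account, a reset link has been sent."

    def redeem(self, token: str, new_password: str, now: Optional[float] = None) -> Optional[int]:
        """Consumes the token and sets the new password.

        Returns the user id on success, None when the token is unknown, already used or expired."""
        now = time.time() if now is None else now
        entry = self._pending.pop(_fingerprint(token), None)  # single use, valid or not
        if entry is None:
            return None
        user_id, expires_at = entry
        if now > expires_at:
            return None
        salt = secrets.token_bytes(SALT_LEN)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode("utf-8"), salt, PBKDF2_ROUNDS)
        self._passwords[user_id] = salt + digest
        return user_id

    def check_password(self, user_id: int, password: str) -> bool:
        """Ordinary login check against the stored salt + digest, in constant time."""
        stored = self._passwords.get(user_id)
        if stored is None:
            return False
        salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)
```

The `outbox` stands in for the mail step so the flow can be exercised offline; the only thing that leaves the server is the token, never its hash. Because `redeem` pops the entry before checking expiry, an expired token cannot be retried later either, and because `request` replaces any earlier token for the same user, an attacker who triggers a flood of reset mails does not accumulate a pile of valid links.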

~~~
icebraining
_I'd rather just go the hacker news model._

I use Hacker News with OpenID ;)

