
Start ups, please don't force me to log in with Facebook - eof
I have been to a number of sites that I want to try out but give up when they force me to log in with 'connect with ' facebook.  I know most people have it, but some don't.  I don't.

You should really have your own authentication in my opinion, but if you insist on not, at least give me a few options.
======
rwhitman
I just came off of a project where we built the entire auth system on
facebook. No other regi options - just facebook.

I will never do that again. If that was to become the standard, facebook shot
themselves in the foot with their crappy APIs anyhow (see
<http://news.ycombinator.com/item?id=1731427> )

And I have a facebook account, and I'm really hesitant to like or authorize
anything for fear of the author (or hacker) using it for malicious purposes or
Facebook one day making my actions public etc. I think a lot of folks are too.

FB may have been seen by some folks over the last few months as the magic
solution to universal social media authentication but I think it's becoming
apparent that it is not. And that's a good thing.

~~~
CWuestefeld
_I'm really hesitant to like or authorize anything for fear of the author (or
hacker) using it for malicious purposes_

I'm not quite as fearful for myself. However, if your application requests
access to my friends list, you've just struck out with me. Even if I'm
inclined to trust you, I don't believe that I have the right to make that
decision for my friends. I won't expose them to you, so you can't have my
business if you require it.

~~~
guelo
How do you know if the app requests access to your friends? Even if FB warns
you about this behavior (I don't think it does) how can you trust that they
won't change their policy in the future without alerting you?

~~~
cyen
You explicitly grant access for each new set of permissions - accessing a
friends list (and thus their publicly available information) is one of those
sets. If the site changes their policy, they have to go back to the user and
request permission.

~~~
lacker
This is false - accessing the friends list only requires "basic" permissions.

~~~
kingnothing
The friends list can be accessed without asking for permissions via the graph
API and an API key if your user id is known.

------
mycroftiv
After years of lurking on Hacker News, I finally created an account simply to
be able to post the _strongest agreement possible_ with the original post. I
do not use Facebook, and I do not wish to use Facebook, and I do not believe
that I should be treated as an Unperson because of this choice. If a site
wants to make certain its users/members are using their "real identity",
better solutions can be found than tying themselves to Facebook! I am a
hobbyist software developer and I prefer to host my own contact and
information pages. This is an issue I feel very emotional about - requiring a
Facebook account for the use of an unrelated service feels to me like a
personal insult. The implicit message that use of Facebook is now mandatory is
almost dehumanizing.

~~~
thenduks
This sort of attitude is not the norm in the general population (citation
needed? Ask your non-programmer friends).

No one is forcing you to use a site that requires Facebook, but obviously
(based on the comments here like yours) companies requiring it should probably
rethink this if their primary audience is tech-savvy geeks.

------
jrockway
I don't use Facebook. Incidentally, I adblocked "facebook.com" the other day,
and a lot of sites load much faster now. In three days, the rule has been hit
over 1300 times!

If I had a Facebook account, this would scare me.

~~~
rlpb
I use Facebook, so blocking it won't work for me. But I don't want other sites
to be able to "cross-domain" Facebook, since that gives Facebook more
information that I'd like. A way to block only "cross-domain" type Facebook
access would be nice. Or perhaps a per-tab private browsing mode.

~~~
jkmatila
I think the following Adblock Plus filter rule would do the trick:

    ||facebook.com^$third-party

~~~
buro9
This is what you want:

    ||facebook.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
    ||facebook.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
    ||fbcdn.com^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net
    ||fbcdn.net^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net

The key is to allow FB's CDN when on FB, but to disallow it and everything
else when not on FB.

I'm never on FB so this takes care of it nicely.
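To make the difference between the two filter rules above concrete, here is an added example (not from either commenter) that simulates how Adblock Plus would decide a request under jkmatila's `$third-party` rule and under buro9's four `$domain=~...` rules. The "third-party" test is simplified to comparing the last two labels of each host; real blockers use the public suffix list, so that simplification is an assumption of this code. The sample page/request pairs are constructed for the demonstration.

```python
# Added example: evaluating the two Adblock Plus rule sets from the thread
# against a few (page host, requested host) pairs. Sample data is constructed.

FB_DOMAINS = ("facebook.com", "facebook.net", "fbcdn.com", "fbcdn.net")


def host_matches(host: str, domain: str) -> bool:
    """The ||domain^ anchor: matches the domain itself and any subdomain."""
    return host == domain or host.endswith("." + domain)


def registrable_domain(host: str) -> str:
    """Simplification: treat the last two labels as the registrable domain.
    Real blockers consult the public suffix list (assumption of this example)."""
    return ".".join(host.split(".")[-2:])


def blocked_by_third_party_rule(page_host: str, request_host: str) -> bool:
    """||facebook.com^$third-party  (jkmatila's rule)

    Blocks facebook.com requests only when the page they come from belongs to
    a different registrable domain."""
    if not host_matches(request_host, "facebook.com"):
        return False
    return registrable_domain(page_host) != registrable_domain(request_host)


def blocked_by_domain_rules(page_host: str, request_host: str) -> bool:
    """||X^$domain=~facebook.com|~facebook.net|~fbcdn.com|~fbcdn.net for each
    X in FB_DOMAINS  (buro9's rules)

    Blocks requests to any of the four Facebook domains unless the page itself
    is on one of them (the ~ prefix excludes those page domains)."""
    if not any(host_matches(request_host, d) for d in FB_DOMAINS):
        return False
    return not any(host_matches(page_host, d) for d in FB_DOMAINS)


# Constructed sample requests: (host of the page being viewed, host requested)
SAMPLE_REQUESTS = [
    ("news.example.com", "www.facebook.com"),        # Like button on a news site
    ("news.example.com", "static.ak.fbcdn.net"),     # Facebook CDN asset on a news site
    ("www.facebook.com", "static.ak.fbcdn.net"),     # Facebook loading its own CDN
    ("www.facebook.com", "api.facebook.com"),        # Facebook calling itself
    ("connect.facebook.net", "www.facebook.com"),    # facebook.net page -> facebook.com
]


def evaluate(requests=SAMPLE_REQUESTS):
    """Return (page, request, blocked_by_third_party, blocked_by_domain_rules)."""
    return [
        (page, req, blocked_by_third_party_rule(page, req), blocked_by_domain_rules(page, req))
        for page, req in requests
    ]


if __name__ == "__main__":
    for page, req, tp, dom in evaluate():
        print(f"{page:24} -> {req:22} third-party:{tp!s:5} domain-rules:{dom!s:5}")
```

The second sample row is the case rlpb and buro9 care about: the single `$third-party` rule says nothing about `fbcdn.net`, so CDN-hosted Facebook assets still load on other sites, while the four-rule set blocks them but keeps them working on Facebook itself.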

~~~
ben_h
Worked a treat, cheers.

------
yock
Maintaining a separate identity for every site across the web gets more
impractical by the second. I think most people would agree that a third-party
authentication service is a positive thing, but there seems to be a stigma,
earned or not, surrounding Facebook that makes people hesitant to assign that
responsibility to them.

I think ultimately it's going to come down to a paid, independent service.
Startups can't offer this kind of thing for free as there is no trust involved
in the transaction. Likewise most large companies have already traded away
their trust capital for various fiscal and political gains over the course of
their existence. No, there must be some legal recourse for the consumer for
the moment the authenticator screws up, and the only way to transfer risk in
that way is with money.

Probably the single biggest barrier to this is the widespread desire to
remaining anonymous on the web. The thing it seeks to combat is precisely the
thing so many value so greatly: maintaining multiple identities, personas,
existences on the web.

~~~
hapless
What's impractical about it ? I'm very comfortable with separate identities
per-site.

If your site isn't worth a separate identity, why am I interacting with it in
the first place?

~~~
mquander
I'm comfortable with separate identities per site, but it _is_ impractical for
most people. You have three general choices:

- Maintain a separate login and password for every site. This requires a lot
of memorization and is a pain in the ass when you find yourself trying four
passwords because you forgot which you used.

- Use password management software or a naming system that lets you keep
track. This is effective but is a bit much for a majority of people who do
not, and probably never will, use tools and reasoning to help them do things
on their own volition.

- Use the same login and password almost everywhere. This is easy but is
shitty security.

You might claim that using a third-party authenticator is just like option #3,
but it's not. Option #3 above means that your single credentials are under the
control of the least secure site you use them on, so if someone cracks some
install of PHPBB version 0.0001 that you logged into, you're fucked. Using a
third-party auth provider relieves you from this worry. It even means that you
can switch at your leisure and start using a hardware generator or a long
passphrase if the provider supports it.

~~~
mike-cardwell
Choice. Let people choose if they want to use Facebook, or if they want to log
in directly. Allowing people to log in directly should be the minimum
requirement. Facebook should be an addon authentication system, not the only.

~~~
mquander
Oh, I think Facebook is much worse. I'm just pointing out that there really is
a problem to be solved; separate authentication for every site is not
obviously the best possible experience. Choice is a fine answer, if the
developers are willing to spend the extra time implementing and maintaining
the choices.

------
kylec
This is by far my largest complaint with Quora.

~~~
loyaltyspace
Agreed. I've lost track of how many times I've gone to a Quora answer, thought
'I must take a closer look at Quora', gone to the root domain, realised you
need a Facebook login, then just navigated away.

I even have a Facebook account somewhere - just don't like logging into
another site like this for some reason.

~~~
iloveyouocean
The inconvenience of finding/creating a Facebook account to use in joining
Quora is, imo, completely worth the value offered by Quora. You have to choose
your battles. At a certain point I would rather have access than have my way.

~~~
wvenable
I never bothered to sign up at stackoverflow because of OpenID. Not
necessarily because I have some philosophical issue with it, but because I
already have a system to maintain this stuff and OpenID is just another hoop
to jump through. Adding an optional user/password signup is hardly difficult.

~~~
jrockway
Honestly, I'd rather not give Jeff my password. So +1 on OpenID.

~~~
wvenable
What's stopping you from setting your password to jeff_sucks? It's pretty
memorable too.

~~~
StavrosK
Nothing is stopping me from setting my password to something different for
every site I don't want to set a good password for, I'd just very very much
rather just enter a URL and have everything work. OpenID is the most useful
thing online in ages.

------
wccrawford
I totally agree with this. I've seen a few things lately that wanted my
Facebook login and I just went away instead.

OpenAuth (via Google or plain) or private authentication would have been fine,
but those weren't options.

~~~
cmelbye
The main method of Facebook authentication these days _is_ OAuth (which I
assume is what you mean by OpenAuth.)

~~~
wccrawford
Actually, I meant OpenID. My mistake. ;) I've had both of them on my mind
lately.

------
stevenwei
Incidentally, requiring Facebook/Twitter on any iPhone/iPad app will
absolutely destroy your ratings.

Take the recently released Gourmet Live app for example:
<http://itunes.apple.com/us/app/id391597058?mt=8>

Although they made some especially poor choices in that app (you can end up
navigating into sections of the app that you can't get out of without giving a
Facebook/Twitter login, oops).

~~~
jonknee
I deleted Gourmet Live as soon as I saw it requires you to cough up Facebook
or Twitter logins to use fully. I have both but don't trust Gourmet to not
spam my friends. Facebook is especially hostile to privacy and I will never
use Connect.

------
aresant
We have two separate clients that spend big $$$ on AdSense driving new
customer acquisition that used single fb connect for login.

After the API issue last week both saw their 8+ LP scores dive down to 1! Lost
commerce for both over the past few days equals multiple tens of thousands,
still not seeing the scores recover.

~~~
newsisan
LP?

~~~
dshamrock
Landing Page

------
liedra
I think what is important here in the OP is the "at least give me a few
options". Amongst my group of friends there has been a "quit facebook"
movement in the last 6 months, and I can see why given the privacy issues that
have been going on there. I probably would have joined them if I didn't live
so far away from family and friends now. But really, it'd be nice to have a
few options; lots of social sites allow you to use them to authenticate
elsewhere, and things like OpenID which you can get from other places as well
as rolling your own if you want to.

The only time you should be really concerned about whether your user really is
who they say they are is if you are (or you are interacting with) some sort of
official government or similar entity that legally and officially requires
proof of identity. Otherwise it should be perfectly acceptable to have
multiple, disparate identities on the internet.

------
mike-cardwell
I've not seen any websites that _require_ a Facebook account to log in, but my
immediate reaction on seeing one would be to assume the person who implemented
it doesn't know what they're doing and can't be trusted with my data.

~~~
far33d
Why would you trust a website asking for an email and password more?

~~~
NewHighScore
Email is better because you are not locked into using some third party website
to log in. You can set up an email server of your own if you wanted to.

~~~
meatmanek
OpenID works great for this too-- you can create your own OpenID provider.

~~~
nuclear_eclipse
Even better, you can use your domain to delegate privileges to a third party
service. E.g., I have my personal domain leetcode.net delegate OpenID
authentication to myOpenID.com, but if for some reason I don't like that, or
decide to host my own provider, it's as simple as changing my domain's
delegation info, and I can continue to use the same OpenID url everywhere.

------
itg
For me it's more of a matter of privacy. I do have a facebook account but
still refuse to log into any site that wants me to connect with facebook.

~~~
awakeasleep
Sharing my connection information, some of my real life activities and
hobbies, and a few private messages with Facebook seems risky enough already.
When another company wants me to connect, my mind just balks.

~~~
natabbotts
Agreed. Knowing that the company requiring you to sign in can quite easily
access all the data stored by Facebook worries me greatly. Twitter logins I
have no problem with, as all my twitter info is public anyway (such is the
nature of twitter), so there isn't any damage that can be done. Facebook,
however, gives you no way of knowing exactly what it stores and shares, and
because of this I am simply too paranoid to log in with it.

The best login system is OAuth by far - it is secure, and doesn't have any
risk attached.

------
varikin
I recently integrated JanRain into a client's site and I think I will be using
it for future personal projects. It handles all the OAuth/OpenID details while
providing Facebook/Twitter/OpenID/LinkedIn/Yahoo/Microsoft
Live/Google/Wordpress/and more providers.

I would like to give people the Facebook option, but I myself, don't use it
unless I have to. Giving a dozen options via JanRain makes that easier.

~~~
michaelbuckbee
We've used JanRain as well, they do a nice job of abstracting away some of the
differences in the platforms, making it much much easier to support more
options.

------
mrcode925
Strongly agree. I used to use Facebook. I don't any longer and never will
again. Any service that forces Facebook connectivity won't get me as a user.

------
gregable
It seems like the reason websites are starting to do this is that facebook
authentication gives the developer more information than just an
email/credentials. The developer can access all of the basic data in the
user's profile and also grab their friend list. This means that later down the
line they can automatically connect friends together inside the developer's
own service without having to ask their users for that data, which as you know
means 90% won't bother. It's essentially a value add to the developer (and
much more debatably to the user) over other authentication options. I can see
the interest in requiring or at least encouraging users to use this feature.

~~~
gregable
Not that this means I agree that you as a developer should do this, just that
I understand. There are lots of hidden issues too - your service now has added
another third-party dependency that could kill you if they decided to break in
some way that you couldn't reverse from. Facebook now has all of your
user/traffic numbers which they can use against you if they ever decide to
compete with you on any front. In the future, advertisers can potentially
reach users you've pre-targeted without paying you and instead paying
facebook. The list goes on. It's putting a lot of trust in your relationship
with facebook.

------
olalonde
It's also very frustrating for everyone behind the great firewall of China.

~~~
mattmillr
Also, anyone behind a firewall at work/school/etc. that blocks Facebook.

------
dhess
Since OpenID is coming up a lot in this thread, I've been meaning to set up my
own personal OpenID provider on my colo box for a couple of years now, but
every time I look around for a free software implementation that supports SSL
client certificate authentication, I'm stymied. Does anyone know of one?

------
palewery
I have a fake FB account for this reason. It is amazing how many people will
friend someone who doesn't exist

~~~
binomial
If you put up a few photos of a good looking girl for the profile pic and a
random album, it's quite easy to get over a hundred friends, and not too hard
to get many hundreds if you post on a few of those friending groups.

------
Nervetattoo
It would be interesting to see HN-ers that use facebook auth in their apps
share some stats on how big percentage use it?

I too believe you should have your own auth system as a base, but maybe
someone can provide some numbers proving that it actually is a waste.

~~~
nano81
On my site (www.dipoll.com) I offer FB connect, Twitter connect, and regular
email/password registration. 95% of my users join with Facebook connect.

I may very well do away with Twitter and email registration. Some of those 5%
of new users might use Connect, and some might leave. That's fine. What I care
about is streamlining the experience for the vast majority of my user base.

"I too believe you should have your own auth system as a base, but maybe
someone can provide some numbers proving that it actually is a waste."

This is the way to look at it. Each service should test, analyze their
numbers, and make the decision that makes sense for them. Blanket statements
like "startups should never only use X for authentication" are just wrong.

~~~
saurik
So, this isn't a useful number for the OP (as it doesn't compare against a
direct email/password registration), but people may still find it interesting:

My application (an alternative to the iPhone App Store) supports Facebook
Connect and Google Login (using OpenID). As I'm selling products, I can do a
direct revenue breakdown on the two services, which shows a 2:1 advantage for
Google accounts.

(If anyone is interested, the 2:1 Google advantage holds even if I control for
"in the United States"; about 50% of my sales are in the US, so I have a great
statistical sample, and the login breakdown for the rest of the world is
nearly identical.)

------
clr
I'll never require it, but clients want it. Demand it. Even if they can't
articulate why. We can strongly disrecommend it as a strategy and advise them
as to why, but I'm not walking away from business right now. Because if we
refuse to do it, someone else will do so gladly. At least we've tried to
educate them as to why it's a bad idea, and maybe some day they'll come back
and ask us to remove it.

------
bugsy
This has been bothering me for a while as well. I don't do facebook due to the
privacy problems there and general contempt for customer.

Many sites have complex authentication and identity management systems for
adding a simple comment. I don't contribute to these sites or return to them,
no bookmarking. Too much of a hassle. Studies done by topix and others have
shown that authentication does not increase the quality of posts. It's not
even clear why comments need to be authenticated anyway. If the visitor is not
purchasing something, there is no need to ascertain their true identity.

Look at both the hacker news and reddit systems for a reasonable example of
doing it right. Choose a name and password and you are done. For reddit an
email address is optional. Both of these sites are examples of places where
there is intelligent interesting discourse. The same can not be said for sites
with complex authentication systems.

------
markharrison04
I agree completely. The whole Facebook login thing is of no use to me since I
decided to deactivate my account 12 months or so ago. I am unhappy with
Facebook privacy and to be honest, the whole thing of keeping up with
Facebook, Twitter, LinkedIn, etc just became too much. Devise an authentic
login or lose me as a customer.

------
thenotself
I'd enjoy a 3rd party login manager that is a separate system from Facebook.
Some place where I can view all sites that I have authorized, manage my
communication settings, and keep track of who I've registered with. I don't
want facebook to know this about me.

I'd be more comfortable with Google doing this. It would simplify my sign in
process for new websites, reduce the number of accounts and passwords I need
to manage, remove the need for a password manager like 1password, and give me
quick access to disable or block access to sites I no longer want to have an
account with.

A startup could tackle this, but they would have to build trust and widespread
adoption.

------
atomical
TIP 2: Take what you need. Nothing like ripping all my details because you
need my e-mail address. I think twice about using your site when you want to
take a view of everything on my profile.

------
akozak
Is the perception that we will be nefariously ingesting your private data? Or
that FB auth is just a trend? Or just a mistaken assumption that all users
actually have a Facebook account?

~~~
easyfrag
Personally for me as a user it's because I don't trust Facebook.

I also think it is a bad idea to outsource your authentication mechanism to a
single private entity. What happens if your user deletes their account? What
if Facebook thinks your site exhibits suspicious behavior and decides to not
send along its users' authentication? Probably won't happen but if it does it
could be a world of hurt, much like PayPal.

~~~
saurik
For the record, normal users /do/ delete their accounts. Users also often have
unpredictable priorities, as they are complex people in their own right ;P.
Example: they may use transient e-mail addresses (assigned to them by their
ISP/school/work) and then get "locked out" of their Facebook account because
they forgot their password and can't fix it due to a new e-mail address.
Rather than going to the trouble to fix the situation, they may instead simply
create a new account, and take this as an opportunity to have a "clean slate".
Meanwhile, they may consider your website, which they might even be paying
for, to be critical to their lives, and now they can't log in anymore.

------
JulianMorrison
Facebook is an overly pervasive, cookie tracking, click hijacking, non-privacy
respecting nuisance. I have an account, but I only log it in from an
"incognito" window where it can't set cookies. And if your website wants my
Facebook, I regard that as an up front signal that you intend to trample all
over my privacy and exploit information (such as my friends) that is none of
your business - I won't sign up.

------
mike-cardwell
Surely it's easier to write your own authentication system than plug in to
Facebooks?

~~~
Aetius
No. It's actually very hard (to do correctly). Especially if your cloud
provider (AppEngine in my case) makes it even harder.

~~~
mike-cardwell
I've always found this one of the easier things to do when setting up a
website... And I do, do it correctly.

------
jbrun
I am starting a new site and want to avoid authentication.

In our system, two users are linked together for the purpose of our service.
We do that via unique URLs. Do you think it is safe to match up emails for
authentication.

i.e. when user 1 wants to get his profile, he has to input his email and his
partner's email. If he fails to do that then we do not pull up the profile.
Does this make sense and do you think it is secure enough?

~~~
jfager
Secure enough for what? The attack is simple: pick a target whose email you
know, and then start guessing emails of people you think they might have an
account with. This could be as easy as browsing to a website and entering
pairs of emails addresses listed on the "About Us" page, or ripping through a
person's Facebook friends or Twitter followers.

It might be fine for completely non-sensitive data, but for anything else,
probably not.

~~~
jbrun
Yes, the data is not that sensitive, but it is valuable. It is all about brand
preference and sizes for shoes and clothing. I just hate making users create
accounts.

------
saurik
"I forgot my username/password" is an immense burden on a small company. You
end up having to make horrible tradeoffs between privacy and convenience (how
do you really verify that this user is really this person?) and end up with a
serious support issue for a product that might otherwise not generate much
support email at all.

To be clear: even if it costs half your conversion rate, it may be valuable,
at least until you grow in size to the point where having some support staff
on hand is a non-issue, to force people to use a "well known" login provider.
The users who insist on per-site accounts very well may just not make enough
revenue to hire the support staff required to maintain them.

(Also, I think the privacy issues are seriously underrated: users often seem
to insist that you should be willing to trust From: headers on email messages
and that looking someone up by real name should be a common/valid way of
finding people... I'd much rather Facebook, Google, Yahoo!, whomever, has to
think about those issues rather than me.)

Edit: (typed on my iPhone, already fixed a typo)

~~~
synnik
Automated password resets are a solved problem. Either email a new pw or reset
link to a known address, or authenticate with "secret questions".

Both have their problems, but no small company should waste support time when
established techniques are available.
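The "email a reset link to a known address" technique synnik describes has a few details that decide whether it is safe: the token must be unguessable, stored only as a hash, single-use, time-limited, and the request endpoint must answer the same way whether or not the address is registered. The following is an added example (not code from any commenter) of a minimal server-side implementation of that flow; the 30-minute lifetime, the `accounts` mapping and the sample addresses are assumptions of the example, and the clock is injectable so the expiry logic can be exercised offline.

```python
# Added example: a self-contained e-mail password-reset token store.
# Assumptions: 30-minute link lifetime; `accounts` maps e-mail -> user id.
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60  # assumed lifetime of the e-mailed reset link


class ResetTokenStore:
    """Server-side record of outstanding reset links.

    Only a SHA-256 digest of each token is kept, so a leaked copy of this table
    cannot be turned into a working reset link. The token itself appears only in
    the URL that is e-mailed to the user."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (user_id, expires_at)

    def issue(self, user_id) -> str:
        # One live link per user: a new request invalidates any earlier link.
        self._pending = {h: v for h, v in self._pending.items() if v[0] != user_id}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (user_id, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the user id for a valid token, else None. A token is consumed
        on first use, whether or not it turns out to be expired."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() > expires_at:
            return None
        return user_id


UNIFORM_REPLY = "If that address is registered, a reset link has been sent."


def request_reset(store: ResetTokenStore, accounts: dict, email: str):
    """Handle the 'forgot my password' form.

    Returns (message shown to the requester, token or None). The message is
    identical in both cases so the form cannot be used to check whether an
    address has an account. The token would go into the e-mailed URL."""
    user_id = accounts.get(email.strip().lower())
    token = store.issue(user_id) if user_id is not None else None
    return UNIFORM_REPLY, token


if __name__ == "__main__":
    # Constructed sample account table.
    accounts = {"alice@example.com": 7}
    store = ResetTokenStore()
    msg, tok = request_reset(store, accounts, "Alice@Example.com")
    print(msg, "| token issued:", tok is not None)
    print("redeem once:", store.redeem(tok))   # 7
    print("redeem again:", store.redeem(tok))  # None, single use
```

Looking the token up by its digest means no constant-time comparison is needed at redeem time: an attacker who does not hold the token cannot learn anything useful from how the digest lookup behaves. What this code does not solve is the problem michaelbuckbee raises below it, a user who no longer knows which address they registered with; that part stays a human support task.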

~~~
michaelbuckbee
The items you mentioned mitigate but do not "solve" the problem. We often have
users forget what email address they used when they first signed up (work,
personal, their kids email because they aren't a "computer person", etc).
Probably not so coincidentally, these same users are the ones that struggle
the most with basic computer tasks like opening a URL from an email, etc.

~~~
Hexstream
You can just let users initiate a request with their login name, no?

~~~
saurik
This assumes that something like their e-mail address is static: in the real
world it isn't. Normal users often use e-mail addresses assigned to them from
their ISP, school, or work, and think nothing of the fact that these are
needlessly transient identifiers. In practice you simply cannot automate the
problem "I forgot my username/password".

(EDIT: Oh, and I misunderstood your comment: no, you cannot have them initiate
the request with their username, because they probably also forgot their
username. I thought you were saying that they could initiate a request to look
up their username before looking up their password, which has the "no stable
identifier" problem I ended up going into.)

------
oconnore
There is no reason for the login API to be proprietary:

Universal Login 1.0 File:

    (ULAPI-1.0 (username "oconnore")
     (seed "a3k5...") (password-hash "pq3i...") (password-hash "ve83...")
     (additional-information (eye-color "brown") (email "@.com") ...)))

To create an account on a site, you give the site your UL url, and your
password, and it associates the url with your user name in its database. Now
when you want to login to a site, you give it your user name, and your
password. The back end retrieves the file, hashes your password with the seed,
and if it matches a hash in your UL file, voila, you are accepted.

Cool benefits of this are that you can use separate passwords for your bank
and your twitter, and you can host your own ID (or pick someone you trust),
only allow certain servers to request it, dynamically generate a unique ID for
each site, etc.

------
loewenskind
Personally I don't like any of these global logon initiatives. I don't use
Stackoverflow because I never found a way to login without using OpenID. Since
I don't like a bunch of random web sites being able to connect me so easily,
to use Stackoverflow I would have to go to one of those openID sites and make
a fake account or set up my own OpenID provider. Both of these options are
extremely inconvenient. I'm used to having a different user id/password for
every site I have an account on so that's very easy for me.

I haven't looked into the technical details deeply but people keep talking
like OpenID is safe. I assume sites that use OpenID never see my user name and
password but what if the site _says_ that it uses OpenID but actually just
stores my user name and password? Would I have any way of recognizing that the
site was using fake OpenID?

~~~
sbierwagen
Perhaps you should try something before you dismiss it.

Sites you log into using OpenID never see your password. (For that matter, any
competent OpenID provider will never store your password in cleartext, so they
won't know it either.) The only thing the site knows is your OpenID url, and
when you sign in using that, it redirects you there, to enter your password.

Live example. I use myopenid.com to provide OpenID services, delegated via a
link rel="openid.delegate" tag on my personal site, bbot.org.

When I want to sign in via OpenID on a site, say, livejournal, I type in
"bbot.org". Livejournal looks at that site, reads the link tag, and sends me
to myopenid.com. I sign in there, and it sends me back to livejournal, now
logged in.

~~~
loewenskind
Ok, so browser phishing protection should prevent a hostile site from being
able to fake this work flow then, right?

In that case I guess I can live with it. I'll just have to go to the effort of
setting up my own openID provider since I still don't want different sites
tying my ID together so I'll have to set something up on my side.

This is all a lot more effort than it was before and I don't see any benefit
at all to how I use the internet. But thanks for giving a detailed explanation
of how it works. At least my security concerns are lessened (still,
compromising one site and logging passwords will compromise every site you use
this service with).

------
kentbrew
And if you absolutely must "connect" with Facebook or Twitter, please do NOT
ask for permission to update my account.

------
lallouz
Really the best solution for this is to provide as many options as possible.
You should develop your authentication services in a way that allows OAuth to
be used just as easily as a "custom login". In addition to that, anyone who
says that having "your own" login is not worth the time to develop it is just
plain silly. It takes almost no time to develop and anyone who has been in the
web business for longer than 1 website knows this. As a startup I want to make
sure that I am not alienating any user from my service.

On that note, it is important to realize that certain sites or services on the
web require some sort of social graph integration that requires a login with a
social networking account. In cases like this, you are developing an app for a
user base that is not on FB or Twitter and then (purposely) alienating the
rest.

------
gojomo
What would you think of a site that lets you use Facebook to login, or charges
a Metafilter-like token $5 fee?

~~~
loire280
Is the purpose of the fee to filter out spammers and trolls in the same way
that attaching your Facebook credentials creates some amount of social
accountability for your actions in the service?

~~~
gojomo
Yes -- a speedbump/proof-of-commitment.

------
FernandoEscher
Well, it's easier for users to register on a page in the usual manner, why? Well,
because they have been doing this all the time. In a startup I'm working on,
we forced users to use a Google Account to login, then I ran a usability test
on my mom, her first questions were: what's a Google Account? Where is the
registration form?

Don't force people to use any third party login, instead, make them have a
choice to sync their openid or facebook accounts to have extra features like
facebook notifications, GCalendar and GDocs sync, etc.

Registering to an app must be easy, fast and intuitive. The use of third party
authentication service must be unobtrusive, and should not limit your
application, just improve it.

------
venturebros
The reason I got one of those vanity accounts that Facebook hyped up was
because I was under the impression they would use that instead of your real
name on various websites.

Turns out they did not go that route so I refuse to use FB login.

------
Void_
Agreed.

I found one service, where they have only Facebook login and it _doesn't work_
for me.

I wrote to them and the assholes just ignored me.

I think it's arrogance. I mean, Google Account would make sense. Many hackers
I know don't even have a Facebook account.

------
careersters
If facebook deletes your account then you run the risk of losing your account
on other sites. I don't sign-up using facebook and so our site will have the
option to use Facebook but won't require it.

~~~
zoorroo
Has someone ever seen a site that would use the Linkedin API?

------
ori_b
I have facebook, and I don't want to link my various accounts to it. I don't
trust facebook to know what pages I log into. I already adblock all of their
"like" plugins and so on.

------
malandrew
Does anyone know if there are any premade projects or gems for rails that
include support for Twitter OAuth, Facebook OAuth, Opensocial OAuth and your
own authorization system?

------
doki_pen
I find no problem with OpenID. There are many free OpenId providers out there,
and if you really don't want to use one, you can create your own fairly
easily.

~~~
FernandoEscher
The issue is that it should be an extension for your app, not a rule. I think
that the best way is to always do your own auth system and maybe improve it
using OpenId providers.

~~~
doki_pen
why?

------
code_duck
One reason I particularly avoid logging in with Facebook or Twitter is the
large proportion of sites that will abuse the authority to post whatever you
post on your FB/Twitter profile as well. Sorry, if I'm just signing in to
comment on a Twitter-shared picture or a news article, that does NOT mean I
want it posted on my message stream! I've learned the hard way to always use
Google/Yahoo OpenID auth instead.

------
davidedicillo
I can see the advantages of both the fb login and your own authentication. On
getappsdone.com we use our own authentication, but sometimes it's really
annoying dealing with people who can't figure out their user or password, or
maybe they didn't receive the activation email and stuff like that.

On the other hand, when I'm offered the chance to login with facebook, I don't
always feel comfortable giving access to all my data.

------
Sephr
I don't want to give you any control over my facebook account via OAuth, but
I'll gladly sign in with my facebook OpenID (if they provided OpenID, which
they don't). The same goes for Twitter.

This is a dangerous trend that encourages trading control over your
Twitter/facebook/etc. accounts for easy registration on possibly-malicious
websites. OAuth is not meant for this, and OpenID should really be being used
instead.

------
dzlobin
It's interesting that there is a constant, fairly large hatred for Facebook
connect.

What do you guys who are entirely not into FBC think about the last RFS?

~~~
manveru
Do I have to be into FBC to know what a RFS is?

~~~
dzlobin
Facebook Connect, Request for startups: <http://ycombinator.com/rfs.html>

------
harperlindsey
I agree, users should have options to login. I'm giving the option to login
with Facebook or Twitter, but users can also register for a completely new
account on the site. Hoping that this method creates the least barrier for
users that don't want additional accounts, but also provides a login option
for users that don't have one of these accounts.

------
portman
I have a site that requires Facebook to login.

For this site, user fraud is a big concern. I would much rather have an easy
way to tell if someone is a "real" person, and Facebook gives me that.

If my market size goes from 1.5B to 500M because of this decision, that's
fine. In our case, it's a calculated choice, like the dozens of calculated
choices a startup makes every day.

~~~
bl4k
I have two fake Facebook accounts that I use to sign in to services. I even
have a good rep on Quora using a completely fake name.

Forcing Facebook because you think it will give you real people and verified
accounts is wrong.

~~~
portman
Sorry if I wasn't clear. I'm not saying that forcing Facebook will 100%
eliminate fraud. But forcing Facebook can reduce fraud, by several orders of
magnitude.

Authentication isn't -- and shouldn't be -- a one-size-fits-all problem. For
us, Facebook has worked extremely well. (We originally supported Twitter and
OpenID but dropped them when it turned out that 100% of our fraud incidents
had authenticated with one of those two.)

That said, I'd love to know if our FB heuristics would "catch" you or not.
Email me your fake FBUIDs and I'll publicly post their score. We can all learn
something! portman.wills[at]gmail.com

~~~
bl4k
The accounts have nothing in common - not IP address, nor cookies nor names
nor friends or anything. With the fake accounts I just added fake friends
(Facebook was so kind to suggest them) and they approved me. I even wrote
'whats up' on some peoples walls and they replied. No idea who they are, seems
people just need somebody to talk to.

I am a bit of a privacy nut (multiple browsers, incognito, proxy servers,
VPNs, multiple accounts online (including this site)) and I intentionally
keep my personal, work, online life etc. completely separate. So as interesting
as it would be for you to test my accounts, it means I would have to kill you
:)

~~~
mkramlich
> So as interesting as it would be for you to test my accounts, it means I
> would have to kill you :)

There needs to be a term for that level of secrecy/strictness when it comes to
online identity/authentication. A level so strict that if an identity gets
exposed or authentication mechanism is bypassed that somebody, somewhere, will
have to be killed.

Now I await eagerly for an HN reader from a three-letter organization to chime
in. ;)

------
Croaky
If your app only provides Facebook for authentication, do some Jakob
Nielsen-style usability testing and you might be surprised how common this
complaint is. That's been my experience on the most recent app I've worked on.

Startups love Facebook authentication more than users do.

------
timmy_k
I completely agree.

Options, options, options. The internet is all about options. This stems from
the fact that people would prefer to "Have it their way"... still waiting on
BK to deliver that.

When people online don't have options they feel alienated. It's the
expectation at this point.

------
espadagroup
This completely depends on the audience of the site. If I was building a
social site built upon the engagement of teenage girls, I would absolutely
force Facebook login, and the vast majority of them would not care/ be happy
for it.

------
fragmede
As an aside, Facebook rejects mail from the main mailinator ip, so you can't
use their domain for a fake email address, you'll have to find a different
service that does the same.

------
websurf90
Yeah, I totally agree.

------
rahooligan
I agree. It is best if they provide an option. So you can login with facebook
if you choose to. I use my twitter login more than facebook.

------
psyklic
When I try to log on via Connect on Groupon, sometimes it doesn't work or is
slow to log me in :P

------
Detrus
What about Twitter?

~~~
jat850
Just as bad, in my mind. But I could be alone on that.

~~~
natabbotts
I disagree. All your Twitter data is public* anyway, so it shouldn't be a
problem. And twitter makes it so much easier than Facebook to
disable/disconnect an app from your account.

*Unless you make tweets private. But even then, your followers and followees are still public.

~~~
jat850
It's not the Twitter data I care about, or what happens to the Twitter data.
It's not even the difficulty of creating a throwaway Twitter account. I just
personally prefer to keep all of my accounts segregated from each other, each
for their own assigned purpose, is all.

------
JMiao
not being on facebook puts you in the minority. consumer web companies aim for
the majority.

note: i am not on facebook

------
gord
I thought OAuth2 solved this?

------
keonnab
i need help to get on facebook and need to talk to my boyfriend, someone help

------
binaryfinery
Yes: Don't force me to log in with facebook.

No: Don't force me to make another fucking password.

I have a whole shitload of passwords. I use an independent (not in the
browser) password tool. I'd really like to be able to generate a password and
login automatically: i.e. for my tool and the website to automatically hook
up.

Oh, yeah that's called OpenID: <http://openid.net/get-an-openid/>

And no jokes about my tool please.

~~~
jasonkester
I won't implement OpenID for any site where I have a say. It needs to die so
that something good can step into its place.

If you have a site that requires OpenID, I won't use it for the same reason I
won't use your site that requires Facebook. If you're going to implement it,
make sure you also implement a standard user/pass registration or you'll lose
a lot of potential users (as in most of them).

~~~
hkr
Define "something good." You haven't given any reasons on why it sucks.

~~~
jasonkester
Something that lets me use my email address as my ID.

I can remember my email address. I can't even remember which openID _provider_
I used to sign up for StackOverflow, let alone how they expect me to form the
URL that I use for my login.

So once a month, when my cookie expires, I get to perform a
forgot-password-like action, where I dig through my email to find my username,
then try several combinations of it and claimid.net (or was it .org) until it
lets me in. But I'm not in. I still have to type in my username and password
and, click OK, then click OK on a second screen.

That's on the order of 10 more steps than it takes me to type in my email
address and password. I remember my email. And I can type it in 400
milliseconds.

The thing that replaces OpenID needs to understand that.

~~~
patd
Just put a delegate on a web page URL you'll remember. Like on your personal
website.

I use my own page and use the OpenId delegate meta-tag to point to the domain
that I also don't remember:
[http://openid.net/specs/openid-authentication-1_1.html#deleg...](http://openid.net/specs/openid-authentication-1_1.html#delegating_authentication)

This way you only have to remember your own URL like:
<http://openid.mydomain.com> and the password that you've chosen.

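The delegation the comment above describes is what a relying party discovers when it fetches the user's own URL: two `<link>` tags naming the provider endpoint and the identity the provider actually knows. The following is an added example (not code from the thread or from openid.net) that performs that OpenID 1.1 discovery step over a constructed sample page; the provider hostnames are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a delegating personal page (stand-in for the
# commenter's own site). The provider URLs are placeholders, not real endpoints.
SAMPLE_PAGE = """<html><head><title>my site</title>
<link rel="openid.server" href="https://provider.example/openid/server">
<link rel="openid.delegate" href="https://alice.provider.example/">
</head><body>hello</body></html>"""


class _LinkCollector(HTMLParser):
    """Collect href values of <link> tags, keyed by each token in rel."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for token in rel.split():          # rel may hold several tokens
                self.links.setdefault(token.lower(), href)  # first one wins


def discover(claimed_url, page_html):
    """Return (server_endpoint, delegate_identity) for a claimed URL.

    Per OpenID 1.1, the relying party talks to openid.server and asks it to
    assert the openid.delegate identity; without a delegate tag the claimed
    URL itself is the identity. The absolute-http(s) check is a guard this
    example adds so a relative or javascript: href is never followed.
    """
    collector = _LinkCollector()
    collector.feed(page_html)
    server = collector.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link on claimed page")
    delegate = collector.links.get("openid.delegate", claimed_url)
    for url in (server, delegate):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError("openid link is not an absolute http(s) URL: " + url)
    return server, delegate


if __name__ == "__main__":
    print(discover("http://openid.mydomain.com/", SAMPLE_PAGE))
```

The relying party must later check that the provider's signed assertion names exactly the delegate identity returned here, not merely any identity the provider is willing to vouch for.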
~~~
jasonkester
Is that actually a serious suggestion? Is that what you'd tell your
non-technical users when they asked you what an openid was?

Sentences that start with the word "just" should describe something easy to
do. Like, you know, using your existing email address as your unique ID.

~~~
patd
That's not the suggestion I give to non-technical users, that's the suggestion
that I give to you that took the time to learn what OpenId is but complains
about it.

What I tell website developers is to add a login with Google, Yahoo, ... +
OpenId (Google and Yahoo are openId providers) and each will redirect users to
the correct OpenId endpoint (the one from yahoo, the one from google or your
own).

And I don't say anything to non-technical users. They will see a "login with
Yahoo" or "login with Facebook" or "login with Gmail" and they won't even ask
me questions about OpenID. The ones that know what OpenId is and have their
own custom URL will use it. Others will use the endpoints provided by Yahoo or
Google and won't know what OpenID is and they don't need to.

~~~
jasonkester
Have you done any testing to see how many users you lose by doing this? There
is, after all, a percentage of your users who will see your "login with Yahoo"
message and not understand what you mean, then leave when they can't find a
way to register.

You seem to think that number would be low. Experience with users &
registration leads me to believe that it will be quite high. I personally
don't plan to implement openID, so I can't do any testing. I'd be curious to
see what your numbers say.

------
Aetius
I'm sorry, but it's just not worth expending the extra effort to get you signed
up to my service. I can get millions of people before it even starts becoming
an issue.

~~~
jat850
I feel that's a flawed attitude. It's like reverse entitlement.

Were I a startup founder, I would make it my goal to ensure that EVERY.
single. potential customer can use my site, within my capabilities.

(edit: I don't know why you're getting downvoted; you stated your philosophy
as part of the discussion, which I don't think is a good reason to get
downvoted.)

~~~
Aetius
It is my goal. But not right now.

~~~
mkramlich
I think you have the right goal, FWIW. For now. Because it's about priorities.
Especially for a startup.

When you're building a startup, in my experience you want to advance on the
narrowest front you can, as you build out the feature set and reach the
market. Don't provide 5 ways to do X if you can just provide 4. Or just
provide 1. Etc. There'll always be room in the future to iterate and add
support for additional use cases, additional integration points, and
additional polish. But you generally want to get to market fast, get real
users, real customers, validate your market assumptions and business model
assumptions, and slow or stop your burn rate before your runway runs out.

Saying NO to some things frees up additional time/money to say YES to others.
So you should prioritize.

------
GrandMasterBirt
+1. Same problem. I created a dummy fb account for these sites, but don't want
to actually get on FB ever.

------
tiber
Make a fake facebook profile. Fill it out as an Austrian Painter, interests
include politics, coups and you hang out at the beer hall. Weekend fun
includes bonfires and rabblerousing! You enjoy writing books about your
struggles.

You'll seem like a fun filled, lovable person. Who could hate you?

