Social login buttons aren't worth it - damncabbage
http://blog.mailchimp.com/social-login-buttons-arent-worth-it/

======
acabal
On a tangentially related note, developers, please remember that not everybody
in the universe has a Twitter account, or wants one. If you have some cool
product and I _must_ sign in with FB/Twitter, straight to the close tab button
I go and I'm not looking back.

~~~
henriks
When Spotify launched in the US, they disabled signups through their in-house
authentication system and required that new accounts be created through the
Facebook login. I never quite understood this, since I have a strong aversion
to paying actual money for anything associated with my Facebook account.
Thankfully they kept the old login system around for existing users (and
they've since re-enabled sign-ups through it.)

~~~
sesqu
They were heavily pushing the social streaming aspect, and admitted to as
much. Letting other people know who you are listening to is a longstanding
tradition, and worth good money to Spotify (who never raked it in to begin
with).

~~~
henriks
I get that, but between the opt-out popups trying to trick you into
broadcasting stuff on facebook and disabling signups for the old login system
it got to be a bit much.

------
patio11
I agree with the conclusion, but the even more wildly actionable information
is that you can decrease CS costs and increase customer happiness by using
copywriting better than "That email and password do not match our records."
(Also, as a product owner with an engineering background, I have to come down
on the "In this case, prefer UX over security" side of the debate, since there
are numerous other options for divining existence of an account/email address
and refusing to tell the account owner that gets you no marginal security
benefit but does frustrate their use of your system.)

~~~
humbledrone
The thing I find pretty hilarious (sad?) is that many sites that give you the
generic "username or password is wrong" message are perfectly happy to tell
you that a username is in use if you try to sign up for a new account (geez, I
guess they sort of have to!).

~~~
cshesse
Maybe it should be "Username or password in use"

~~~
sesqu
The sad thing about that is that there have been actual applications with
actual users that require unique passwords.

~~~
bornhuetter
I was wondering recently if someone had ever done this. Do you have any
examples/links?

~~~
sesqu
TDWTF has several anecdotes. Try this, for one:
<http://thedailywtf.com/Articles/Uniquely_Secure.aspx>

~~~
bornhuetter
Thanks, that's hilarious. I can see someone thinking that unique passwords are
a way to make sure that people aren't overusing common passwords - and not
realizing that you are implicitly letting everyone know what passwords are
currently in use.

------
benregenspan
The title is total linkbait -- once you read through the article, it becomes
clear that all the author is claiming is that social login buttons weren't the
right choice for Mailchimp. They might be the right choice for others though:
"Sometimes it makes a lot of sense, and other times it’s just not worth the
trade-offs".

Although Mailchimp has a lot of users, it doesn't make sense to generalize
conclusions from one SaaS business to the whole web. A private SaaS dashboard
is a different use case from most consumer websites, where the goal of logging
in with Twitter or Facebook is generally to attach your public identity to
your posts or profile on the site, _not_ merely to expedite login. And
frankly, a private dashboard is a very strange place to add social login
buttons in the first place. Although the "what login did I use?" issue comes
up on consumer websites that make good use of social auth, it does so less
often, because if you connected a third-party account to one of these sites,
you did it for a reason and are more likely to remember.

~~~
mnicole
People seemed to miss this article when it was posted here when it was
published. Surprised at some of the comments; they seemed to only read the
headline before commenting as well.

Like I said then, the social buttons didn't work for MailChimp because they
implemented them after most users already had email logins. The article
dismisses a concept that is integral to onboarding users at _the beginning_ of
your service. When everyone has been using their email login for years, why
would they switch? I disagree with some of the people here saying these types
wouldn't use a Facebook login. _Lots_ of people use MailChimp; lots of people
that have no issue using a Facebook login (and don't understand the risk in
doing so).

This is a case of coming to the wrong conclusion with the wrong data.

------
TeMPOraL
> _What if Facebook or Twitter were hacked? Your social profile would be at
> risk (the sun would still rise tomorrow), but so would any other account on
> other services that are connected. That’s a little scary. Yes, Facebook and
> Twitter are good at security, but nobody, NOBODY, is perfect. Social login
> buttons delegate control of your users’ credentials to another service,
> rather than ensuring security yourself._

Well, nobody is perfect, but some are better than others [0]. Security is
hard. In my case, I'd trust services like Twitter and Facebook more than
myself right now (they have tons of good engineers and much more to lose in
case of a security breach). Like many other things, this is a trade-off.

[0] - <http://lesswrong.com/lw/mm/the_fallacy_of_gray/>

~~~
magic_haze
This is doubly true when it comes to Mozilla's Persona. I implicitly trust my
email provider more than any other site's login system (at least, the ones
that email password resets), so why not delegate to that all the time instead
of insisting on a different username and password?

~~~
StavrosK
That's why I love Persona, I wish it were more widely used (and by more big
names).

I actually got a little apprehensive about the security of the bridge, and
wrote my own IdP you can use for your own domain: <https://www.persowna.net/>

------
readme
Man, I'm glad to read some anti-social login stuff, as I personally do not
like everyone depending on FB. I've read articles on tech crunch which say to
ONLY have facebook logins for MVP, which made me cringe.

However, the key thing to realize here is that 3% of _mailchimp's_ users use
the social login buttons. That doesn't translate to 3% of _your_ users. One
app I work on is a social app for music fans. Most of our users hit the
facebook button. It's also mobile, so that might have something to do with it
as well (people might not want to type on mobile devices as much)

Takeaway: you need your own stats.

~~~
MicahWedemeyer
Exactly. Mailchimp has a very specific userbase, probably much closer to
Basecamp than Facebook. If you're in that camp (serving ads, tracking biz
finances, time tracking for freelancers, etc.) then Facebook/Twitter login may
send the wrong message, that you're fluff. But, if you _are_ fluff (music
sharing, video game discussion, daily joke email) then social login could be
very compelling to your potential users.

------
humbledrone
> Social login buttons delegate control of your users’ credentials to another
> service, rather than ensuring security yourself.

It is basically guaranteed that both Facebook and Twitter logins are more
secure than almost any website that might offer one of their login buttons.
How many websites have dedicated security engineers? Does mailchimp.com? I
doubt it (but I'd be impressed if they do).

The other arguments are pretty reasonable; of course if you don't want to put
another brand right in the middle of your login page, a social login button
might not be for you. But security is almost an anti-concern: it's probably a
win for your users in that respect.

~~~
prof_hobart
It's certainly possible that they may be more secure than a lot of smaller
sites, although that's not guaranteed - social media sites are fairly likely
to be more interested in agility than robust security.

What is pretty much guaranteed is that there's more people trying to hack
Facebook/Twitter security than most smaller sites.

~~~
TeMPOraL
> _What is pretty much guaranteed is that there's more people trying to hack
> Facebook/Twitter security than most smaller sites._

That, and the fact that they're still around means exactly that it is
guaranteed they are more secure than most of the smaller sites. Being a big
and valuable target to hit, they can only adapt or die.

~~~
prof_hobart
Not really. That would only be true if the hackers didn't occasionally have
success, like

<https://securityledger.com/that-facebook-account-hijack-vulnerability-is-still-dangerous-heres-why/>

or

<http://www.digitaltrends.com/social-media/twitter-was-vulnerable-to-password-theft/>

------
com2kid
For services I want to quickly try out once, if you just need a quick way to
authenticate, I will look for a Facebook login button and generally leave the
site if it doesn't have one.

Of course you also can't ask for any odd permissions either!

------
ctide
Did they consider that people tend to not use their facebook account for work
accounts?

Anything relating to my job, I use my work email with a password. Anything
personal, if I have the option, I use Facebook and don't let it post to
anyone but me.

~~~
azernik
Perhaps Google login would be better for them then - it would work especially
well for companies that use Google Apps internally.

------
ww520
Would using Mozilla's Persona instead of social login be a good alternative?

~~~
siddboots
I was thinking this the entire time I was reading the article, and was
disappointed not to see it mentioned. Persona was invented precisely to solve
this problem.

Hopefully it will gain traction...

------
acanby
> _If you’re using Twitter and Facebook for signup too you’ve got a bigger
> problem. A user’s credentials are then bound to another account on another
> service that could be canceled at any time, breaking access to your app
> without the user knowing_

I'd never really thought about this. What do people suggest doing to handle
this sort of use case?

~~~
jmathai
I dislike Twitter login for this reason, you can't key off a user's email
address.

------
cshesse
What effect would having "Stay logged in" checked by default have on the
number of failed login attempts?

------
NKCSS
While I agree (mostly) with the conclusions of the article, the reason social
login buttons exist, is that people want easy access to services without
having to fill out a bunch of stuff. Services like social login, persona and
other open id are a step in the right direction for solving that, but I think
it would be best if it were implemented in the browser. Specify how you'd like
to identify yourself to the web (or specific pages) and just add 1-click
confirmations. Can't believe I'm saying this, but Microsoft's InfoCard would
have been perfect for this :)

------
pewallin
Previous discussion from a couple of months ago:
<https://news.ycombinator.com/item?id=4603204>

------
blowski
It should be noted that MailChimp is huge. I have no figures, but I'm guessing
they have millions of users. This means that problems that affect 0.1% of
their userbase still represent a nominally large number of users. They don't
have problems like user acquisition and brand recognition.

For me, adding 'signup with Facebook' has increased the number of
registrations. I'll worry about the effect on failed logins when it proves to
be a problem.

------
argonaut
Even though I very much prefer having an FB login, and think that is much more
secure than having manual login (and thus having to remember passwords, which
most people will "solve" by having the same password, which is really
insecure), for the love of god, keep your social logins down to 1-2 options, if
you must have them. Please do not throw in Facebook, Twitter, GitHub, Google,
LinkedIn, and the rest of the kitchen sink.

------
mifreewil
> _"But after some further consideration, we decided that it was a false risk,
> as the username reminder form already tells you if a username exists"_

The solution would be to close that hole, rather than opening the same hole
somewhere else. For example, for the username reminder form, if the username
can't be found for a given email address, then that can be conveyed to the
user by sending them an email message.

~~~
gman99
Well, how do you work around the issue of the New User Registration form
telling you that the username already exists?

I think it's better to assume usernames are publicly available information and
at least get your UX right for the Login Form.

~~~
mifreewil
Good point. There isn't much you can do about usernames, but if the site just
uses email addresses as a login then you can protect that.

~~~
itsybitsycoder
Looking at the MailChimp site, I don't understand how that would make much of
a difference. Right now, you can enter emails into the "Forgot Username" field
and eventually hit a good one, but then you need to crack the email account to
get the username so that you can then stick that in the "Forgot Password"
form. Eliminating usernames, you click the "Forgot Password" link and enter
emails into the field until you hit a good one, giving you both the email and
"username" right away.
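The uniform-response pattern mifreewil proposes above, applied to both the "Forgot Password" and "Forgot Username" forms that itsybitsycoder discusses, as an added Python example; this is not code from the thread or from MailChimp. The user table, the outbox and the token store are constructed in-memory stand-ins for a database and a mail queue, and the leaky handler is included only to show what the hardened one changes: the HTTP reply is identical whether or not the address is registered, and the answer is only ever delivered to the mailbox itself.

```python
"""Account-recovery handlers whose response never reveals whether an e-mail
address is registered. Constructed example: USERS, OUTBOX and RESET_TOKENS
are in-memory stand-ins for a database and a mail queue."""
import hashlib
import hmac
import secrets

# Constructed sample user table (e-mail -> username); not real accounts.
USERS = {
    "alice@example.com": "alice",
    "bob@example.com": "bob_the_builder",
}

OUTBOX = []          # stand-in mail queue: (recipient, subject, body)
RESET_TOKENS = {}    # e-mail -> sha256 hex digest of the issued reset token

# Every recovery request, known address or not, gets exactly this reply.
GENERIC_RESPONSE = {
    "status": "ok",
    "message": "If that address is registered, we've e-mailed you the next step.",
}


def _hash_token(token):
    # Store only a digest, so a leaked token table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def password_reset_leaky(email):
    """The pattern criticised in the thread: the response itself says whether
    the address exists, so the form doubles as an account oracle."""
    if email not in USERS:
        return {"status": "error", "message": "No account found for that address."}
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[email] = _hash_token(token)
    OUTBOX.append((email, "Reset your password", f"Reset link token: {token}"))
    return {"status": "ok", "message": "Reset e-mail sent."}


def account_recovery_uniform(email, kind):
    """Hardened version of both recovery forms (kind is 'password' or
    'username'). Whether an account exists is conveyed only inside the e-mail,
    which only the mailbox owner can read; the requester sees GENERIC_RESPONSE
    either way. Mail is queued rather than sent inline so delivery time does
    not become a timing side channel on the response."""
    if kind not in ("password", "username"):
        raise ValueError("kind must be 'password' or 'username'")
    username = USERS.get(email)
    if username is None:
        # mifreewil's suggestion: tell the mailbox owner, not the requester,
        # that nothing matched. Rate-limit this path in production so the
        # form cannot be used to spam arbitrary addresses.
        OUTBOX.append((email, "Account recovery request",
                       "Someone asked to recover an account for this address, "
                       "but no account is registered to it."))
    elif kind == "password":
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[email] = _hash_token(token)
        OUTBOX.append((email, "Reset your password", f"Reset link token: {token}"))
    else:
        OUTBOX.append((email, "Your username", f"Your username is: {username}"))
    return dict(GENERIC_RESPONSE)   # copy, so callers cannot mutate the constant


# Digest compared against when no token is stored, so the unknown-address path
# does the same amount of work as the known-address path.
_DUMMY_DIGEST = _hash_token("no-such-token")


def verify_reset_token(email, presented):
    """Consume a reset token. Returns True once for the right (email, token)
    pair and False for anything else, without distinguishing 'unknown address'
    from 'wrong token' in the result."""
    stored = RESET_TOKENS.get(email, _DUMMY_DIGEST)
    matches = hmac.compare_digest(stored, _hash_token(presented))
    if matches and email in RESET_TOKENS:
        del RESET_TOKENS[email]      # single use
        return True
    return False
```

Token expiry is omitted for brevity; a real deployment would store an issue timestamp next to the digest and reject tokens older than a short window.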

------
the_gipsy
I'll keep conveniently logging into a lot of services with social logins,
thank you.

To me, there is especially the case of using a social login to sign up for
just trying out a service, which I would not have done if it had meant going
through the hassle of filling out a form or even validating an email.

------
skeletonjelly
But telling the user that their username OR password is incorrect is good
practice though, right? If you were trying to break into somebody's account,
it would be better for the person breaking in to not know whether or not that
account exists, is a typo, etc.

~~~
voyou
Is it really "good practice"? It seems like cargo-cult security to me.
Usernames are usually public anyway; refusing to reveal the existence of a
user name as part of the login process but revealing it elsewhere in your
application is pointless.

~~~
skeletonjelly
Take it to the extreme and think about banking. You wouldn't want to have a
system where you confirm and deny the existence of accounts for somebody who's
rotating through a brute force. SSH logins for instance do this.

~~~
polymatter
But if usernames are released publicly in forums, google crawled pages etc,
then an attacker already knows the existence of a subset of the accounts at
least.

For example, somebody attacking HN can crawl pages such as this one and
determine that 'skeletonjelly' is a valid HN user.

~~~
skeletonjelly
Sure, but I guess there's no one single security model that fits all
situations. I guess that's what I meant by "best practice". Obviously internet
banking usernames wouldn't be listed somewhere public.

------
josephlord
<https://news.ycombinator.com/item?id=4603204>

From when this was previously discussed (originally published?)

------
daGrevis
What happened with people who logged in with Facebook and Twitter?

------
domrdy
Depends on your target audience imo. For a consumer-facing product, if a
considerable size of your traffic is coming from Facebook, it sure makes sense
to have that option.

