The goal of Facebook for login is to improve signup conversion rates for your sites and make it easier for users (so they don't need to re-enter all the same information and re-find their friends on every site they use). This thread is really interesting for me and the rest of the Platform team at Facebook because it illustrates how far we have to go. Please keep the feedback coming, however harsh :)
I get the brand perception and trust issues - it is something we care a lot about and are actively working on.
Beyond that issue, we have internally been talking a lot about ways of making the user experience smoother, more familiar, and less intimidating. If all of you running startups have practical suggestions about how the experience of a user using Facebook for login could be improved to help out your site, we would be really eager to hear it. It is a great time to get the feedback, as we are actively iterating on ideas internally.
I have a major ideological problem with this recent trend of sites using Facebook connect. Don't take this the wrong way, but Facebook is a toy. People use it to share party pictures and play Farmville. I would just as soon trust a circus clown to be the central authority on my identity as you guys.
And when I visited a site for the first time to see my Facebook contacts there, without ever having signed up for the site in the first place, I got angry. Really, really angry. And then I got even angrier when I went through the 30 step process of turning off this "feature".
I don't know how representative I am of the population at large, but this stuff drives me nuts. Please stop.
Thanks for reaching out Bret. Some suggestions going in order from user focused to app/site focused:
1) Fix graph.facebook.com to respect user permissions. graph.facebook.com/userid publicly leaks real names and UIDs even when users ask to be non-publicly searchable. This is creepy and makes users nervous that they don't have control over their privacy.
2) Give users back granular control to explicitly disallow sharing of any info they wish to keep private. This includes their friends graph, likes, wall access, etc. (empowering them to have the choice will reduce the sense of lack of control).
3) Let the application/site owners describe what they intend to use the information for. Ideally hold the app to the contract as well. example: "Need access to your wall in case you explicitly tell us to publish/share something on your behalf - we will never post to your wall without your approval".
Anecdotal story:
I showed someone Quora 2 nights ago and suggested they sign up. She said "Why do they need my Facebook? No way!". When asked "why?", she said, "I don't want that site spamming my wall - who are they?".
My takeaway: If Facebook wants to be the login for the web, it needs to give people comfort that they have control over how an app/site behaves on their behalf.
Users are terrified that an app will spam their friends.
The users that aren't are pre-teens that don't care or older adults that don't know what spam is.
On one of our apps, we improved FB connect usage by 50% by adding the disclaimer "This won't post anything to your wall or friends. We promise." under the connect button.
Developers need help reassuring users that an app is not evil. The current FB dialogs are sterile and ambiguous and don't help.
I realize this might not be winnable because (1) many apps are trying to spam and (2) Ultimately, Facebook wishes users would share as much as possible.
I doubt my feedback would make a difference, but this is precisely why I stopped using Facebook and made sure to close my Facebook account entirely. Linking my web activities to my profile simply freaked me out; a certain extent of anonymity is something I expect online, and having Facebook cookies on my laptop made me feel exposed: I want to be just "old-gregg" when I see fit and creepy facebook integration takes it away from me.
Although I do appreciate you making yourself available to feedback in a direct ad-hoc way. Very unusual for a company of such size.
Thanks for chiming in here. At our startup we are trying hard to reassure users we're not going to misuse the Facebook access they're giving us. Even though we're asking for a fairly limited set of rights, the permissions screen that appears after the Facebook Graph login is quite intimidating. The design has a warning stripe across the type that is reminiscent of a danger sign, and combined with the copy, inspires a feeling of alarm. See http://developers.facebook.com/docs/authentication/ for a screen shot. It would be better if the screen were friendlier and less evocative of danger.
Additionally, the oauth tokens should be long-lasting by default. We originally set up our site to not ask for an extended-life token, because we wanted to reassure users that we weren't going to be posting things on behalf when they weren't using the site. But this ruined the user experience. A short time after logging in to our site, a user would initiate an action, but because their token had expired, we had to pop open a new Facebook login window, interrupting what they were doing. Users were annoyed at having to constantly re-login to Facebook. So we now ask for the extended life permission. While this improves the user experience, it adds another intimidating message on the Facebook permissions screen, implying we're going to be posting on their behalf even when they don't initiate it.
Happy to chat more about what we're doing and give additional feedback.
My fear is that by using Facebook Connect to log into Site X, I will somehow allow Site X to access my Facebook data (my info, friends list, interests, posts, etc.)
If I could be assured Facebook Connect was simply serving as an authentication service, and did not implicitly authorize sites that use it to access any data about me, or post to my Facebook page, I would probably use it for some sites.
Facebook Connect is a good feature, but has one big disadvantage: does not describe the interaction in a comprehensive way. I often connect and come up with the screen 'let publish on your wall' and, well, what does it really mean? That you'll post my every single action on fb? Some specific actions? A summary once per day? Will my wall get spammed? Should I trust you?
I don't like when things get complicated too much and that simple approach seems ok, but on the other hand, it lacks detail that would make users feel safe about using fbc. If 'publish on your wall' had specified settings for the webservices, it'd be much more effective.
Agree 100%! This is the main reason that I don't use Facebook Connect - I have no idea what a site will try to do in my name, nor do I have an intuitive understanding of what Facebook will let a site do in my name.
The funny thing is that I was going to leave this answer: "And your categories aren't mutually exclusive: I fall into all three of them and would never use a service that requires Facebook connect," but when I hit "post" (or whatever), a login screen came up with a big "Facebook Connect" logo, and I shut it down.
Maybe the login screen is part of the problem: I might've posted anyway if it had four fields: "User name" "email" "password" and "retype password." As it is, signing up sounds too invasive or too tedious to bother for a short comment.
What happens if you've created your account on lots of websites using Facebook Connect, and then one day you decide to completely delete your Facebook account?
I don't mean created a unique account on the site then linked your FBC (and Twitter, etc) to it, I mean actually created the account by registering on the site through FBC.
Do you lose all your accounts on the other websites too, or do they somehow remain even though you didn't create a unique userid, pwd, email for the account on those sites?
If you run a site that uses Facebook for login, when you log someone in via Facebook, you can ask for their email address via the "email" extended permission. Your site can then support a password reset page (like most sites already do) to enable those users to create a password via email if they decide to delete their Facebook account. Requesting email address is a good "escape valve" for users if you are concerned about this aspect of Facebook login.
FB Connect has a reclamation process or something to deal with this (theoretically), but the website has to support it.
As someone using FB Connect, we don't support it, and I'm guessing most small/medium sites (like mine) don't either. It's such an edge case that most people that fall in that bucket are SOL.
Have Facebook fixed the problem where people can't log in to your site using Facebook Connect if they don't have JavaScript enabled? I find that enormously frustrating - no other feature on my sites requires JavaScript (though I use lots of JavaScript for usability enhancements), so adding it as a requirement for logging in really annoys me.
When a user goes onto Quora they are looking for information. Then, when they see the FB connect button, that goal of finding info suddenly becomes related to social relationships. Now the user has to switch mental contexts and think about the social impact of their decision. That invokes an emotional response when all the user wanted to do was quickly find an answer to a question (or at least explore a site that might have this answer).
I've done user tests with FB connect buttons. I've seen users actually pull their hand off the mouse and take pause when the button appears. It invokes a powerful emotional response in some users.
Some people, myself included, are wary of Facebook and don't have an account there, for various reasons. Privacy erosion, nasty tactics, spam are among them.
Now I'm not saying these issues are present in Facebook Connect, but I don't have the time to find out and I don't want to gamble that everything will be dandy in the future, especially with a company so removed from ethics as Facebook.
When you name a new product using your old and renowned brand (like Facebook Connect using Facebook), both positive and negative karma is inherited from the old brand. This also may explain why some don't like FB Connect.
And, if you use another company's product (like with Quora and FB Connect), you risk inheriting the consequences of its negative karma as well.
I think you really need to understand that there are people who use Facebook in a very different way from how you use it. There are those who, like you, don't care about their account. They have no personal information on there. They made it just for the sake of having a Facebook account, so they could feel as though they were participating in social networking. These people are fine using Connect because they have no investment in Facebook. To them, it's really no different than a scarcely used email account.
For others, Facebook is a very strong online representation of their actual real-life identity. They joined when they entered college. It became THE platform for staying in touch with friends from home and new friends on campus. Photos on Facebook catalog their entire lives from that point onward. They have literally more on Facebook than they do off of it.
Asking these types of users to Connect with Facebook is no different than asking them to login to sites with real information only. It's akin to requiring HN posters to use real names for usernames, real contact info, include real pictures in their accounts, etc. This is something the vast majority of HN would not accept.
Quora wants to be a QA service where every account is linked to something real. That's how they intend to deliver a quality product. That's what makes them different from other QA sites. This obviously slows their growth, but they need to do this to make their site worth anything. Eventually, they will try to convince more and more Facebook users that it's okay to reveal themselves on Quora. Until then, we will just make the Facebook-account-equivalent of spam-only e-mail accounts, and use those for sites like Quora.
Imagine you really, really cared about your FB account -- only real-life trusted friends were linked, you kept your profile free of spammy apps and then some q&a site wanted those credentials.
It's not a million miles away from asking one of us for our private keys.
I cannot speak for anyone else but I do not understand what doing so gives the website or Facebook access to, nor would I trust either party to change without notice that even if I was aware.
I can't be the only one who doesn't have a facebook account, because I believe that Facebook is a (potential for) waste of time on a massive scale.
I do have a twitter account, but honestly I don't want to use it to sign-up at other pages. If you don't want to handle user names and passwords, use openid.
I don't care about my FB account either, which is why I don't use FB Connect. If I start caring about a site that I access using connect, then I end up having to care about FB -- which I want to avoid more than I care to try various web app trinkets.
I love seeing facebook connect buttons because it means I will be logging into a site without touching my keyboard. This is a big win for when I am on the couch.
Doesn't surprise me that Twitter is very popular at the moment, I think when the site branches out and picks up more users outside of the tech/startup crowd then that will shift more back to facebook. Anecdotally from what I've seen, not many people I know use Twitter but most of everyone I have met in tech/startups do.