Hacker News new | comments | ask | show | jobs | submit login
Amazon Announces Login with Amazon (corporate-ir.net)
163 points by wanghq on May 29, 2013 | hide | past | web | favorite | 92 comments

I was shocked to discover this is the canonical URL & domain for the Amazon press releases. After I clicked the link and saw the URL I initially thought this was some bizarre phishing scheme.

That being said, I think this is a great idea. I don't love the Facebook OAuth flow and the amount of access most apps ask for. I have trouble taking Twitter seriously as an OAuth provider [bias much?]. I think there are many US-focused companies who will be excited to have Google & Amazon as the two default OAuth authentication providers. If nothing else, it's much more adult than Twitter/Facebook. Oh, and Amazon has your credit card info and a great platform for SaaS billing :)

Regarding the URL: Amazon (and just about every public company in the US) outsources the investor relations portion of their site, because it is easier to do so than to integrate the feeds mandated by the SEC on their public site themselves (stock quote, press releases, sec filings, etc). There are 2 major competitors in this space, and the one that Amazon chose has these ugly URLs.

I'm surprised that they haven't made this better since that platform (phoenix) was designed in the mid-2000s. I presume that nobody really cares enough to put money into migrating it to a url scheme that is more sensible... the site exists to satisfy the SEC, and serious investors get their news/stock data from other sources anyhow.

>I was shocked to discover this is the canonical URL & domain for the Amazon press releases.

It seems like it is outsourced investor relations. Funny thing is that if you go to the bare domain, it redirects you to ccbn.com, which doesn't work because CCBN (Corporate Communications Broadcast Network) got bought out in January and apparently killed their domain too. That's pretty shoddy.

>That being said, I think this is a great idea. I don't love the Facebook OAuth flow and the amount of access most apps ask for.

You bring up a perfect point from a user's perspective and I agree with you. The challenge for Amazon is that there are two competing interests:

1. Users who don't want their entire life to be open to developers

2. Developers that want as much info as possible on the users

Facebook favors group #2 above, Amazon will probably favor group #1 above. If that ends up being the case, how many developers will be willing to utilize the OAuth service that doesn't give them as much info by default?

If Amazon were as ubiquitous as Facebook, we would.

In most situations where we've used a Facebook login, it's simply to avoid forcing the users to create yet another account. We don't pull any real data (except maybe a couple things, again, for their convenience - to fill out their profile) like their name. We push nothing back.

Being able to say "Hey, just login. We don't actually care about your information." would be much preferable to Facebook's unnecessary "This app is requesting permissions to access your profile and friends list." We don't need that information.

I guess maybe that's our fault for abusing Facebook integration by using it simply as a single sign-on service.

If you have any doubts about which customer Amazon is more interested in, just take a look at this new AWS service and the APIs


The URL is quite common among large corporations and is used by, off the top of my head, Gamestop and NVIDIA.


Yeah, but that URL behaves really weird, when you try requests for the domain without any actual URI at the end.

For example:



http://www.ccbn.com < I somehow got redirected there...



Some history for those that are interested:

corporate-ir.net is a utility domain that only exists to serve customized investor relations sites. The base domain itself actually does nothing. Think of it like github.io... www.github.io serves no purpose in itself.

phx.corporate-ir.net was a major upgrade to corporate-ir.net done around 2003, called phoenix. That's why there's the strange phx subdomain in front of the domain. Apparently that was the last upgrade they did to this service... and its neglect is most likely the result of a couple of acquisitions.

corporate-ir.net was created by a company called CCBN (ccbn.com). They were purchased in the 2000's by Thompson, which then merged with Reuters. Thomson purchased CCBN for a different product (not corporate-ir.net) that was strategically important to their business. So its not really a surprise that they haven't put much TLC into the way that the domains resolve -- this investor relations website business is peanuts compared to Thomson-Reuter's core competency.

If you have trouble with Facebook and Twitter, how is Amazon/Google better? They all have great engineering teams, but they also all make money on data mining – not the best feature of a login provider (2013-05-30: jrandomhacker successfully logged in to PersistentGenitalArousalDisorder.com … let's show some relevant ads next time his in-laws are near the computer).

I'd stick with Mozilla Persona.

I agree. I love OAuth idea and the single-sign on flow. I love having one source where I can go and see all of the sites that have my info, and I love being able to rescind my account from that central location.

However, I hate that Facebook/Twitter take it a step further with all of their social integration features to the point where many apps assume, by default, that you want to share share share everything you do all over your social network.

As I've found a number of apps/websites that do not allow you to continue without giving them permission to post on your wall, I've been forced to mark every single app/OAuth site on my Facebook as available to "only me". Post all you want, no one will ever see it.

Curating what gets posted under your name shouldn't be this much work. I shouldn't have to strive for a clean digital presence with content that adds something to my readers life.

I'd love an OAuth provider that HAS NO SOCIAL NETWORK!

And Google is out on this too, sorry, but Google Plus is obviously the only web property that Google cares about anymore and trusting them not to socialify everything is a fools game.

I'd rather use one with an exceptionally good security policy (including account recovery), realtime multi-modal notification, customizable settings (i.e. being able to ip/geo restrict, rate limit, etc.), etc. And maybe do groups, too.

Google Apps for Your Domain could be kind of like this, but isn't. Probably the closest, though.

Maybe someone like Dropbox/Box.Net/AeroFS?

This is basically exactly what I built https://www.persowna.net/ for. It's still in its infancy (as is Mozilla Persona), but that's where I want to take it.

Can I email you to talk about your needs a bit? It sounds like you have some good ideas.


Amazon does have a social network though https://kindle.amazon.com/, actually two now with the aquisition of goodreads

I though persona by Mozilla was basically this.

It is. It's unfortunate that more people don't know about it, especially since it's ridiculously easy to implement, well-designed and would save us all a lot of hassle.

If you're running a Django app, please add Persona integration. It takes around five minutes, literally.

I thought Persona was an _idea_. I personally haven't seen a single Persona login in the wild.

> I'd love an OAuth provider that HAS NO SOCIAL NETWORK!

GitHub, BitBucket?

Both are actually good options if you have a service with developer demographic (even if its just in part). I'm using Google & GitHub right now, and will likely add Amazon since it's very little work to do so.

I'd rather use Mozilla Persona based login systems than OAuth based ones. From both a user and a developer point of view, Persona is a very refreshing approach to identity instead of OAuth.

For those wanting to know more about Persona, check out https://login.persona.org/about

also since Persona is from Mozilla, you can see all the code and development and you know that privacy and user safety are number one priority.

I'm having trouble finding sites that use Persona as a login option. Does anyone have any examples? Trovebox seems to have a demo site up, but I was not able to actually log in to my account.

Two of mine:

https://rachelbythebay.com/store/ - just put this up yesterday - easy enough.

http://scanner.rachelbythebay.com/main - this one's been using Persona since it was called browserid. (Hit the gear on a call to see the login prompt - you only need the login for certain extended functions)


Click the "Log In" button at the top to see the Persona login screen.

And two of mine:

http://www.deadmansswitch.net/account/login/ (click "BrowserID login", my UX isn't great).

http://www.yourpane.com/ (click Persona without entering an email address, my UX isn't great).

Ditto. Why isn't HN supporting persona? :)

I wish HN would use persona!

Exactly. I hope so much that Persona takes off. It's a breeze to implement, taking barely five minutes to add to your site from scratch, versus the hours traditional sign up takes, it's decentralized (you can easily become your own provider, etc https://www.persowna.net) and it's very very convenient.

If you're making something, please please add Persona to the list of login methods. If you're currently using emails for logins, it's even backwards-compatible.

This is about the four horsemen -- Amazon, Apple, Facebook, Google -- and how Amazon is moving forward with Facebook and Google, and perhaps into the lead.

The true purpose of Google+ is to accumulate more information about you, not to be a "social network" per se. The latter is the means to the former.

Amazon has a huge amount of exceptionally high quality ecommerce information. They have "only" 200 million users, but info about what they actually like -- because they buy it -- not what they say they like. Plus, for search -- if you're searching for products/pricing, you might already use Amazon not Google.

Login helps Amazon extend information beyond ecommerce -- and potentially pull clearly in the lead in that regard compared to Facebook and Google.

Apple...has a problem in this regard. Excellent company in many respects, but falling out of the pack in this regard.

p.s. In all of the above I'm only talking about it from the company perspective. If you think it's not necessarily a good thing for a company to have even more complete data about you, I wouldn't argue with you.

Apple doesn't even know how to offer an analytics tool for app developers.

Alright, but the question is "why would someone want to log in with Amazon"? There's no social network attached to your Amazon account. It seems like it would be an odd choice of identity provider, unless you are a store and already using Amazon's fulfillment services.

For some reason it strikes me as a pretty good idea. Upon further reflection, I think it has something to do with:

- Trust -- people increasingly distrust sites like Facebook or Google (privacy concerns), but Amazon still has pretty much entirely "positive" feelings for consumers. And if they can run AWS as well as they can, then you assume you can trust them with your password too

- Micropayments -- your credit card is already linked to your Amazon account, presumably, so it suddenly enables you to pay for content, etc. on a wide range of sites where you might not otherwise, due to friction and trust issues

It's funny... for some undefinable "fuzzy" reason, I feel much more willing to log into a site using Amazon credentials, than I would with Google, Facebook or even Apple.

That's probably because you're a paying customer rather than a pair of eyeballs to them.

Right. You're the customer, not the product.

Absolutely agree - I'd love to be able to use my account on other merchant's sites without having to enter cc info.

> "why would someone want to log in with Amazon"?

> There's no social network attached to your Amazon account

I think you answered your own question.

This. I avoid accidentally posting some garbage to my facebook wall.

I'll finally start using "Log on with" if I can use Amazon.

Assuming Amazon's endgame is optional integration with their payment/delivery platforms, there's certainly the hypothetical possibility of accidentally purchasing from confusingly designed sites you'd never give your cc details to though.

Since chargebacks - unlike social spam - cost money, Amazon has every reason to be more cautious about their permissions and confirmation screens, but the wary user probably isn't unjustified in hesitating when asked to sign up for a free service using a login they normally use to buy stuff with.

But might you now have to put up with Amazon targeting even more ads and recommended products to you based on the various sites you've logged into using their service? :/

So your complaint is that the ads you see will be more relevant to your interests? Really?

My complaint is the payment for the login service through the use of my behavioral data I'd rather keep private. I have never clicked through an ad to purchase anything. I dislike seeing ads that are clearly based on my behavior but don't understand the intent of that behavior (i.e. showing me ads for generators because I looked at a few on Amazon to compare the stats to the one I already own). I also dislike seeing ads in general because they are not a useful feature to me. I'd prefer to pay for features in a more direct and favorable (to me) manner. I also dislike the concept that targeted ads are in some cases specifically designed to influence my attitude toward brands and provide me with information that may not be absolutely true but which they will hope I internalize to influence my future purchasing decisions.

Obviously, this is my personal preference, and I do understand that ads can be a useful revenue stream for companies targeting other users with different profiles from mine.

There's not a social network, but there's a "money" network attached to your Amazon account (i.e. your credit card) From the article:

>> "over 200 million active Amazon customers"

That's 200 million verified credit cards of people who are comfortable with ecommerce. There's arguably some value in that.

Why? Because there isn't a social network attached to it. I don't have to create another username/password and I can possibly avoid entering credit card details into another site if I decide to do business with them. Why not is a better question.

What does a social network have to do with it? I thought that logging in using a third-party account was simply a way to ease signups and limit password/account explosion, nothing to do with "social" anything. Certainly that's how I use it.

Have a quick look through the comments of the letsbeamigos.com show HN:


All of which seem to be saying the opposite of the comment I'm responding to: not having a social network is a bonus.

If I was selling something I would want to use Login with Amazon. This press release doesn't specify, but potentially they could add a one-click purchase API, which would be very nice.

This is the sort of thing I was assuming as well, if it let you tie in to doing purchases via amazon's payment API (though I'd still expect another request for password during purchase, but it would pre-assume account) could be useful, if leveraged correctly.

amazon wants you to do so for advertising purposes, and this is particularly important given the implications of firefox's 3rd party cookie policy / dnt. Amazon is actually quite a large ad vendor: they allow you to retarget based on purchases and because they've run out of inventory on amazon proper, they buy on exchanges. Running a login system means they can track you around the internet, and this nicely dovetails with ff's new cookie policy since amazon will most likely be on of the sites you've visited and hence a permitted 3rd party cookie. This is a valuable dataset for an advertiser, and even more importantly, will allow 3rd party targeting to continue to work.

This is also why fb / twitter / G run 3rd party login systems.

Personally, I don't like "login with facebook" everywhere, because every site wants permission to "post to your wall" even when not logged in, etc... Personally, I find this unconscionable. I find the same thing happens with Google these days for single-signon... I'd much rather have a common/popular oauth provider that does NOT have a social integration piece. I don't want invites to every game you play, and don't want them sent out to my friends.

Google was really close to this for me before the Google+ thing. At least with amazon, acting as a purchase gateway is an additional bonus.

I don't have up to date addresses and payment methods anywhere else, besides PayPal, but I'm far more active on Amazon. That's a great way to turbo charge sales.

I think you have to integrate that separately:


on second look, it's just a login system, no payment integration https://images-na.ssl-images-amazon.com/images/G/01/lwa/dev/...

I hope payment integration is at least on the burner, though. It seems like an obvious addition -- if the customer is already logged in to your site through Amazon, why not let them bill their Amazon account for stuff on the site?

Amazon certainly isn't averse to third-parties using their infrastructure; in fact, they've encouraged it. Kindle Direct Publishing, their third-party seller program, all of the AWS offerings...

Naturally, Amazon is going to want a cut (which is a perfectly reasonable thing for them to expect, don't get me wrong).

At the same time though, a login system offered by an e-commerce company is a huge step toward one-click payment integration.

I'm not too sure, for my purposes. I was trying to think of some ways we could use this, but I'm just not seeing it. Perhaps I'm misunderstanding, though.

Can anyone provide some neat examples for cases in the context of web applications? Their mobile app examples didn't really speak to me.

Login with Amazon. Now the person has one-click purchasing power. Or most likely, a credit card on file, which is more valuable then a Facebook profile without any CC on file, especially in the context of a web application.

That makes more sense. That would be pretty neat.

Because it's not Facebook.

You can also integrate this with your own apps via AWS / IAM:


I'd prefer Mozilla persona. Amazon as well as Facebook and etc. aren't trustworthy - they are tracking your activity and using them for external logins sounds like a very bad idea.

I get Facebook. But why is Amazon not trustworthy?

How are they different from Facebook? They also have behavioral targeted advertisement.

Amazon is all about e-commerce, and their partners are reporting a 40% adoption rate for new signups? That sounds way higher than facebook's oauth ... if this continues, Amazon could be an awesome platform to build a business on! They also have a credit system now -- and inventory!

I think this could be really interesting. In my opinion, Login with Facebook creates a little bit of anxiety for customers. Everyone has been burned by unanticipated sharing & with this there is no social network to share to. I need to read the documentation (from a quick glance) it didn't seem like allowing people to checkout with Amazon on your site was possible but I bet that isn't far behind. That to me could be great if they are reasonable on commission rates.

The more the merrier. I only feel comfortable using my Twitter log-in, and I don't have any privacy reservations with Amazon either.

Yes. Amazon itself is undoubtedly data mining your purchase history, but at least they're not spewing your personal info to every random Serfville/PirateWars "games" that one of your friends signs up for (yes, I know that you can turn most of that off, and I have; most people don't).

Everything I've heard and experienced indicates that Amazon is pretty tight with customer information. Certainly you don't get any personal information on customers when you sell ebooks through the Kindle store. Apple is also pretty good about that.

My main problem with these (as user) is that I usually have hard time remembering which sign-on system I have used for a particular site. Twitter? Google? Facebook? Username and pass? Amazon?

In most cases what I would truly like to have is a option to order a sign-on link to my email that would be valid for single use and just for some minutes.

I think this is really great! As a customer, I'd much rather sign in with this than Facebook or Twitter, as then I know there would be no social side-effects - e.g. posting on my behalf or similar - which is sometimes anxious making when confronted with a social login button. This separates easy sign-in from social sharing.

I'll echo what some of the other commenters are saying, namely that for anything e-commerce related (and I'd argue SaaS-type software) this method of login makes most sense. If you were going to sign up for a free trial of something or create an account at a store, would you want to login with Facebook or Twitter? Or Amazon, whom you likely already trust with your money. The latter I'd say.

On the other hand, if I have a social or news/content site, FB and Twitter login makes the most sense. That way I have access to their social graph as well as an indentity.

Anyway, this is pretty cool. I think I'll integrate Login with Amazon with my startup (mariposta.com) pretty soon, as it very well could lessen signup friction. We'll see.


Pretty soon I'll go to "thenewestwebflatdesignstartup.com" and I'll be given these choices:

Login with Facebook, Login with Twitter, Login with Amazon, Login with Persona, Login with OpenID

or create an account with email

Click here if you have no idea what account you used.


I'd rather use Amazon than Google or Facebook, but I'd rather use a site that only did identity than any of the rest. (I don't want access to my Kindle books screwed up because Amazon decided I did something wrong when using them for login, and banned my account. Yes, that reminds me that I need to backup all my Kindle books monthly.)

I don't know what the business model for such a site would be, though.

This is excellent, as I would love to have a shared login provider whose business model does not revolve around sharing my information (e.g. twitter, facebook, google). I really don't want everyone on my [friends list equivalent] to know every time I create an account anywhere on the internet, and I feel like I'm always one privacy setting away from that happening.

Seems like a great idea and a signup option that will spread quickly. Mostly because Amazon accounts tend to be linked to payment options already so you essentially add people who are used to and willing to play online to your site.

I hate Amazon login where I can't reuse any old passwords as a new one or even as part of the new one.

It makes it just impossible to remember your login when you reset it a few times, because you need to learn a new one.

why are you remembering passwords?

Can this be used for taking payments quickly from users?

OAuth is for authorization, not authentication. Please stop using it like this. If you want SSO-style authentication using OpenID or SAML2.

Unfortunately I think that ship has sailed. Personally I'm hoping Persona will catch on. At least that's designed as an authentication scheme.

What problem does it solve that OpenID doesn't? OpenID already has a lot of adoption, and IMO works quite well.

OpenID is great, but I somehow just don't expect it to get that much adoption on sites where "Sign In With Facebook" is the default. Whereas I have at least some hope that Persona might become that common if Mozilla play their cards right.

It seems that Login systems is becoming a fragmented space, there's Persona, Google, Oauth, Wordpress, etc. and now Amazon.

So when are Amazon payments coming?

I just used Amazon payments today to buy the new Humble Bundle.

They're kind of under the radar, but it's a pretty good system, actually, as tons of people already have Amazon accounts.

...This feels more like OpenID rather than OAuth. Could someone explain? I'm so confused.

People apparently think that OAuth is Open Authentication not Open Authorization. I think that ship has sailed, unfortunately. Although it still confuses me when I go to log in to a site and I get the pop-up about "Do you want to authorize this application to access <X>?"

I understand that this is a good idea for Amazon because it is good for them to keep people within their ecosystem, but this is what I think of whenever someone announces a product that has already been made several times: http://xkcd.com/927/

I wish I could OAuth with my hn login!

This could be a game changer for web payments and the built-in A/B testing sounds cool but I couldn't find any details in the docs.

Won't be using this.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact