Why Facebook Connect Shouldn't Be Your Only Sign-in Option (bijansabet.com)
157 points by dickersonjames on Feb 3, 2012 | hide | past | favorite | 105 comments



There's a good chance that if FB is the only sign-in option, I will immediately close the window and never use your service. It's pretty much an insta-bounce for me for the exact reasons cited in the article.


Me too, because I don't have a FB account. I actively avoid one. I'm being excluded from marketing campaigns, contests, and give-aways because I don't trust FB with my privacy.


I have a pseudonymous Facebook account with no one friended and no personally identifying information that I keep around basically just for using services that expect me to have a Facebook account.


You should probably be running something like Ghostery as well.


Run it in a private browsing window as well, with session-only cookies.


I have FB blocked on my research computer from 9AM - 5PM. If I come across a site like this during the day, then I can't sign up or log in, so I usually head away quickly.


That's a shame. I really think IT ops should learn to trust their employees and only when that is broken, managers should decide how and when it is appropriate to block such sites.


He said he blocks it, not the IT ops.


He actually said that he had it blocked - that could easily be read to mean that he blocked it or someone else blocked it.


Ditto. Sure, a lot of people prefer the convenience of being able to log in without creating another account and password, and will just click okay without looking at how many privileges the app is asking for; so having a FB (and Twitter and Google and ...) login option can streamline things for them. But when that's the only option you're going to lose a big chunk of your potential users right off the bat.


Has anyone run some A/B tests and gotten stats on how different subscription rates are with multiple log in options? I'm curious as to exactly how much it matters.


gtrot.com started with Facebook-Connect login only. We didn't allow any access into the site unless you created account. The primary reason for this was that we used Facebook data to show you where your friends lived, where they've been and allowed you to connect with them on gtrot (through Facebook) so there was no "empty room" feeling when you started.

With our latest updates in November, we allowed a 'generic view' --- a user can search what's happening in a city without logging in. We've put in educational messaging and explain why the Facebook connect is important to being able to personalize results. Based on what you like, what your friends like, where you've been, where they've been etc. The data is core to the experience, but some people still don't want to give access to Facebook. We did, however, see our bounce rate cut in half when we provided a generic view. Customers were spending more time on the site (upward of 5 minutes) and even returning to use the site without the account.

I think the key is giving clarity, but this is a topic we've gone back and forth on as we don't think we can deliver on our promise of 'personalized advice in any city' without having the Facebook basis. We'll be changing this over time but for now, it's generic or Facebook account.


I love gtrot. My last trip to vegas was planned around it. While I agree that facebook is the fastest way to get to "personal" I think an option to create your own version of "personal" by ranking the suggested activities of other users who share similar tastes would be equally effective.


Thanks for the feedback! Do you think just having a email login or a fb login would be enough?


Why not let users use a fake Facebook account until they're convinced your site is good?


That's an interesting idea. Kind of like a ghost account? Or what if you logged in with email only and then auto-followed the founder/popular members so you still get rich, person-centric advice?


Would a Google (OAuth) login in addition to Facebook Connect solve the problem for most users, OR is it necessary to also have an option to register an account?


And I live in China and don't have a proxy. At least let me use Google or Yahoo or something.


Here's my empirical stance: I've seen great conversion rates on that screenshot, and I've never seen a compelling example of bumping conversion rates through adding a username/password option.

Conversely, at the last place I worked, offering both options was the #1 cause of customer support requests. People sign up through both paths, then ask why everything is fucked. We ended up dedicating a lot of resources to a crystal-clear UX to avoid this problem.

Finally, when someone signs up through Facebook, you're often able to offer them a better product, because people empirically respond really well to their friends' faces, and everything else that comes with fb. Facebook permissions also promote your business goals like woah.

I'm open to more information, but this article doesn't have any. "Giving users only one way to sign in and FB as the only option is going to turn off a large number of users"? I've reread that sentence several times and I can confidently state there are no numbers in it.


I wonder if browserid[1] is a better alternative. It doesn't require a Facebook account or anything like that and is actually surprisingly easy to use (from the user's point of view). I only tried the demo, but it was basically frictionless.

[1]: https://browserid.org/about

I haven't evaluated it completely, but it seems like the best option right now.


This looks nice but it does seem like it's an extra step for users to go through unless they are using this service.

Have you seen janrain? http://www.janrain.com/


Really like that idea. Would love to see more sites implement it.


From user perspective having several sign-in options is a source of confusion: first day I sign in with Facebook... next day I come in and don't remember which service I've used to sign in with? And this time I try Twitter only to see none of my data.

How do you guys solve that problem? I think, this might be even the bigger problem than having 20% or 30% "drop out" on sign up process.


You'll probably see that you don't have an account registered with the website through Twitter, not "none of my data". As a user, if you like FB more, you'll likely try FB login first. If you like Twitter more, you'll likely try Twitter login first (if available).


Isn't the obvious 80% solution a separate cookie that just says "this browser last logged in using service X" that the server can use to give UI cues?


With single device - you're right... but this becomes really a problem when you expect your customers to use multiple devices: computers at home, at work, smartphone, iPad...

How would you suggest to your customer which login to use the first time she tries to sign in on another device?


Ask for username/email, then key off that. 80% solved.


Would that be my personal email account, my gmail account, my other gmail account, my university/alumni address, my work email or the other work email?


The Facebook connect image is somewhat misleading. Sure, using FB connect can involve a screen like that, but you can also present a simple screen that only asks to "Access my basic information". Not nearly as confusing, doesn't raise questions about surreptitious posting. You can ask your customer for more access later, after you've earned trust in your relationship.

Further, some customer bases are perfectly happy using FB connect only. If you object to logging in with Facebook, maybe you're just realizing that you're not the target market for the product. No harm, no foul. If you end up offering lots of log-in options and your customer base only really wants FB, you waste development time and actually run the risk of confusing your customers.


Facebook Connect shouldn't be your only sign-in option because some people don't have and/or don't want to have a Facebook account. Simple as that.


Some people are almost certainly not your revenue-generating customer for your ad-supported social app. People who avoid advertising and social networking are those people.

Mathematica offers a non-Facebook sign in. So does Safeway.


While I agree with the point that FB Connect should not be the only option, I don't see promoting password-based authentication as beneficial here. Implementing a traditional user&pass auth. scheme:

1) Is really hard to get right from the security standpoint ( https://www.owasp.org/index.php/Authentication_Cheat_Sheet )

2) Actually requires quite significant work. It might be easy to add short sign-up and login forms to a site, but I doubt that implementing any external authentication mechanism would be really that much more work. However, with password auth. the work doesn't end here. We typically need password reset/recovery and password change. The latter usually entails some kind of profile/settings page, while the former might require at least a dedicated login page.

In general, external authentication providers are good, as long as we don't limit ourselves to a single one. Adding Twitter / Google / BrowserID / Open ID / etc. is not that much more work, as the whole flow can be somewhat generalized. Having multiple authentication options also makes us prepared (from implementation PoV) for eventual support of user&pass auth., should we need it in the future.
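
The generalized flow this comment describes, and the "ask for the email, then key off that" fix for the which-login-did-I-use problem raised further up the thread, both come down to one data model: every sign-in method is an identity row attached to a local user. The following is an added example, not code from any commenter or project; provider names, the callback data and the cookie name are constructed, and the `verified_email` argument assumes the provider callback has already been validated.

```python
"""Account model that treats every sign-in method as one identity attached to a
local user. Added example, not code from the thread; provider names, callback
data and the cookie name are constructed/hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

KNOWN_PROVIDERS = ("facebook", "twitter", "google", "browserid", "password")


@dataclass
class User:
    id: int
    email: Optional[str]
    has_password: bool = False


class AccountStore:
    """In-memory stand-in for the users/identities tables."""

    def __init__(self) -> None:
        self.users: Dict[int, User] = {}
        self.identities: Dict[Tuple[str, str], int] = {}  # (provider, uid) -> user id
        self.by_email: Dict[str, int] = {}
        self._next_id = 1

    def _create_user(self, email: Optional[str]) -> int:
        uid = self._next_id
        self._next_id += 1
        self.users[uid] = User(uid, email)
        if email:
            self.by_email[email.lower()] = uid
        return uid

    def login_with_provider(self, provider: str, provider_uid: str,
                            verified_email: Optional[str]) -> Tuple[int, str]:
        """Called after the provider callback has been validated.
        verified_email must be None unless the provider itself verified it."""
        if provider not in KNOWN_PROVIDERS or provider == "password":
            raise ValueError("unknown provider")
        key = (provider, provider_uid)
        if key in self.identities:
            return self.identities[key], "existing"
        # Auto-link only on a provider-verified address: linking on an
        # unverified one would let anyone who registers the victim's address
        # at some provider inherit the victim's local account.
        if verified_email is not None:
            uid = self.by_email.get(verified_email.lower())
            if uid is not None:
                self.identities[key] = uid
                return uid, "linked"
        uid = self._create_user(verified_email)
        self.identities[key] = uid
        return uid, "created"

    def sign_in_methods(self, email: str) -> List[str]:
        """What a 'which login did I use?' prompt can show after the user
        types an address. Trade-off: this discloses that the address has an
        account, which is fine for most sites but not for sensitive ones."""
        uid = self.by_email.get(email.lower())
        if uid is None:
            return []
        methods = [p for (p, _), u in self.identities.items() if u == uid]
        if self.users[uid].has_password:
            methods.append("password")
        return sorted(methods)


def last_provider_cookie(provider: str, max_age: int = 365 * 24 * 3600) -> str:
    """Set-Cookie value remembering the last provider used on this browser.
    It carries no secret, so it can be long-lived; Secure/HttpOnly/SameSite
    keep it from being planted cross-site or sent in clear."""
    if provider not in KNOWN_PROVIDERS:
        raise ValueError("refusing to reflect an unknown value into a cookie")
    return (f"last_login={provider}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")
```

The one rule worth remembering from this block is the `verified_email is not None` guard: automatic linking on an address the provider has not verified is the classic way a second sign-in option turns into an account takeover.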


Someone please tell this to Spotify. It's a little infuriating that for the last three months or so you may not be a member of their service unless you have an active Facebook account.


You think Spotify is going to cancel their sweetheart deal with Facebook because some random blogger said Facebook-only logins are bad?

Of course, I would love to see some actual numbers on whether it was worth it for Spotify (I suspect it was), but my point is that's a bit of a special case.


For my service at eatdifferent.com, I've offered both Facebook signup and email-password signup since starting the site, and I put a bigger emphasis on Facebook on the signup screen. Even with that, about 25% of my users use Facebook, and the rest go for email/password. I also sometimes unite an FB and email account so they can use either.

I think there's a danger in giving users too many options, because it's easy for a user to forget which one they used, but there's also a danger in only offering a 3rd party sign-in, as some users just won't be up for it. For me, FB + email is the happy medium.

But yes, there's a lot of little things to implement when you have your own user auth system. I'm using Flask, a microframework that doesn't have a user system built in, so I've had to code basic things like reset-password and change-password from scratch. Worth it, though.


Hi, just thought you'd be interested in hearing about my experience with eatdifferent.com. Please disregard this if it's unwelcome (sorry!) ... I figured website owners enjoy hearing first impressions, but this is kind of awkward. But on the off chance that it's useful:

Homepage: interesting concept. I like the clean design and the gigantic "start" button + "take a tour" option.

Next page: A little annoyed that I have to basically squint to see the alternative to Facebook signin. No, I don't want to join your social network.

Signup page: I'll admit, the number of fields to fill out gave me pause. I almost exited out. But I'll grudgingly give it a shot. (Specifically: you don't need my last name, it makes me feel like you want to sell my info. You don't need my location. You don't need my birthday, and the years starting with "1900, 1901, ..." makes me feel like you want to sell my info. You don't need my photo -- if I like your site, maybe I'll give one. But we just met. The lack of a "confirm password" box makes me slow down and carefully type my password, and makes me feel like closing the website. This is all happening in the span of about 3 seconds.)

Next page: Perfect; absolutely perfect. The defaults are spot-on, and the optional infotext (question mark buttons) is nice.

Next page: Hmm.... Reminders? I don't really want annoying reminders yet; I just want to see what your site is like. The lack of a 'skip this' button would make me close the site.

Next page: You want me to spam my friends. No... thanks.

Next page: We're at step 5. It's now gone from cute to annoying. No, I don't want to share my food logs with the world.

Done with the signup. Then you show me http://screencast.com/t/NXMzgOjjR50q ... it's not really clear what I should be doing next, or how it will benefit me. I think there's probably just too much raw text. Separately, each element is good -- "Prep your pantry", for example. And I like handy guides. But the sheer number of things I could be doing next makes me close the page and hope you don't spam me too much.

Apologies if this wasn't useful. I assume website owners like honest feedback, and understand that my viewpoint != the average person's. I have no idea whether your site is good or bad; I was just broadcasting my raw thoughtstream as I went. For example it might be a bad idea to cut the "invite friends" step, even if I am personally annoyed with it -- maybe it's valuable in practice. I don't know.

Best of luck to you!


Just responded via email, thanks for the feedback!


Twitter vs. Facebook as the only options. It's as if OpenID never existed. Which, sadly, may be nearly true.


Outside the world of programmers and StackOverflow, I can't think of a single site. Kudos to them for at least trying to solve this problem tho.


Stack Overflow lets me log in with OpenID.


We made our iPhone app FB Connect only, and only 50% of users who downloaded the app actually signed in. To make things worse, we got a ton of one-star reviews in the app store from people who were really angry about the FB sign-in. Another bad part was that on mobile, FB sign-in doesn't work as well, so a bunch of users who did click to sign in didn't get through the process because of an FB bug. So unless you're ready to lose 50% of your users, consider other sign-in options.


The services that use Facebook always annoy me with sharing requests; I don't want to share anything, stop asking. When somebody uses Facebook Connect only, I expect this in advance and often don't want to use the service at all.

With Google Login I never get those.


Another reason: yesterday's poll on who has and does not have a Facebook account showed that 38% of people here do not.

http://news.ycombinator.com/item?id=3542976


Obvious addendum to that: HN is a very different community from those that most of these startups might target.


I don't, my parents, grandparents, aunts and uncles don't, my best friend doesn't, several of my favorite past and present colleagues don't. There are times I really wonder where Facebook's massive userbase comes from, and how it can ever possibly occur to anyone, anywhere, under any circumstances, to make Facebook the sole login system for their web startup that otherwise has little or nothing to do with Facebook.


Given that there are ~ 300M Americans and Facebook has ~850M users, my guess is that most of their userbase is overseas (and oftentimes falling prey to the whole "Americans use it, so I should also be using it" mentality)


> (and oftentimes falling prey to the whole "americans use it, so I should also be using it" mentality)

That's a pretty low opinion of foreigners; in practice I think they take which bits of American culture they like, adapt it if necessary and ignore the rest. I would guess most of FB's non-USA users use it for the same reason USA users do: it's good at what it does, and all their friends use it.


I suspect there are a lot of throw-away lurker accounts created merely to sign into something that needed a Facebook sign-in (typically a Google result). I've created a few of those myself. I do not have a "real" Facebook account, and I have no plans to create one.


Plus lots of Facebook games encourage you to spam your friends daily for rewards. I know there are people who want the rewards but don't want to spam their friends: I'd love to know how many Facebook accounts are created simply as dummy accounts to send spam to.


For a long time Facebook wasn't available overseas. Facebook started with only US colleges, then high schools. It only opened up to people outside the US about 3 years ago I think, so I would assume a large percentage of its user base is American.


This is as insightful a theory as saying Facebook launched 7 years ago and now it has 850 million users, so on its first year at Harvard it must have gained 121.4 million users.


False, Facebook was getting popular in my uni in the UK back in 2003.


Impressive, since it didn't exist then.


Good point :-) Getting confused about years, sorry.


Most of their userbase is alt accounts. I have at least three myself.


The article has many valid points, but the Topsy example is simply poor execution on their part to request so many extended permissions as part of the initial login authorization dialog.

Any Facebook authorization dialog that asks for all of those permissions in the Topsy example is doing it wrong. It is not like you need to ask for all of those permissions up front. Offline access and publish stream is a very dangerous combination and should only be requested when a user is turning on a feature within the app that requires them. Let the user in with the bare minimum of permissions (user_about_me), build their trust, and then only ask for more permissions as and when they are needed.

Plus when you cancel out of the Facebook authorization dialog on Topsy, you get a 500 error response. Topsy fail on multiple levels.
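
The least-privilege pattern this comment recommends (log in with `user_about_me`, request `publish_stream` or `offline_access` only when the user enables the feature that needs them) is easy to enforce mechanically. Below is an added example, not Topsy's or Facebook's code: the feature-to-permission map is constructed, and the dialog URL follows the client-side OAuth form Facebook documented at the time (`https://www.facebook.com/dialog/oauth` with `client_id`, `redirect_uri`, `scope`, `state`), which you should treat as an assumption to check against the current docs.

```python
"""Least-privilege scope policy for a Facebook login dialog. Added example, not
Topsy's or Facebook's code; the feature map is constructed and the dialog URL
shape is an assumption based on the 2012-era client-side flow."""
import hmac
import secrets
from typing import Dict, FrozenSet, Iterable, List, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

LOGIN_SCOPES: FrozenSet[str] = frozenset({"user_about_me"})
FEATURE_SCOPES: Dict[str, FrozenSet[str]] = {
    "share_activity": frozenset({"publish_stream"}),
    "background_sync": frozenset({"offline_access"}),
}
# Together these let an app post as the user indefinitely, while they are away.
HIGH_RISK_PAIR = frozenset({"offline_access", "publish_stream"})


def audit_login_scopes(requested: Iterable[str]) -> Tuple[List[str], bool]:
    """Return (scopes beyond the login minimum, whether the high-risk pair is
    requested together). Either non-empty result is the Topsy pattern."""
    req = set(requested)
    return sorted(req - LOGIN_SCOPES), HIGH_RISK_PAIR <= req


def scopes_to_request(feature: str, granted: Iterable[str]) -> FrozenSet[str]:
    """Incremental auth: when the user turns on a feature, ask only for what
    that feature needs and the user has not already granted."""
    return frozenset(FEATURE_SCOPES[feature] - set(granted))


def build_dialog_url(app_id: str, redirect_uri: str,
                     scopes: Iterable[str]) -> Tuple[str, str]:
    """Return (url, state). Store the state in the server-side session and
    compare it on the callback; that check is what stops login CSRF."""
    state = secrets.token_urlsafe(24)
    query = urlencode({"client_id": app_id, "redirect_uri": redirect_uri,
                       "scope": ",".join(sorted(scopes)), "state": state})
    return "https://www.facebook.com/dialog/oauth?" + query, state


def parse_dialog_url(url: str) -> Dict[str, str]:
    """Single-valued view of the dialog query string (used to inspect what
    we are about to ask for)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def verify_callback_state(expected: str, received: str) -> bool:
    return hmac.compare_digest(expected.encode(), received.encode())


def login_dialog(app_id: str, redirect_uri: str) -> Tuple[str, str]:
    """The only entry point for first login: hard-wired to the minimum scope."""
    excess, risky = audit_login_scopes(LOGIN_SCOPES)
    assert not excess and not risky  # policy self-check
    return build_dialog_url(app_id, redirect_uri, LOGIN_SCOPES)
```

Wire `audit_login_scopes` into a unit test over every dialog URL the code base builds and the "everything up front" regression the comment describes cannot ship unnoticed.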


Facebook is AOL all over again. They are creating a generation of users who will resist moving to a different platform, and a cadre of products that will either find their fates hitched to those of Facebook or dependent on an expensive (in terms of money and users) move away from Facebook at some point in the future.

Personally, I like the Joel test for abstraction/outsourcing. Identify your core competency, then go one layer below it in the stack. That's how deep you should go in-house. I think for many sites/apps, user accounts fall within this realm. That doesn't mean you can't interoperate, but don't be solely dependent on FB.


I never put a FB Connect button, but some people complain because they are used to logging in with one. It's a pain because it's another platform you have to support if you're a developer.

What happened to the days when you just had to implement a simple website for 1 browser, without having to worry about multiple browsers, supporting iPhone, iPad, Android, and enabling Facebook/Twitter/OpenID logins, and finding friends through facebook/twitter/gmail?

New technologies for consumers are great, but for producers who rather create the next Facebook instead of using it, they can be a hassle to support.


There was never a day when you didn't have to worry about supporting multiple browsers.


When IE was 95% market share?


This is actually a reasonable answer, having been around at that time. At one point, if it worked on IE it went out the door.

Actually I know that "one point". It was when Mozilla completely destroyed their browser platform with the horribly broken Netscape 4. Everybody stopped using it immediately.

Back then it was like "does it work on ie" and maybe "should we build an AOL presence?".

AOL then = Facebook today.

You're welcome, young people.


if it worked on IE it went out the door

How many of those companies are still in business, relative to their competitors who chose instead to bet on cross-platform standards in the long term?


If you were developing back then, you know there was a conscious choice between using REALLY Microsoft-specific stuff like .htc modules, and just not worrying if your layout was perfect in Netscape 3. It was easy to not care for a while there.

If you're developing now, you know how much time you save just not worrying about layout in dying browsers.


They had to worry about IE initially.. then when they made it big, they had the money/time/resources to focus on branching out. Today, to make it big you have to worry about a lot more platforms.. and that's only to get started. Sux!


What happened to the days when you just had to implement a simple website for 1 browser, without having to worry about multiple browsers, supporting iPhone, iPad, Android, and enabling Facebook/Twitter/OpenID logins, and finding friends through facebook/twitter/gmail?

Do you really yearn for those days? Think about what you can build now vs. what you could build then.


I could build the next Mint w/o people saying "How is that different from Mint?". I could build Twitter w/o people saying That's like Twitter! I could build the next Match.com w/o people saying "But everyone's in Match.com!"


How is that beneficial for anything other than your ego?

Last time I checked, if there was no internet in the year 2012 you could invent that too. I don't really see it existing as a hindrance to your potential creativity though.


Hindrance or not, it adds an extra layer of friction in the quest of getting users, getting PR, getting attention, etc since people have been used to seeing most things already. And it's not about creativity, it's about making something to get rich first.


This post reminded me to look for open source code to handle multi-logins, I'm currently in the planning stage of a project. These seem quite comprehensive. Is there any reason why I would be better off rolling my own code?

http://www.omniauth.org (Ruby/Rack)

https://github.com/bnoguchi/everyauth (node.js)

https://github.com/ciaranj/connect-auth (node.js)


If you actually need to use the user's Facebook information I suggest you use Koala and the JS login flow, otherwise omniauth is a good solution.

On the node.js side - just look at everyauth and connect-auth examples - they didn't even work on my computer! There's another lesser known library called passport.js that does the job very well: http://passportjs.org/


Also, please don't make Twitter your only sign-in option. I've come across lots of programmer-oriented startups that I'd like to sign up for, only to find that I require a Twitter account. Well guess what guys, not every competent programmer is on Twitter, or wants to be. PLEASE just let me create an account on your system without assuming everybody on the planet uses Twitter. (Or FB.)


The reason people pick Facebook only is because they think that losing users that don't use Facebook is better than having to implement your own account system.

Authorization and account management is really easy to screw up. If you leave it to Facebook, you'll save a lot of time. The only question is whether or not it's worth it.


I'm gone if I visit your site.

Or, if I'm not, I've polluted your user database with one of my throw-away Facebook accounts just so I could see what was behind that search result that caught my eye.

userid, password. What part of that do you not understand?


Surely there's a way to avoid implementing your own account system that doesn't drag in the massive unrelated architecture of a Facebook, Google, or Twitter. You don't even need SSO like OpenID.

Is there a company that just sells a no-frills user enrollment and login service and also provides strict isolation between sites? (I.e., they resist the temptation to leverage their aggregate user base.)


Mozilla wants to do it for free with BrowserID[1].

[1] https://browserid.org/


Wouldn't that pretty much describe any open id provider?


Well, when I look at http://openid.net/get-an-openid/ I see Google, Yahoo, LiveJournal, Hayes, Blogger, Flickr, Orange, Mixi, MySpace, Wordpress, AOL...

There are six 'simple' providers listed. Spot checking: One of them has broken SSL (https://www.myopenid.com/signup sources https://api-secure.recaptcha.net which has an invalid certificate). One of them looks completely broken for new accounts: http://claimid.com/register "This account is hidden or does not exist."

And of course there's this: http://www.untrusted.ca/cache/openid.html which describes various security and privacy problems with OpenID.


I am managing a portal which offers the possibility to use FB Connect (in addition to our own login) and since you get no SLA from Facebook for their APIs, I can only warn everyone against using FB-only login. The FB API can be randomly buggy for some hours without the possibility to get your users online.


While I agree that FB Connect as the only login option is a bad idea, I also don't think that the average user even reads the permissions dialog. We've run a few A/B tests in the past of asking for different permissions- there will be a decline when asking for more, but not a significant one.


I see Facebook Connect as a tool in the signup arsenal. Using it can accelerate a user's signup process, but it should still initiate a procedure for creating a user in your own database. The user can then add Twitter and/or OpenID (you do support them, right?) and sign in how they see fit.

However, there is a security concern. Abusing other people's Facebook/Twitter accounts is quite common (frape for want of a better word). People do not sign out of Facebook (I don't), so blindly allowing access to sensitive data like this could be an issue. How about quickly asking for their password? Very few will be offended, and those that are should be cut down to size with an explanation of how security conscious you are.
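
The "quickly ask for their password" idea is a step-up re-authentication gate: a session that came in through a third-party login proves only that the browser held that provider's cookie, which is exactly what a borrowed, still-logged-in laptop provides. Here is an added example of such a gate, not the commenter's code; the session object and the `verify` callback are constructed stand-ins for the app's own session store and password check. One caveat the comment skips: a user who only ever signed in via a provider has no local password to enter, so either prompt them to set one before exposing sensitive data or re-run the provider's own re-authentication flow if it offers one.

```python
"""Step-up re-authentication before sensitive data is shown. Added example;
Session and the verify() callback are constructed stand-ins."""
from dataclasses import dataclass
from typing import Callable, Optional

REAUTH_MAX_AGE = 5 * 60      # seconds a password proof stays fresh
MAX_FAILED_REAUTHS = 5       # after this, the session must be re-established


@dataclass
class Session:
    user_id: int
    signed_in_via: str                            # "facebook", "twitter", "password", ...
    last_password_proof: Optional[float] = None   # epoch seconds; None = never
    failed_reauths: int = 0
    locked: bool = False


def needs_reauth(session: Session, now: float) -> bool:
    """Require our own recent proof regardless of how the session started;
    a provider login alone never counts."""
    if session.locked or session.last_password_proof is None:
        return True
    return now - session.last_password_proof > REAUTH_MAX_AGE


def reauthenticate(session: Session, password: str, now: float,
                   verify: Callable[[int, str], bool]) -> bool:
    """verify(user_id, password) must be the app's constant-time hash check.
    Failures are counted per session so the prompt cannot be used to guess
    the password at leisure on a borrowed browser."""
    if session.locked:
        return False
    if verify(session.user_id, password):
        session.last_password_proof = now
        session.failed_reauths = 0
        return True
    session.failed_reauths += 1
    if session.failed_reauths >= MAX_FAILED_REAUTHS:
        session.locked = True   # caller should terminate the session
    return False


def view_sensitive(session: Session, now: float,
                   fetch: Callable[[int], dict]) -> dict:
    """Gate for any endpoint that returns private data."""
    if needs_reauth(session, now):
        return {"status": "reauth_required"}
    return {"status": "ok", "data": fetch(session.user_id)}
```

Tie `REAUTH_MAX_AGE` to the sensitivity of the data: a few minutes for account settings and export, effectively zero (prompt every time) for anything like payment details.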


We're testing having only Facebook login in our iPhone app, iQila (www.iqila.com) and the number of logins fell about 80-90%!

Now we are going back to FB + Twitter + native but making our lazy login even lazier, and I believe that has the most bang for the buck.


I think it depends on the app, if it's something that's basically an extension of a social network then it makes sense to sign in with that.

Sometimes though I might want to use an app for work purposes that I don't want in any way linked to my normal persona.

Or I may want to use something which I know will in no way interest any of my friends and I don't want it posting anything for me.

Really, if I can't take the time to create a username/password for a site then I probably wasn't that interested in using it.


As much as I love Khan Academy, I hate that they only offer Facebook and Google as sign-in options. I try to avoid both of them as much as possible.


Would you prefer Twitter or something else? Or do you want a site-specific sign-in?


Site specific signup, any day, with long lived cookie remember me. Way too many companies view my FB credentials as a way to market themselves to my friends rather than as a convenience to me.


+1 Personally I find the whole idea of relying on a third party site for sign-in a bit odd. Let it be Twitter, Google, Facebook or anything else... there will always be people who don't have an account for that specific site, don't want one, or don't want to let the site's owner know what their name on that third party site is. Another problem: aren't Google and Facebook blocked in some countries like China? Again, the whole idea doesn't work out in my opinion.


You should almost certainly use Facebook Connect as your only signup option - all the data I've been privy to shows that the improvements in engagement more than make up for lost signups.

I'll put you on my list of "people I will never do business with on principle", but if I'm your target market then you've got much bigger problems than that.


I wonder (and I'm speculating, because I haven't seen the data you refer to) whether there's a bit of selection bias here: the people who are likely to log in via Facebook are already more likely to 'engage' (if I were being rude, I'd say 'click on any old crap and spam their friends) than those who aren't, so it's only a proportional increase in engagement, not an absolute one.


Totally agree. The ease of use and security implications are certainly important, but how users perceive their privacy is essential to usability (shameless plug: http://nicelycoded.blogspot.com/2012/01/signing-in-with-face...)


Another good reason is that you are closing the door to a 1.3 billion people market (China).


Besides the confusing modal, you should not do it, because of what moot has put nicely:

“Google and Facebook would have you believe that you’re a mirror, but in fact, we’re more like diamonds.”

Give them the choice if they want to create a new ID for your service or not.


We have another reason right now: http://news.ycombinator.com/item?id=3550163

When it goes down, you are screwed.


My current weekend effort needs the user birthday, I'd rather delegate that to FB -- I do not know any other identity authority that does that (even if flawed).


We let our users create accounts on our system or use facebook. 80% choose to create an account on our system instead of using facebook (This is an iOS app).


Is there a bugmenot for facebook (a slew of anonymous accounts that can be used to get past these types of walls)?


Another reason, no oversight in FB.

http://venturebeat.com/2012/02/01/zuck-power-play/


This is the problem with centralization.


What is this strikethrough?


I will never use such a site.

I haven't got an account and I certainly have no intention of getting one ever.

Why would anyone design a site to use an FB only sign-in? Jeez ...


Thoughts on Twitter only sign-in compared to FB? More likely to use?


Unless your product is something that builds on Twitter's platform, I wouldn't recommend it. It means your users don't have a choice about how they're authenticated to your site, and

A) Failwhale, anyone?

B) Twitter doesn't provide serious options for protecting their users' login credentials. It's the same username/password combo which is easily phished & replayable.

Sadly, I've pretty much given up on the hope that we'll have a healthy ecosystem of OpenID providers, but at least Google's login system does offer some two-factor options.


From a dev's point of view I really feel that OpenID/OAuth is absolutely not worth the headache.

I'd rather just go the hacker news model. Choose a strong password and if you forget it, we send a new one to your email address.

Works fine, offloads a lot of security issues to email providers (who tend to be good at it), easy to code.


I'd rather just go the hacker news model.

I use Hacker News with OpenID ;)


I like the same model. (send password change token to email). BrowserID from Mozilla may help here too.
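
The "Hacker News model" from the two comments above, and the password reset/recovery plumbing the earlier comment lists as the hidden cost of password auth, share one mechanism: an emailed, short-lived, single-use token. The following is an added example (not Hacker News', Mozilla's or any commenter's code) that does the token variant rather than mailing a fresh password, since a token can be expired and revoked whereas a mailed password lives in the inbox forever. The user store, the outbox and the sample credentials are constructed stand-ins.

```python
"""Email-token password reset with a PBKDF2 password store. Added example;
users, outbox and timestamps are constructed stand-ins for a real app's
database, mailer and clock."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERS = 100_000
TOKEN_TTL = 15 * 60   # seconds a reset link stays valid
NEUTRAL_REPLY = "If that address is registered, a reset link has been sent."


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, cand = hash_password(password, salt)
    return hmac.compare_digest(cand, digest)


class ResetService:
    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}     # email -> (salt, hash)
        self.pending: Dict[bytes, Tuple[str, float]] = {}  # sha256(token) -> (email, expiry)
        self.outbox: List[Tuple[str, str]] = []             # (email, token) "sent" mails

    def register(self, email: str, password: str) -> None:
        self.users[email.lower()] = hash_password(password)

    def login(self, email: str, password: str) -> bool:
        rec = self.users.get(email.lower())
        if rec is None:
            # Run the KDF anyway so an unknown address costs the same time
            # as a wrong password (no enumeration via response timing).
            hash_password(password, b"\x00" * 16)
            return False
        return verify_password(password, *rec)

    def request_reset(self, email: str, now: float) -> str:
        """Same reply whether or not the address exists. Only a hash of the
        token is stored, so a database read does not yield usable links."""
        email = email.lower()
        if email in self.users:
            token = secrets.token_urlsafe(32)
            self.pending[hashlib.sha256(token.encode()).digest()] = (email, now + TOKEN_TTL)
            self.outbox.append((email, token))   # stands in for the mailer
        return NEUTRAL_REPLY

    def redeem(self, token: str, new_password: str, now: float) -> bool:
        """Single use: the entry is consumed before the expiry check, so an
        expired link cannot be retried later either."""
        entry = self.pending.pop(hashlib.sha256(token.encode()).digest(), None)
        if entry is None:
            return False
        email, expiry = entry
        if now > expiry:
            return False
        # A successful reset revokes every other outstanding link for the account.
        self.pending = {k: v for k, v in self.pending.items() if v[0] != email}
        self.users[email] = hash_password(new_password)
        return True
```

As the comment notes, this offloads the hard part (proving control of the mailbox) to the email provider; what stays with you is the token hygiene above plus rate-limiting `request_reset` so it cannot be used to flood someone's inbox.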


For me, neither. I've got no interest in linking my identity in one online service to my identity in a totally unrelated one.

I've just signed up for a free trial to Netflix and they seem to be determined to force you to link its account to your Facebook one (you can avoid it by signing out of FB before going on the Netflix site, but even if you do that it then attempts to link the two together in the background next time you go on the Netflix page). But I don't want my FB page filling up with a list of things that I've watched. Partly because I may sometimes want to watch something I don't want to broadcast to the entire world, but mostly because I doubt that most of my friends have the slightest interest in keeping track of my everyday viewing habits.



