Social Login Buttons Aren’t Worth It

213 points by ryanfitz over 12 years ago

35 comments

mnicole over 12 years ago
Interesting, but MailChimp didn't start with these social media login options, did they? So the low percentage of people using those to sign in probably means that most of those people registered after they were in place?

Also, regarding the CEO's email and the confusion of so many options on the homepage, that's merely a design issue. Those buttons don't need to take up so much room or be so bold. They could simply be links with tiny corresponding icons underneath the default login form. Taking those options away would be a detriment to both current users of those methods and future users who prefer the quick registration process it provides.

The argument thereafter that these logins could easily dissipate and are therefore unreliable is solved the same way SoundCloud does it; allow the user to set a username and password separate from their social networking account in their settings. The only problem with the SoundCloud method, at least at the time I did it, was that in order for it to activate, you had to reset your password. As far as the security point is concerned, that's a risk the user takes and another benefit to having both site-specific credentials and the social media tie-in.

robomartin over 12 years ago
There's another element of this that, to this day, I don't fully understand: Companies subverting their brands and actually promoting Facebook.

What do I mean by this? The other day we were watching TV and a Charmin ad comes in. At the end of the ad they actually say "go to facebook.com/charmin"

What? They have a perfectly good and highly recognizable brand. And, they happen to have a great URL: charmin.com. Why send traffic to Facebook and diminish or even completely fail to promote your own brand?

OK, the other question might be: Who is visiting a Facebook page for toilet paper? The point is that I've seen this many, many times from all kinds of companies.

Maybe someone can explain? Maybe this is just sheep following sheep off the cliff?

codinghorror over 12 years ago
The way I read this, it's about the CEO overriding the decision based on aesthetic reasons.

Personally I'd much rather log in with Google in this case, which means there would need to be three buttons: Twitter, Facebook, and Google. I'm sympathetic to the "nascar-ization" argument, but I also believe your customers are smart enough to process at least as many options as there are in their wallet for providing identity.

Perhaps the best solution is even more minimal: no login options at all! Let the browser auto-generate credentials and a unique password on your behalf, then automatically use that to log you in every time it sees that website.

http://www.codinghorror.com/blog/2011/09/cutting-the-gordian-knot-of-web-identity.html

matthewowen over 12 years ago
I think the bigger point has nothing to do with social buttons or login UX.

Test your changes independently, and make incremental changes.

They thought social buttons improved login success. They didn't. An unconnected copy change improved login success. If you test these things independently, you'll get much better insight into what makes a difference.

lifeisstillgood over 12 years ago
All the comments below (ha I hope!) are arguing for Mozilla Persona

* I want to use email as username
* limit the number of possible ways to login (no NASCAR)
* I want to keep personal and business logins separate
* don't slap competitor logos all over my pages (CEO quite right there)

This however all begs the question how do I move accounts to a new login?

Few sites (stackoverflow is a shining exception) allow you to associate more than one login with one account. And fewer give different settings by login (admin, power user etc)

We have been lulled by oauth and openid into thinking we have just to authenticate me, rather than authorise a role - and few sites have concepts of anything other than one role == one set of privileges == one login.

There is a reckoning coming - it is when these sites need to provide fine grained control, as businesses run on them full time, we shall discover why ACLs exist, and what chmod is for. It's going to be painful. But then it's better for mailchimp to take the pain in a couple of years than not be there at all

Now go install persona. And allow me to associate more than one login with one account

mkjones over 12 years ago
So I like a lot of the analysis in this article, but couldn't help taking issue with some of it. Here are some thoughts that came to mind. Worth noting that I work on security / spam fighting at Facebook, but these are solely my personal opinions.

"Social login buttons put security in someone else’s hands" You're damn right they do! I argue that in 99.9% of cases that's a great thing, for 3 reasons:

1. Facebook invests significant resources in both keeping bad guys out (we have been able to dramatically reduce large-scale phishing with a number of updates to our login security systems) and ensuring everyone else can get into their accounts easily. I can only speak for us, but I assume Twitter spends a lot of time on this as well. I imagine it'd be tough for a startup to keep up with the 10-20 people we have working on this problem at any given time.

2. It's incredibly difficult to build a password system that is both easy to use and secure. There's an almost endless ever changing list to make sure you're hashing and salting properly, don't have SQL injection flaws, implement robust rate-limiting without allowing DoS, etc. We've all seen many people screw it up in recent years. One of the largest benefits of Facebook Connect for startups is the ability to leverage our investment in these systems, without having to invest the significant time we have spent iterating on them.

3. We've spent a lot of time working on every aspect of login, so that startups don't have to. Your job is to build whatever technology differentiates you from your competitors, and make it worlds better than theirs. Any time you spend pfutzing with password hashing, building a better password recovery flow, or arguing about how to fail when people type in the wrong password is time you could better spend making a truly wonderful product. Unless you're trying to build a startup that helps people login, any time spent on this is better spent elsewhere.

cowboyhero over 12 years ago
I think he buried the lede: Social login buttons can hurt brands.

This'll date me, but I'm still amazed that so many companies eagerly slap other companies' logos on everything they do. Even if it's just a blog post.

This page is a case in point: Facebook's brand appears four times. Twitter's appears a dozen times (more because of the comments). Mailchimp? Just once.

stephengillie over 12 years ago
Social login is a shadow issue here - like a sheet over a chair, the little buttons are obscuring a larger issue:

*Mailchimp found that clarifying login error messages reduced login failures by 66%!!*

The rest of the story is a coincidental tale about the CEO trying to pull a "Jobs" by thinking he knew what his customers wanted better than they did. The social media buttons only had an effect on 3.4% of their users, a small group compared to the reduction in failed logins. By making the social login buttons the main point of their blog article, they hide this valuable tidbit.

BryanB55 over 12 years ago
We've always found that replacing "username" with "email address" makes logging in a lot easier. Most users already know their email address. By using a username that's one more thing they have to remember.

netmau5 over 12 years ago
I've grown to seriously hate OAuth as a login mechanism. It's great for connecting accounts for integration, but I've been burned by it as a login.

On one of my previous projects, Twitter was the only allowed login method. After some complaints, we implemented an email-based login and reduced the bounce rate by over 50%.

Another anecdote: whenever my Asana session expires, I always struggle to remember which Google account I registered with or if I used email. The worst part of their flow is that if you're wrong, a new account is created and you login to a blank slate. It takes forever to find the log out button to try again too.

Tipzntrix over 12 years ago
At the bottom of this article, there are "Sign in With FB/Twitter" buttons.

vampirical over 12 years ago
> But after some further consideration, we decided that it was a false risk, as the username reminder form already tells you if a username exists [...]

Alright so this security hole already existed in their system elsewhere. After raising the issue that this type of message leaks data, which is a completely valid concern, they dropped it because they were already leaking that data elsewhere? It isn't like email based account reset/reminder forms have to leak the existence of an email within the system, a fact they just gloss right over.

For a system that stores quite a lot of very sensitive data it is surprising to see them knowingly keep such a hole open. I understand the desire to smooth out the user experience but this honestly seems more driven by the desire to not field customer support requests for what feels like a "stupid issue".

I'm not currently a MailChimp customer but I used to be and before reading this I would have chosen to use them again if the need was there. Please don't compromise the security of customers for convenience.

propercoil over 12 years ago
I joined mailchimp ~7 months ago after Jason (thisweekin.com) pleaded viewers to check it out so I signed up for the free trial (2000 subscribers free no credit card).

I'm amazed by everything that they do. Elegant api and ux that "you get" from the get-go. It is a huge problem to solve and I'm now engaging with 1100 subscribers.

Now I want to pay ($30/m) but they don't accept paypal - the service I use to pay for everything since I'm a digital vendor. There are companies in the U.S. that don't understand that a lot of foreigners do business solely with paypal. There are those who dig it though (Elance, Envato, Odesk)

mailchimp take the leap! eeee

catshirt over 12 years ago
few things don't add up here.

1. they added the social buttons late in the game, and are surprised about 4% of users are using the social buttons. what if that 4% was comprised entirely of users who registered since you added the buttons? that would be a totally different ballgame.

2. the problem they were trying to solve was login errors. that's not the problem facebook and twitter sign in solve. therefore it seems fallacious to say "they aren't worth it" when you're not even considering the standard use case.

bunderbunder over 12 years ago
I love being able to log in using an OpenID provider rather than creating an account.

Because it's one less !$@%!@$! password to remember. Or it's one less $@&%!@$ hassle adapting my password creation formula to a new site's password requirements. Or it's one less place where my don't-care-use-it-everywhere username/password key is stored, perhaps @$2(*! in the clear. Or perhaps it's just one less time I have to type in a @$@(%^!* username and password. Or @*($&%! create one.

adrianhoward over 12 years ago
For me the most important bit in that was the last line.

"Is it worth it? Nope, it’s *not to us*." (my emphasis)

Not all businesses are the same. B2B businesses like MailChimp usually don't see major increases in value through third party auth. They're providing serious value. People will go to the effort regardless.

With a casual use B2C site removing even the tiniest piece of friction in the login process can mean the difference between a purchase and people just going away.

It depends. This is why we test shit :-)

(Also - unrelated to this - is that the "login" bit is often not where the biggest win for third-party auth is. It's in reducing friction in registration. I've seen high single digit percentage improvements in abandonment of registration for some B2C sites due to getting profile info from twitter/linkedin/etc. cutting the time it takes to setup accounts fully. Lifetime value also increased since profile info was generally better from those sources which was an important part of users getting value out of the system, and so the business getting value out of those users).

[edit: also - they seem to be looking at total numbers, rather than doing any kind of cohort analysis on the folk using twitter/facebook/whatever... which may well lead to different conclusions]

badclient over 12 years ago
I am probably in a minority but for me, my Facebook and gmail is more valuable than almost all other accounts. When I see a site that forces me to sign up using Facebook or a google account, I usually hit back. Why? Because in my mind I'm giving access to my entire Facebook to a bunch of guys I know little about. I'm not as fearful that these guys are evil and may directly harm me. I'm more fearful they will post something to my timeline or that they may repost say my public posts for SEO etc.

This is one reason I am extremely pissed at instagram. Instagram as a product gives you a sense of privacy because it provides very limited ways to access your photos. You can't just go to instagram.com, login and begin browsing. On the other hand, few people realize that your instagram pictures are public by default and there are dozens of sites which using instagram's API (I'm guessing) are republishing our photos without even your knowledge.

taylonr over 12 years ago
I see this as two problems. 1. Too many options. They even mentioned it "Did I log in with Facebook or Google or Twitter or what."

2. Having both social & native logon.

You could actually solve both by either 1. Only using native logon. or 2. Picking one (maybe 2) social logins.

I went with #2. Granted it was on a small test site, but the trade off of managing customer logins sucks. I'd rather have google get busted for getting hacked than for my little SQL DB getting attacked.

The way I look at it, I have time to write code and secure it to the best of my ability. However, Google and other social logins have whole teams that can manage security and keep up to date with the latest technology etc.

So there is more to social logins than the actual act of logging in. And some of the problems listed aren't really with social logins, but rather with a particular implementation.

tylermenezes over 12 years ago
The actual point of this article is "Social login buttons aren't worth it... for Mailchimp".

Obviously a business-focused company is going to have less people logging in with Facebook than a consumer-focused company.

People shouldn't write generalizing blog posts unless they have some understanding of proper experimental design.

tsurantino over 12 years ago
One thing that has been really interesting about the discussion of social logins has been the re-emerging critical outlook on online identity. I think that social logins are a double-edged sword, where they give us the ability to easily connect with sites for which our social identity is relevant or for which setting up a whole new custom identity is unnecessary. On the other hand, the obvious drawback is the implicit promotion of the social network as the de facto identity standard, which is dangerous and totalitarian (Facebook owns who you are, sort of).

I think the simple value for social login is context. There's an obvious overuse case and a useful use case.

tolmasky over 12 years ago
I think telling people that just their password was wrong was a bad move. The author argues that this is not a security risk because the "username reminder form already tells you if a username exists". However, this simply displays a further security issue. I don't have the link handy, but there was just a (really good) article the other day here on Hacker News about why you should not reveal whether the email address is necessarily associated with a username or password in these kinds of forms (always just give the same generic "we will send it if it exists" message).

drelihan over 12 years ago
What about having a generic "Third Party Login" button drop down? On a click, a drop down appears with the different login options. This makes the options available to users, but lets the main brand shine.

steeleduncan over 12 years ago
The problem isn't that social login buttons harm your brand or look ugly, it is that by using social logins you are working to expand the social network's user base and not your own.

Online companies are largely valued by the size of their userbase and by working to build Fb or twitter's userbase rather than your own, you are sacrificing the value you add to your own company for the sake of the social network that a user signs in with.

gingerlime over 12 years ago
As others pointed out, I believe the 3.4% was simply down to social logins introduced much later. When I first signed up for mailchimp ages ago, the only option was creating a new user account.

I think the article dismisses one huge benefit to federated logins:

* ease of use for users - instead of choosing a username, entering all the customer information, verifying the email address etc, choosing a password, you can sign in with one or two clicks.

shizzy0 over 12 years ago
I never use a Facebook or third-party login, if I can help it. Why would I want to tie my real identity to some site I'm opting to _try_ for the first time? I might want to integrate an account to Facebook if the service provided some phenomenal value to me for doing so and the service had gained my trust. But providing my Facebook information to an unknown entity is far more intrusive than providing an email.

latchkey over 12 years ago
This is exactly why Persona really needs to be adopted more and succeed. I'm tired of creating new accounts all the time and Persona solves this issue.

geerlingguy over 12 years ago
Posted earlier too: http://news.ycombinator.com/item?id=4602425

Zelphyr over 12 years ago
Increasingly there are going to be people like me who don't trust Facebook, Google, Twitter, etc... enough to have an account (or, at least, a real one) with them. So using them for logging in somewhere else isn't helpful.

ONLY being able to use them to log in somewhere else is obviously a reason to never sign up with that "somewhere else" site altogether.

sologoub over 12 years ago
One thing that jumped out at me with the "better" error messages, is that it makes it that much more hackable - if I can hit the service and find valid usernames, I can then try to get into those.

If you have a catch-all error message, it's much harder to guess the username/password combo.
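
The comments above by vampirical, tolmasky and sologoub all turn on whether a login error or a reminder/reset form reveals which accounts exist. The following Python code is an added example, not taken from the article or from any commenter: it puts a login that names the failing field beside one that gives the same reply and does the same hashing work for unknown accounts, plus a reset request whose reply never varies. `AccountStore`, its method names, the message strings and the addresses are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed value for this example
GENERIC_LOGIN_ERROR = "Incorrect username or password."
GENERIC_RESET_REPLY = "If that address has an account, we have sent it an email."


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class AccountStore:
    """In-memory stand-in for a user table (hypothetical, for illustration)."""

    def __init__(self):
        self._users = {}   # email -> (salt, password hash)
        self.outbox = []   # addresses a reset mail would be sent to
        # Dummy credentials, so an unknown account costs the same hashing work.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash(os.urandom(16).hex(), self._dummy_salt)

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[email.lower()] = (salt, _hash(password, salt))

    def login_leaky(self, email: str, password: str) -> str:
        """The 'clear error message' variant: says which part was wrong."""
        record = self._users.get(email.lower())
        if record is None:
            return "No account with that username."
        salt, stored = record
        if not hmac.compare_digest(_hash(password, salt), stored):
            return "Wrong password."
        return "ok"

    def login_uniform(self, email: str, password: str) -> str:
        """Same reply and same hashing work whether or not the account exists."""
        record = self._users.get(email.lower())
        salt, stored = record if record else (self._dummy_salt, self._dummy_hash)
        matches = hmac.compare_digest(_hash(password, salt), stored)
        if record is not None and matches:
            return "ok"
        return GENERIC_LOGIN_ERROR

    def request_reset(self, email: str) -> str:
        """Mail is queued only for real accounts; the reply shown never varies."""
        if email.lower() in self._users:
            self.outbox.append(email.lower())
        return GENERIC_RESET_REPLY


def distinguishable(login, known: str, unknown: str) -> bool:
    """True if a wrong-password reply differs between a real and a made-up account."""
    return login(known, "wrong-guess") != login(unknown, "wrong-guess")


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice@example.com", "correct horse battery staple")
    print("leaky:", distinguishable(store.login_leaky, "alice@example.com", "nobody@example.com"))
    print("uniform:", distinguishable(store.login_uniform, "alice@example.com", "nobody@example.com"))
```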

pbreit over 12 years ago
While I'm disinclined to take UX tips from MailChimp, there are at least two good situations to use 3rd party registration/login: 1) when you're getting more out of it than simple reg/login and 2) mobile.

cookingrobot over 12 years ago
Social Login buttons are liked by some users (about 30% from our research [1]) and have the added benefit of giving extra biographical data / friends graphs / etc. Some services need that extra data for sharing features etc.

We run a service that makes it simple to add Email&Password style login, or Social login to your site: http://www.dailycred.com

[1] http://dailycred.tumblr.com/post/30602034530/surprise-people-hate-being-forced-to-use-facebook

rsobers over 12 years ago
Wow, they dramatically simplified the login form. Here's what I get at the moment:

http://i.imgur.com/LExHd.png

vseloved over 12 years ago
Finally, someone has the guts to say, that failed logins should tell the user, what is wrong: username or password

inthewoods over 12 years ago
Anybody have any data on whether using social login buttons on landing pages increases/decreases conversion?

nnash over 12 years ago
I wonder what Pinterest's numbers on this are.