On a tangentially related note, developers, please remember that not everybody in the universe has a Twitter account, or wants one. If you have some cool product and I <i>must</i> sign in with FB/Twitter, straight to the close tab button I go and I'm not looking back.
I agree with the conclusion, but the even more wildly actionable information is that you can decrease CS costs and increase customer happiness by using copywriting better than "That email and password do not match our records." (Also, as a product owner with an engineering background, I have to come down on the "In this case, prefer UX over security" side of the debate, since there are numerous other options for divining existence of an account/email address and refusing to tell the account owner that gets you no marginal security benefit but does frustrate their use of your system.)
The title is total linkbait -- once you read through the article, it becomes clear that all the author is claiming is that social login buttons weren't the right choice for Mailchimp. They might be the right choice for others though: "Sometimes it makes a lot of sense, and other times it’s just not worth the trade-offs".<p>Although Mailchimp has a lot of users, it doesn't make sense to generalize conclusions from one SaaS business to the whole web. A private SaaS dashboard is a different use case from most consumer websites, where the goal of logging in with Twitter or Facebook is generally to attach your public identity to your posts or profile on the site, <i>not</i> merely to expedite login. And frankly, a private dashboard is a very strange place to add social login buttons in the first place. Although the "what login did I use?" issue comes up on consumer websites that make good use of social auth, it does so less often, because if you connected a third-party account to one of these sites, you did it for a reason and are more likely to remember.
> <i>What if Facebook or Twitter were hacked? Your social profile would be at risk (the sun would still rise tomorrow), but so would any other account on other services that are connected. That’s a little scary. Yes, Facebook and Twitter are good at security, but nobody, NOBODY, is perfect. Social login buttons delegate control of your users’ credentials to another service, rather than ensuring security yourself.</i><p>Well, nobody is perfect, but some are better than others [0]. Security is hard. In my case, I'd trust services like Twitter and Facebook more than myself right now (they have tons of good engineers and much more to lose in case of a security breach). Like many other things, this is a trade-off.<p>[0] - <a href="http://lesswrong.com/lw/mm/the_fallacy_of_gray/" rel="nofollow">http://lesswrong.com/lw/mm/the_fallacy_of_gray/</a>
Man, I'm glad to read some anti-social login stuff, as I personally do not like everyone depending on FB. I've read articles on TechCrunch which say to ONLY have Facebook logins for an MVP, which made me cringe.<p>However, the key thing to realize here is that 3% of <i>Mailchimp's</i> users use the social login buttons. That doesn't translate to 3% of <i>your</i> users. One app I work on is a social app for music fans. Most of our users hit the Facebook button. It's also mobile, so that might have something to do with it as well (people might not want to type on mobile devices as much).<p>Takeaway: you need your own stats.
> Social login buttons delegate control of your users’ credentials to another service, rather than ensuring security yourself.<p>It is basically guaranteed that both Facebook and Twitter logins are more secure than almost any website that might offer one of their login buttons. How many websites have dedicated security engineers? Does mailchimp.com? I doubt it (but I'd be impressed if they do).<p>The other arguments are pretty reasonable; of course if you don't want to put another brand right in the middle of your login page, a social login button might not be for you. But security is almost an anti-concern: it's probably a win for your users in that respect.
For services I want to quickly try out once, if you just need a quick way to authenticate, I will look for a Facebook login button and generally leave the site if it doesn't have one.<p>Of course you also can't ask for any odd permissions either!
Did they consider that people tend not to use their Facebook account for work accounts?<p>Anything relating to my job, I use my work email with a password. Anything personal, if I have the option, I use Facebook and don't let it post to anyone but me.
> <i>If you’re using Twitter and Facebook for signup too you’ve got a bigger problem. A user’s credentials are then bound to another account on another service that could be canceled at any time, breaking access to your app without the user knowing</i><p>I'd never really thought about this. What do people suggest doing to handle this sort of use case?
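One answer to the question above, as an added example that is not from the article or any commenter: treat a social login as a <i>linked identity</i> on a local account rather than as the account itself, and keep a verified email on file so the user still has a way in when the provider account is cancelled. The in-memory store, provider names and user ids below are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    account_id: int                   # our own key, never the provider's uid
    email: str                        # contact address the app controls
    email_verified: bool = False
    password_hash: Optional[str] = None            # optional local credential
    identities: Dict[str, str] = field(default_factory=dict)  # provider -> uid


class AccountStore:
    """Hypothetical in-memory store: social identities attach to a local
    account instead of *being* the account."""

    def __init__(self) -> None:
        self._by_id: Dict[int, Account] = {}
        self._by_identity: Dict[Tuple[str, str], int] = {}
        self._next_id = 1

    def sign_up_social(self, provider: str, provider_uid: str, email: str) -> Account:
        """Sign-up through a social button still creates a local account;
        the provider identity is merely its first link."""
        acct = Account(self._next_id, email)
        self._next_id += 1
        self._by_id[acct.account_id] = acct
        self.link(acct.account_id, provider, provider_uid)
        return acct

    def link(self, account_id: int, provider: str, provider_uid: str) -> None:
        key = (provider, provider_uid)
        owner = self._by_identity.get(key)
        if owner is not None and owner != account_id:
            raise ValueError("identity already linked to another account")
        self._by_id[account_id].identities[provider] = provider_uid
        self._by_identity[key] = account_id

    def login_social(self, provider: str, provider_uid: str) -> Optional[Account]:
        account_id = self._by_identity.get((provider, provider_uid))
        return None if account_id is None else self._by_id[account_id]

    def login_methods(self, account_id: int) -> List[str]:
        """Every way this user can still get in; this list must never empty."""
        acct = self._by_id[account_id]
        methods = ["password"] if acct.password_hash else []
        if acct.email_verified:
            methods.append("email-reset")   # reset link to the verified address
        methods += [f"social:{p}" for p in acct.identities]
        return methods

    def unlink(self, account_id: int, provider: str) -> bool:
        """Remove a provider link, but never the last way into the account."""
        acct = self._by_id[account_id]
        if provider not in acct.identities:
            return False
        if len(self.login_methods(account_id)) <= 1:
            return False                    # would orphan the user
        uid = acct.identities.pop(provider)
        del self._by_identity[(provider, uid)]
        return True

    def provider_account_gone(self, provider: str, provider_uid: str) -> List[str]:
        """Simulate the provider cancelling the user's account: the link dies
        and the remaining login methods are reported (empty == locked out)."""
        acct = self.login_social(provider, provider_uid)
        if acct is None:
            return []
        acct.identities.pop(provider, None)
        self._by_identity.pop((provider, provider_uid), None)
        return self.login_methods(acct.account_id)

    def verify_email(self, account_id: int) -> None:
        self._by_id[account_id].email_verified = True

    def set_password(self, account_id: int, password_hash: str) -> None:
        self._by_id[account_id].password_hash = password_hash
```

The two checks that matter are in <code>unlink</code> (refuse to drop the last login method) and in what <code>sign_up_social</code> does not do: it never uses the provider's user id as the primary key, so a dead provider link leaves the account, its data and its verified email intact.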
While I agree (mostly) with the conclusions of the article, the reason social login buttons exist is that people want easy access to services without having to fill out a bunch of stuff. Services like social login, Persona and other OpenID providers are a step in the right direction for solving that, but I think it would be best if it were implemented in the browser. Specify how you'd like to identify yourself to the web (or specific pages) and just add 1-click confirmations. Can't believe I'm saying this, but Microsoft's InfoCard would have been perfect for this :)
Previous discussion from a couple of months ago: <a href="https://news.ycombinator.com/item?id=4603204" rel="nofollow">https://news.ycombinator.com/item?id=4603204</a>
It should be noted that MailChimp is huge. I have no figures, but I'm guessing they have millions of users. This means that problems that affect 0.1% of their userbase still represent a nominally large number of users. They don't have problems like user acquisition and brand recognition.<p>For me, adding 'signup with Facebook' has increased the number of registrations. I'll worry about the effect on failed logins when it proves to be a problem.
Even though I very much prefer having an FB login, and think that is much more secure than having manual login (and thus having to remember passwords, which most people will "solve" by having the same password, which is really insecure), for the love of god, keep your social logins down to 1-2 options, if you must have them. Please do not throw in Facebook, Twitter, GitHub, Google, LinkedIn, and the rest of the kitchen sink.
> <i>"But after some further consideration, we decided that it was a false risk, as the username reminder form already tells you if a username exists"</i><p>The solution would be to close that hole, rather than opening the same hole somewhere else. For example, for the username reminder form, if the username can't be found for a given email address, then that can be conveyed to the user by sending them an email message.
I'll keep conveniently logging into a lot of services with social logins, thank you.<p>To me, there is especially the case of using a social login to sign up for just trying out a service, which I would not have done if it had meant going through the hassle of filling out a form or even validating an email.
But telling the user that their username OR password is incorrect is good practice though right? If you were trying to break in to somebody's account, it would be better for the person breaking in to not know whether or not that account exists, is a typo etc.
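The account-enumeration trade-off raised in the three comments above (the "prefer UX over security" copywriting point, the username reminder form, and the "username OR password" message), as an added example that is not from the article or any commenter. It shows a login handler whose error text reveals whether an account exists next to one that answers uniformly in both wording and hashing cost, and a username reminder that gives the same on-page reply for any address and pushes the real answer into an email, which is the fix proposed above. The user store, salts and outbox are constructed in memory for the example.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: email -> (username, salt, password hash).
_SALT = os.urandom(16)
USERS = {
    "alice@example.com": ("alice", _SALT, _hash("correct horse", _SALT)),
}

# Dummy credential so an unknown email costs the same work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)


def login_leaky(email: str, password: str) -> str:
    """Friendlier copy, but the message itself tells anyone which
    addresses have accounts (the enumeration hole)."""
    rec = USERS.get(email)
    if rec is None:
        return "No account exists for that email address."
    if not hmac.compare_digest(_hash(password, rec[1]), rec[2]):
        return "Wrong password."
    return "ok"


def login_uniform(email: str, password: str) -> str:
    """Same message and same PBKDF2 cost whether or not the email exists,
    so neither the text nor the response time distinguishes the cases."""
    rec = USERS.get(email)
    if rec is None:
        salt, stored, known = _DUMMY_SALT, _DUMMY_HASH, False
    else:
        salt, stored, known = rec[1], rec[2], True
    match = hmac.compare_digest(_hash(password, salt), stored)
    if known and match:
        return "ok"
    return "That email and password do not match our records."


OUTBOX = []  # constructed stand-in for an email sender: (address, body)


def remind_username(email: str) -> str:
    """Username reminder that does not confirm existence on the page.
    The reply is identical for every input; the real answer goes to the
    mailbox, which only the address owner can read."""
    rec = USERS.get(email)
    if rec is not None:
        OUTBOX.append((email, f"Your username is {rec[0]}."))
    else:
        OUTBOX.append((email, "A username reminder was requested, but no "
                              "account is registered to this address."))
    return "If that address is registered, we've sent a reminder to it."
```

Two caveats a practitioner would add: the uniform form must be rate limited as well, since an attacker can still test credentials one at a time; and mailing an unregistered address on request is a spam vector, so the reminder endpoint needs the same throttling and should send only a fixed, link-free notice.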
<a href="https://news.ycombinator.com/item?id=4603204" rel="nofollow">https://news.ycombinator.com/item?id=4603204</a><p>From when this was previously discussed (originally published?)
Depends on your target audience imo. For a consumer-facing product, if a considerable share of your traffic is coming from Facebook, it sure makes sense to have that option.