In case you're not familiar with them, this blog comes from the Mozilla Identity team, which is creating a unified login product called "Persona." It's basically the features of social login (you don't have to create a new account for every site) without the drawbacks (an advertising-driven company knowing your every login).
I use Persona on my costs-real-money subscription site[1] and I'm very happy with it. Integration was easy, the user experience is pretty good, and it's been stable and reliable. The best thing, of course, was not having to implement my own password-management infrastructure, which saved me a ton of time, as well as insulating me from the hard security problems that come along with such a beast.
If you decide to try Persona, I heartily recommend it. There are a couple of gotchas to be aware of:
1- On iOS, only Safari works due to Persona using a pop-up window for login. People using Chrome on iOS will get a confusing "relay frame not found" error.
2- Signup flow could be better. When users create an account, they get a confirmation email. Clicking the link in that confirmation email redirects them to the Persona site, not back to your site. It's possible this is configurable and I haven't figured it out yet.
3- Persona emails are case-sensitive. There's some rare issues that occur as a result. At one point, it could crash the login, but I believe that's been fixed.
Don't let these flaws stop you, though--Persona is very well done and constantly getting better. I've had hundreds of people sign up for paid accounts and only two have had trouble to the point of asking for help. (And nobody's cancelled their subscription because of login problems. :-) )
> returnTo: Absolute path to send new users to after they've completed email verification for the first time. The path must begin with '/'. This parameter only affects users who are certified by Mozilla's fallback Identity Provider.
shouldnt be too bad, because the button they click to login says "Persona," as does the email. I guess if a person is already familiar with logging via fb/google/twitter, then they should "get it." but someone not familiar with logging to site A using credentials from site B.... yea i can see that being confusing.
Upgrade to the Observer API (`.watch` and `.request`) and your users will automatically get a super smooth post-verification experience, just like you described.
Don't let these flaws stop you, though--Persona is very well done and constantly getting better. I've had hundreds of people sign up for paid accounts and only two have had trouble to the point of asking for help. (And nobody's cancelled their subscription because of login problems. :-) )
Just as a point of info "only two have had trouble to the point of asking for help" is a really bad way of judging whether something is working well or not for your customers.
The vast majority of people do not complain if they hit problems. They just silently go away. From my experiences of optimising this sort of stuff I'd pretty much guarantee that you have at least 10x times than number failing and walking. Possibly much higher.
Not in this case. The signup flow for my site is "decide to subscribe, put in email address, put in credit card, create Persona account."
By the time they get to the "create Persona account" part, they're already invested in it working.
I also monitor my logs for signs of trouble. One of the two issues I was talking about above was actually initiated by me reaching out to the subscriber. (I happened to see them bouncing on the "now log in" page within a few minutes of their subscribing.)
And I also ask people who cancel why they did so. The vast majority respond, and none have said "I couldn't log in." :-)
It's quite possible there are still some angry silent unsubscribers who were stymied by Persona, but at this point I'm satisfied that it's not a significant number.
I like it a lot, but at the end of the day I'm still relying on a single company to hold the keys to many accounts of mine on the web, which is still a bit jarring (not that it's going to stop me).
> at the end of the day I'm still relying on a single company to hold the keys to many accounts
Actually, with Persona, you're not. :)
Persona has a fully decentralized architecture. The centralization you're seeing right now is completely temporary, and only serves as a bootstrapping convenience. If you own your own domain you can turn it into a Persona Identity Provider and start minting your own identity certificates today, without Mozilla (or any other single company) being forced into the trust path.
We're going to build a Persona <-> Gmail OpenID bridge soon. Probably launching in May or June. It'll almost be like Google supports it directly. :) After that will come Google Apps support.
I'll submit a feature request to Spotify to get them to support Persona log in. When Gmail and Spotify are gone I'll be two big steps closer to getting rid of that pesky Facebook account ;)
Actually, it won't. You'll OpenID auth into google.login.persona.org, and then get a straight up Persona certificate signed by that fallback, along with all of the privacy safeguards that has.
Honestly, we haven't quite figured out a good way to do a "beta" or partial roll-out for this without breaking other users. Yaaaay decentralization! Instead, we'll be extensively QA'ing it in testing environments, and then we'll flip a big switch to enable it for everyone.
We wouldn't even have to turn it off -- as soon as gmail.com can vouch for its own users, the protocol automatically and preferentially switches over to that. The centralized parts fall away on their own whenever they can. :)
Thanks for the suggestion. I'll keep tweaking it. I'm seeing fewer (actually, none) bounces off the payment page than before, which suggests that the change I made has already helped.
I'm limited by a serious lack of graphic design skill, and this page wasn't part of Primate's original design work for the site. It shows. :-) It will get a proper design at some point in the future.
I'm interested to know how Persona works server-side? AFAIK, it's entirely done in JavaScript. I can't imagine sending the browser ID over Ajax to make a session, it seems far too easy to exploit.
In short: it's bog standard public key cryptography. My browser has a keypair and my email provider has a keypair. My public key and email address are bound together and signed by my email provider's private key. When I want to log into a site, I pass along that certificate. I also pass along a document containing where I want to log in and and the current time, signed by my browser's private key.
The latter document ties a given login request to a specific keypair.
The former document ties a given keypair to an email address.
Together, they identify me and prove that the person logging in really is the same person that was authenticated by the email provider.
"not having to implement my own password-management infrastructure, ..., as well as insulating me from the hard security problems that come along with such a beast."
But you do realize it does definitely create another, much more serious, security problems right? What happens when the single sign-on server gets compromised? What happens when tokens aren't as secure as they should (like the recent OAuth SNAFUs, with an 's')? What happens when you don't pay attention to all the fineprints in the Persona docs stating things like:
"Be careful if you don't do this it's going to be easy to forge"
and:
"Guidelines to use Persona securely"
?
So it can be used not securely? Like OAuth? Do you think I find it re-assuring that I have to take steps so that things are not easy to forge? What when the latest JavaScript / browser exploits manages to forge requests?
Don't get me wrong: this seems very convenient. But you're trading time for something here. It saves you time by now having to roll your own security correctly (a DB into which you put emails and bcrypt encrypted passwords) but it comes at a price.
The price is the added insecurity that single sign-on adds.
Authentication requires attention to security no matter how do it. There's no silver bullet.
As far as I can tell, using Persona requires less attention to security than doing it myself. I don't see how that translates to creating "much more serious" security problems.
Perhaps you are a security expert who can do a better job than a team of Mozilla developers who are dedicating themselves full-time to solving authentication problems. I'm not. I know enough to know that security is harder than it looks, and that even if I salt my fries and crypt my bees, I can still screw things up[1]. Better to outsource it... well, as much as I can, anyway.
Hi, I'm on the Persona team at Mozilla. If you'd like to learn more about what and why Mozilla is doing with authentication, I gave a 45-minute talk at PyCon US this past Saturday. You can find the video here: http://pyvideo.org/video/1764
I'm also happy to answer questions in-thread or via email.
I looked at Persona for a project a friend of mine is doing, and I pretty much rejected from the start. Persona seems flawed in that it assumes email as identity.
I'm a developer on a e-commerce site, when we started out we assumed what Persona assumes, that email is a unique and stable identity. We found out the first day of production mode that this assumption is flawed. People changes email address all the time, it's at least as unstable as their home address, most peoples phone number is more stable.
As software developers we assumed that pretty much no one would ever change their email address, or that at least they wouldn't discard their old one. Regular people however do that. They do not care about their email address.
Is this something that the Persona team that given any thought. If so, what did you come up with?
Persona's about page says that you can use multiple email addresses with a single account.
"Within Persona, your identity is your email address. You can use as many email addresses as you want, but you still only need one password.". - https://login.persona.org/about
It's not really clear if it maps to the same identity. I should test that.
However I think it might still confuse customers. A normal user expect to be able to change their email address on the site where they do business and the "MAGIC". I think we would have been better of requiring a username, email and password, rather than using the email as the username. For a large number of people needing to have both username and email seems redundant and stupid, for real life customer... not so much.
My issue is, a customer has X number of orders on our site. Then he/she changes email and expect that using the new email address the old orders are magically available. This seems naive but that is what you have to deal with.
Again I should check to see if Persona indeed maps multiple emails to the same identity. It didn't seem like it when I tested it last, but I would not rule out that I did something wrong.
On the one hand, I think email addresses are FAR more understandable as "identity" to an average user than URLs are, which to me is the fatal flaw with OpenID. To an "ordinary" user, URLs are websites, not people.
On the other hand people do change identifiers. They change usernames (jsmith gets married and now wants to be jadams) and they change emails (for the same reason, or because they change ISPs or mobile carriers or whatever). ANY authentication process you use should allow the user to change his identifier (or any other personal attribute even gender) at will.
Internally you deal with this by connecting the identifier to an other token that is the real "permanent" identity for the user in your system. But it's one that's never exposed to the actual user. It sounds like your system was using the email address in the order records to identify the customer. That is what your real problem is, not that people change email addresses.
> But it's one that's never exposed to the actual user.
Why not expose it to the user? Because then they'll want to change it? Are you talking about browser fingerprinting?
We already expose this on the user/email level, where users can link and log in with as many email addresses as they like, under one account (identifier).
Sure, sometimes their usernames are their primary keys. Even if the actual primary key is arbitrary, the primary identity is still exposed to the user, in that they know what their user account is, and which email addresses are linked to it.
It maps multiple emails to the same identity, in that you use the same password to log in with all of them. The end site gets the email you log in to the site with (I can log in to Persona with email A but let all sites know email B every time. If I change that to email C, sites will think I'm a different user).
You can let users change email addresses, and nothing bad will happen. They'll just have to log in with the other address next time.
I think you may have a unique case on your hands. I am a web developer for a big eCommerce site and we use emails to identify users (we switched from usernames to emails after a few months of testing actually). After three years of the site being up we have only had a handful of people get confused about their email changing.
If a user does change their email they can log in as their old email and simply update their account to their new one.
Email is a much better system than username because people constantly forget the unique username they created for that specific site. You don't really forget your email very often.
+1 to your decision. I HATE site that use usernames instead of emails... i wont even use sites that do that unless i really really have to (like my health care provider).
The problem is not displaying a username. The problem is using the username to login. Because users forget that.
If you're stupidly using your email as your username then your email becomes public should the site you're on show, at any point, your username.
Which is why sites correctly done use the email for login but display a username and never your email. Correctly done sites also forbid username from containing '@', so that you can be sure that people don't do anything retardedly stupid like using their email as username, which would be displayed publicly on the site...
Email address is the backbone of web identity. Nearly every registration system uses it. If you're having trouble with it, maybe, just maybe, it's on your end?
Isn't that his point? Email address is a backbone of web identity simply because we don't have anything better. Maybe we should finally get around to figuring out something better?
It's a hard problem because anything real world like a identifying number is flawed for anonymity. There needs to be a unique identifier for a web entity.
It's always annoyed me that solutions like persona etc are approaching this by simply replacing email, when shouldn't they be abstracting my online identity? I hold several "personas" throughout various sites, email addresses, and applications. However, I don't want a product that simply merges them, I want a product that is more of a "meta-persona", that lets me easily track, manage, and expand them.
Sounds like it already does kind of do that. From StavrosK above:
"It maps multiple emails to the same identity, in that you use the same password to log in with all of them. The end site gets the email you log in to the site with (I can log in to Persona with email A but let all sites know email B every time."
So based on that, if you want to expose three different identities to 3 different sites, you can set up Persona to do that automatically, without having to remember the separate emails and passwords you used for each one. I guess the only problem would be if you needed multiple separate logins to the same site, but unless it's your own site, presumably that should be rare.
If you honestly believe that, I would claim that you either have no customers or that your customer reside in a very limited sub-section of people.
People do not believe that their email and identity is in any way linked. You and I might believe that, but don't count on your customers sharing your beliefs.
People do not believe that their email and identity is in any way linked
I think that you might have to explain that a bit.
I think that others try to argue that people use email at least as temporary identity, in the sense that at time t, they identify themselves with at least one of their email addresses. In practice this is enough for many web sites to use the email address as login. Perhaps you are talking about some longer sort of permanence, or uniqueness?
You'll note that both Facebook and Google provide ways to hook up multiple emails to the same account, and multiple recovery accounts. Why do this if nobody uses it?
(Damn, I had wanted to post this yesterday, but then I forgot to quite finish it and it ended up sitting in a tab, unsent.)
Yes, it does: it means that you cannot count on it as a canonical form of identity for any long period of time, as people expect to be able to change it; in fact, many people go through "the great purge" every couple years, deleting their e-mail address and selecting a new one, in order to purposely reboot the people who have their address: to them, it is a way to purposely restart their identity.
You thereby have to think of e-mail addresses as more akin to your home address. If you ask me to log in with my home address, yes, that works: it doesn't work for everyone, as not everyone in the world has a home address, but the same thing can be said for e-mail addresses. Sometimes people will share a home address, but surprise surprise: sometimes people share e-mail addresses as well.
When I am asked to log in to that form with my home address, and it works, you now might claim I've accepted it as part of my identity. Well, I haven't: I'm going to change my home address at some point, and someone else is then going to start living here, which is exactly what happens to many people who use ISP or University -provided e-mail. Hell, it also happens to people with vanity e-mail addresses if they let their domain registration expire (as happened to one of my friends, who otherwise was using the same e-mail address for a very very long period of time).
Yes: it works temporarily, but it isn't my identity, and eventually it will fail, and unless you are really really weird (like, you are the kind of technology person who would probably consider it digital suicide to allow their domain name to expire, and has had the same e-mail address now for well over a decade), it will fail sooner than later, and may even fail on purpose when users invalidate it.
How are usernames any different? You're saying identity is transient. This is true of every sort of identity except perhaps your soul. Regardless email addresses are more stable and unique than usernames. In fact they are just a username plus a domain that happens to have the ability to be routed messages in a standard way.
Of course you should be able to change the email on an account. Usernames can also be changed and are far from canonical. Your point about emails is not invalid, it's just not addressed by usernames, and usernames are actually inferior in that respect.
So, I did not use the word "username" in that comment you are replying to. I thereby will assume you mean "stable and opaque identifier assigned and chosen by the authentication provider", which is what I would argue for (as opposed to attempting to rely on an e-mail address as a stable identifier).
I did use the word "username" in a response to someone else, but that was a very different (and much more abrasive :() argument path.
> Regardless email addresses are more stable and unique than usernames.
E-mail addresses are not more stable that usernames, because e-mail addresses have an external purpose: they receive e-mail. Many people actively go and change their email addresses periodically in order to stop receiving e-mail from people they previously were receiving e-mails from.
A "username" (your word here), especially (and maybe specifically) the "good" kind that is never shown to another user and is just used for account canonicalization, which conceptually could be a random number assigned by the system, is something that the user has no reason to change unless they actually want to never log in to the account again.
E-mail addresses also are tied to the DNS system, which other forms of identification need not be: you can instead tie them to a private key kept by the authentication provider. That would make "me" be A@B where A is a number and B is a key pair. In this way, even if the way you continue to contact my authentication provider lapses (such as attempting to use a hostname) only if the new owner has the same key are they able to claim the identities there (unlike e-mail) and as the user specifier is opaque (not a string that I'm going to care about and want to make pretty, or something I'd ever want to change unless I actively want to lose access to my account) it will not run afoul of the problem with e-mail where people feel compelled to reuse them after some time of abandonment.
The problem then with Persona is that it is the websites consuming it who have the onerous job of dealing with every possible e-mail address change a user may request. With more classic attempts at federated login, users may end up with multiple authentication providers that can become somewhat confusing, but they demand to change authentication providers and especially lose access entirely to authentication providers sufficiently rarely that it is a non-issue to handle the support load of helping users remap their accounts (something that is difficult to automate, of course, in the case where the user already lost access to their old identity). With Persona, this is now something that the user has to do when they change e-mail addresses at every site they may ever have logged in to using their account, ever. :(
Say what? My email addresses are linked to my identity because they are my email addresses. Most of them even have my name on them. Sure, I have several of them, and one of them disappeared when I graduated from college, so the mapping isn't perfect -- but they are nevertheless mine.
The main exceptions to this are:
1. People who share an email address for convenience, like my grandparents.
2. Group-facade email addresses, like support@whatever.com, which may be routed to several people.
3. Email addresses that don't belong to anyone, like "noreply@whatever.com", or "autogenerated-4b243efa37e5b013a1d90b694c3bcaa3@hell.com"
Nope, like all other large providers (Facebook, Google, etc.) Amazon allows users to use e-mail addresses to log in, but they are not canonical stores of identity. In fact, Amazon is the most humorous example you could have pulled, because Amazon actually allows multiple accounts with the same e-mail address, and uses the password to differentiate (which is pretty much what jointb86 said, but I doubt if you knew this is the case that his comment was clear).
"Why Does Amazon.com Allow Multiple Accounts With the Same Email Address?"
"Note: If you change the e-mail address on your account to an e-mail address that is already associated with another Amazon account, we will ask that you first verify your e-mail address."
I have had the same email address for 18 years, but I'm a dying breed. Most people I know change email address pretty regularly - as in more than once a year.
Seriously, most people you know change their email address more than once per year? Honestly, MOST of the people you know do that? I highly doubt that.
- Many people never abandon their primary identity email.
- But many other people often abandon their email identity.
- You don't want to use a social network as the gatekeeper to *your* site.
- You don't want to have human support for password resets.
Sekrit questions/answers along the lines of your first car's maiden name? Those can be forgotten just as easily as usernames for login.
Sure, but the Facebook login is just "any e-mail address"; it doesn't really mean something for your account. You can add more e-mail addresses to your account, and all of them are allowed to be used to log in; the same, incidentally, is true of Google accounts.
Not once a year, but here in new zealand for most people the email address is provided by the ISP.
When they change their ISP, they typically get a new email address.
Most people I know have changed their ISP a couple of times.
Surely most people in that kind of situation would move to gmail/hotmail/yahoo or similar, though? I'm sure my ISP offers me a free email, but I can't say I've ever used it (or even asked after it...)
Users using cloud e-mail addresses have addresses that are slightly more stable, but eventually they decode that @hotmail.com looks better than @aol.com, that @yahoo.com looks much better than @hotmail.com, and eventually that @gmail.com looks better than @yahoo.com. When they do this, they change their e-mail addresses, and often just derelict the old one so they don't have to think about it anymore.
Also, to the extent to which this becomes important, it only becomes important too late, as in after you've already used an address or two. I have had the same address now since 1997 when I registered saurik.com, but I did that because I had in the two years prior "learned the hard lesson" that my ISP-provided e-mail address was doomed to be something I'd end up having to move off of, potentially fairly often.
> Email address is the backbone of web identity. Nearly every registration system uses it.
"Everyone else is doing is doing it that way" isn't a reason to do it that way, especially for a product, like Persona, that is supposedly about fixing what is wrong in what everyone else is doing.
Except that:
1. Email actually works quite well as an individual identifier. At any given time, an email account is probably linked to only one person.
2. No alternative exists, in real world use, that really looks better
> Except that: 1. Email actually works quite well as an individual identifier.
No, it doesn't.
> At any given time, an email account is probably linked to only one person.
Lots of people have shared email accounts. And even without that the "at any one time" is one reason why it doesn't work as an individual identifier, its not stable. (Since cell phones and number portability have become ubiquitous, phone numbers are probably better than email addresses at this, but share the same sorts of problems.)
> 2. No alternative exists, in real world use, that really looks better
Sure alternatives exist. While its often important to have a contact email address connected to an identity, there is no reason to have an externally-meaningful value that is inextricably tied to the online identity, particularly if that value doesn't have an intrinsic, unique, and stable link to a particular person.
You're justifying choosing a bad natural key with the argument that its the least-bad natural key, when not only is the proposition that the proposed key is the least-bad natural key somewhat dubious, more importantly, the use case calls for a key, but there is no reason for it to be a natural key.
«You're justifying choosing a bad natural key with the argument that its the least-bad natural key, when not only is the proposition that the proposed key is the least-bad natural key somewhat dubious, more importantly, the use case calls for a key, but there is no reason for it to be a natural key.»
Of course it has to be a natural key! Are you expecting that users will learn your theoretically perfect surrogate key? Do you understand that you will be competing for space in people's brain? For what reason? Because shared email accounts break the many to one relationship on mail <-> person?
> Of course it has to be a natural key! Are you expecting that users will learn your theoretically perfect surrogate key?
I'm not sure why users should ever need to know the key.
> Because shared email accounts break the many to one relationship on mail <-> person?
No, I probably wouldn't even both with addressing the problem of shared email accounts (which would require some discriminator), but with one person having multiple email accounts and email accounts changing over time. These things indicate that accounts should have transitory, one-to-many relationships to email addresses, rather than email addresses serving as a key.
«These things indicate that accounts should have transitory, one-to-many relationships to email addresses, rather than email addresses serving as a key.»
The only requirement for the email to be a key to the account is the association of one email to one person. A person can have more than one email, at different times or at the same time. The only thing that can't happen is one email mapping to two individuals. Full circle: the majority of emails do map to one individual and the cases where they do not map, are not enough to preclude the use of emails as keys.
Perhaps the confusion occurs because you think I'm defending email as a primary key for the account. I'm not. It's one key, not the primary key.
That actually sounds pretty hard to believe - Amazon uses your email id as your username for one, as does iCloud. Both services have hundreds of millions of users.
First, Amazon actually allows multiple separate accounts to have the same e-mail address, and will use the password to decide which one you are trying to log in to. Second, using your e-mail address as a potential username (sometimes, one of many possible, as is the case with Facebook or Google, which will let you use any of the e-mail addresses associated with your account or your username to log in) is very different from treating it as your identity, and you can tell the difference when you ask the question "what happens if I lose access to that address, change to a new one, and someone else is assigned the one I was using previously?", which happens to many people using e-mail addresses provided by third parties (such as companies, ISPs, or universities).
My main question is: where is the support for the assertion made in the article title? As far as I can tell, it's just made, and then the remainder of the article treats it as a premise or a claim to be supported only with vague anecdotes.
The proliferation of sites that only or primarily accept social logins seem to suggest that it's not a sound premise. However, I'd be interested to know if you guys have some data that's not shared in the article that suggests it is.
Hopefully someone else will chime in with actual citations, but we've seen a preponderance of evidence from our own user studies, from MailChimp, TechCrunch, and Voo.st's published comments, from Gawker Media's creation of an in-house non-social mechanism shortly after they tried to go social-only, and from private conversations with companies who have daily active user counts well into the millions.
> The proliferation of sites that only or primarily accept social logins seem to suggest that it's not a sound premise.
I'm not sure that necessarily follows. Google's own advertising for G+ authentication touts its privacy features, which suggests that Google also believes that users are uncomfortable with social auth as it exists today.
(Anecdotes aren't data, but they're what I have on hand at the moment. Sorry! Still at PyCon.)
All right. Thanks for this. Best of luck with your talk. I was nervous the last time I gave one and my audience was much smaller than yours will be. ;)
Thank you! I actually gave the talk a few days ago (I'm sticking around for the post-conference sprints), and I think it went well. In the future, I'd love to have hard data ready to cite in response to your question. I'll try to gather some once I get back home.
Thank you so much for this system. I sincerely hope that this gets more traction than OpenID. This is the most essential feature the entire web has never had.
I am very happy with the way persona works, both as an end user, and how easy it is to integrate into applications. I am hoping it gets some good marketing done or whatever is needed to make more sites start using it.
How, today, can I integrate Persona login into my site without referencing any third-party Javascript? Does any solution exist for sites that by policy only load Javascript from the same origin?
I think adding social auth was one of the biggest mistakes we made for the beta of Jetstrap. Users constantly forget which service they use. We added email/pass authentication, but now older users think they had a password when they didn't, and with django social auth you can't reset the password for a social account.
It was one big mess not at all worth it. I'd like to try Persona and see how that compares, but I think normal email/pass is better than plain social auth.
Why don't put the way the user was logged in by last time in cookie and just highlight it next time for him? Or even more explicit - add the "you have logged in this way last time" under the appropriate button?
If a user returns relatively quickly they generally remember how they logged in. The problem is when they come back after some months. At that point, they've probably completely forgotten how they logged in, and have cleared their cookies for some reason or another. It's a standard troubleshooting suggested by many websites. (Not saying it should be so, but it is.)
Tangentially related, for similar reasons Paypal remains my payment processor. Lots of people have Paypal accounts and find it much more convenient to use it rather than haul out their credit card and hand key all of their address and payment info. Every time I think about switching I review how many people use PayPal Express checkout rather than credit card DirectPay (both of which I offer), and I think about how many people simply wouldn't pay if the minimal friction of the PayPal Express button wasn't there on my checkout form.
Totally agree! Because I am not the biggest fan of PayPal, one of the best things I did to speed up ecommerce for myself was to memorize my CC details.
I have recently been converted to the joy of filling in credit card details (and address and phone number and...) with LastPass' form fill function. I previously had my CC details memorized for similar reasons, but I didn't realize just how much time I was wasting typing this stuff in over and over until it was magically done for me. And since security is what LastPass does, I have no problem with having their extension save my CC info in a secure manner.
I am an avid LastPass user and I already have my CC details in LastPass. But, until now I didn't realize you can add them to the Form Fill details! Thank you tempestn!
I'm a technical person and I don't like social login and I don't like creating individual account for every site. What I would like is a decentralized single-login protocol like the article is talking about.
One example of this is pud's launching of fandalism.com. When he announced the site on HN[1] some HNers complained about Facebook only login. But he was still able to get 400,000+ signups within 3 month[2].
Highly likely because MailChimp is a BUSINESS site, not some consumer site. Normal people love to just click a button and see their facebook image and name saying, "Welcome back, John Doe!" - without any pesky emails or other junk.
Aren't most of the people logging into Mailchimp online marketers? Maybe "technical" is the wrong word, but their customers are all in the tech business somehow or another. I think that qualifies.
Agreed -- this article shows not one data point to back-up their argument, but if you do look users actually opt for social login due to ease of access and use. Hell it's what makes paypal so easy and popular -- you put your data in one trusted service, and it works with minimal pain points across any site that requires payments.
Technical person here, and I will use Facebook or Twitter login 10 times out of 10. I do not want to create a new account for your service unless you absolutely force me to.
Wow, my experience and testing was quite different (not a huge site, a few hundred thousand users). When given the choice between creating a new login/password or using Facebook it broke about 70% to a new login/password. Demphasizing facebook login increased conversion rate pretty substantially.
There are obviously hundreds of variables in play here from the content of the site to the fundamental design that may be influencing this.
Interesting! That's what I expected but I think the vertical matters quite a bit. My old startup (http://getpressi.com/) that had more of a tech crowd focus definitely had more people signing up with email while the new one (https://makersalley.com/) has a more general population that tends to like using Facebook.
At this point our total users is in the hundreds so who knows how it'll turn up.
Yea - I definitely agree. Just throwing in my experiences. I will never use Facebook or Twitter if I can help it but in my experience "mainstream" users tend to prefer that to using their email.
The worst offenders are those that lead you into a social login, then post every page you view on your facebook wall. I've learned some fascinating things about my friends' reading tastes this way, but I'm sure they weren't happy about it.
Yes, I do this exact same thing. I really don't want to store password on my side and I'm of the impression that sites like Google, Facebook, and Twitter do this better than I ever will and that most of the users visiting the site will have some kind of account on these sites. Ignoring man-in-the-middle attacks, if one of the above thinks the email is valid, I have no reason not to.
As a disclaimer, though, I've worked on highly specialized apps where the users belong to a certain organization bound by one of the above. For example, I made a website for my school and every student there has an email address that is tied to that school's Google Apps for Edu account, so I'm guaranteed that all valid users (students) will be able to log in via Google.
> We also noticed that users dislike the NASCAR-style
> plastering of branded login buttons.
This reminds me quite vividly of Stack Overflow's login page. I can never remember if I signed up direct, with OpenID, or Google, or whatever else is there.
I've been starting to dig Mozilla and Firefox again lately (the last week of developer tools news cemented that), so I'd love to see their idea take off and gain full adoption.
Thanks! You can help it take off: try Persona out and let me know about your experience. Persona can't be the right solution without outside voices to help shape it.
Of course, if you think Mozilla is on the right track, ask a site you use to support Persona. :)
I rely on LastPass for confusing sites like that one. If it weren't for that addon, I'd never know, for example, which of the 7 or so Windows Live accounts that have been generated on my behalf is The Right One for which website.
I merely bought and installed an xbox 360, and now I have a small number of windows live or hotmail or xbox accounts, I haven no idea which are distinct accounts and which are linked in some way. Ptthht, ptthht. Trying to cancel the auto re-up of their gold account was a nightmare of circular hate. Ptthht.
I usually hate social logins, but I actually like the way SO does it because you can bind your account to multiple services. Now I no longer have to remember which specific one I picked.
Ditto.. I also really appreciate it when you are writing a comment for a blog you crossed in a search. Never been to X site before, likely won't be back.. but like to comment when an article's content is dated, or no longer relevant. Sometimes that gets harder than others.
If you want to run your own Persona Identity Provider (so you can login directly with your own email account and control the authentication from your own domain/site/server instead of having to remember yet another password for the fallback Identity Provider provided by persona.org), here's a tiny little piece of Python code that implements that:
Indeed. The article doesn't make the context clear up front (perhaps because it's on a blog and partly aimed at people who already know what the blog is about), but the author and Mozilla have a solution to that problem that isn't "social". The post mentions it toward the end:
"We built the Persona protocol to reduce data sharing to the minimum needed for the user to easily log in: the browser mediates the login without leaking data to the identity provider. In the end, Persona is the easy login solution that respects users."
Ben is a smart guy, I've read about Persona, and it seems to be really well thought out and to have learned from the failings of e.g. OpenID. I intend to use it the next time I need an easy login solution for users.
I would much rather make a new account with my e-mail than have anything linked to my Google/Facebook account. I'm really uncomfortable exposing other sites to that information.
I don't like social login because I'm not on any social networks. It could be a great service, but as soon as I see that it's Facebook/Twitter/G+ only, I'm out.
That's what I like with Persona, since I've made my personal domain a Identity Provider. I just log on and click okay to authenticate.
Not tied into Google/Yahoo/Facebook/MyLittlePonySocial - but not having to create a new account. Oh, and I own the data (Not the AppData of course though).
We just implemented Persona across all our sites and are very happy with it.
We did it in a way that's completely independent of our normal email/password login as well, but integrates seamlessly. That made me really happy, as the reliability of our system hasn't decreased a bit.
The Persona team was also really helpful, though it turned out we didn't need much help implementing it.
While I'd like to agree, I'd also like to see something beyond anecdotal evidence on this. It'd give me a great excuse next time someone wants a Facebook login and a Twitter login and a Pinterest login [sic] on the same site.
100% agreed -- anecdotal blog posts should not be up-voted to oblivion simply because the community at HN agrees with them. (Though I find it ironic that such a technical community doesn't consider lack of data in arguments like these an issue.)
I love the concept of Persona and hopes it catches on. One question I can't seem to find the answer to, though.
Users are allowed to have multiple emails tied to one Persona account. If they login to my site with one email I will see that email address and can bind their account data to it. If they sign in with their other email address, will I be able to identify them as the same person?
IMO, the whole point of tying multiple email addresses to one Persona account is to prevent websites from figuring out that both addresses are tied to the same person.
This is very important when you're trying to build an identity system that you want every website to adopt. Users want to split up their lives into distinct identities (e.g. one for professional settings, one for friends, one for family, one for a secret hobby...). A viable identity system should allow people to manage such identities with ease and switch between them at a moment's notice, without letting anybody else find out that @lubujackson on HN is the same person as @blowjobs on a porn site or a member of an unpopular political movement. Even if somebody carefully compared HN databases with the porn site databases.
Having said that, people do change their email addresses a lot more frequently than web devs assume. When this happens, they need to update their profiles in every single website where they used the old address. It would be better if my identity were linked to some sort of key that doesn't change, rather than an email address. Likewise, if there is a proliferation of Persona identity providers, some of them will inevitably go out of business after a while. It should be very easy to migrate one Persona account to another.
Persona identity providers should be the email providers. If the email provider goes bust, then that identity is lost. If they only stop supporting Persona, then Mozilla steps in and supports Persona on that domain. I think it's quite an interesting approach.
Alternatively, what happens when someone graduates, changes ISPs, a domain name expires, or they get a new job, and someone later takes control of their email address? As concrete example, if you attend UCSB, you can easily get them to give you saurik@ right now on various of their servers I used to use for vaguely-official UCSB uses.
The problem with Persona is that they simply don't seem to understand that for real people, email addresses are just a convenience, not a canonical way to maintain identity. They also fail to see that even people like myself, who have carefully tended an email address for well over a decade, are not immune to this problem.
What is the alternative, then? That's the million dollar question. Even phone numbers, which have a large personal switching cost are ephemeral for many people. SSNs or other government mandated IDs are not acceptable. I see no better alternative.
First, you seem to have immediately disciunted standard usernames, which have flaws, but are not "fundentally flawed". Second, you seem to assume that the primary key has to be something the user even knows; I do not. My Facebook account has a number: that number will never change, no matter what I do to my email addresses or even if my Facebook username changes; that number, and that number alone, defines my account. I will be honest and say I actually did have that number memorized a long time ago, but for years now I have not known it, nor would 99.999% of Facebook users. The same is true of Google's account infrastructure (which even has much much longer numbers). When you use OpenID, you get back an opaque string, which can be arbitrarily complex and encode whatever is required by the federated identity provider. There simply are not fixed identity nodes for people: you have to make them.
Sorry, usernames are not identity providers, they do not cross system boundaries. Perhaps we are discussing different problems.
Facebook is one identity provider. I'm not comfortable having all of the Internet, to use a reduction to the absurd, dependent on Facebook. Persona is distributed, which is, for me, a primary requirement for an identity system.
"Sorry", but you just moved the centralized identity to a different location, you aren't magically removing it: in fact, you can't magically remove it, because there is no such thing as a universal canonical form of identity. If there was, we would just use that instead of all of these more complex forms of identity we build up.
In the case of the e-mail address, you are moving it to the person providing the domain name the e-mail address is on; this is thereby explicitly why I brought up OpenID--which you seem to have totally ignored--as it is also a distributed system but yet it doesn't force the incorrect assumption that Persona does (specifically, that e-mail addresses are canonical identification mechanisms for users, and so nigh-unto encourages opaque tokens to be returned).
Let's put this another way: you seem to believe that there is a way to assign a token to a user in a way that works for them no matter where they are. I believe that that entire concept is a fantasy. In particular, I believe the one that Persona chose, which you seem to want to defend, only works for a very weird subset of users that are technical enough to understand that others make this incorrect assumption, and then organize their lives around it.
In comparison, once you assume that there is no such identifier, you start asking how you federate the choice, and you end up with the idea of "identity providers". However, you now have no stable way of holding on to identity as you change providers. I maintain that is an unsolvable problem, and it should be treated as an unsolvable problem: the concept of an identifier that can cross multiple identity providers is, again, a fantasy.
So the result is that you now have to ask the question of what identifier is used within an identity provider. I maintain that e-mail addresses are a horrible horrible choice, as they are known to be something that the people who provide them are known to reuse, and they are things many users want to be able to change often. Instead, it should be encouraged to make the token entirely opaque, with a requirement in the spec that "this token will never get reused by any other user using your identification provider ever in the future". AFAIK, OpenID states exactly this.
And yet, when I go to log in to a website using OpenID, I can select Google as my authentication provider, and then log in with my e-mail address. Later, when my e-mail address changes, I'll be able to log in with a different e-mail address, and Google will assign me the same OpenID identifier for my federated login with other websites. You end up in a similar boat if you use the various OAuth flows that other companies use, such as with Facebook, then using an API to get the stable identifier (which for Facebook is a number).
Look: I maintain a website with tens of millions of worldwide users, and I only have federated login. I deal with the issues of federated login day in and day out. I deal with users from very diverse user communities, and I see how they treat their e-mail addresses (as sadly, Google will not let you change your Gmail address without getting a new account, so a lot of users are forced into situations where their identification changes when there was no real reason why it should have been required). When I look at Persona, all I see is a support nightmare due to a fundamentally invalid assumption.
A touch and flee commentary roughly touching many important aspects of identity management, with lots of assumptions with which I disagree. It'd take me a while to deconstruct all of them correctly, so I'll try to aim just for the most important points.
Your central point is that, for a given identity, there is a set of emails that map to that identity (N-1 relationship). Moreover, this set is itself volatile, as people add and remove emails to the set that maps to their identity.
There is no relation of one person to one email (it is one to many). This was approached during the discussion, and I believe you agree that this is not an issue.
There are cases where the relation of email to person is one email to many people. This was approached during the discussion, and it just invalidates the usage of group emails as identity identifiers (stuff like info@example.com). It does not preclude the concept of email as identity identifier. I believe you agree.
Where you have a specific point against the usage of email as an identifier is on the fact that the email is volatile. Volatility is a flaw, which must be worked around, but it's not a showstopper. Further, there's absolutely no evidence that a pure identity provider, such as OpenID, wouldn't be as volatile as email. It does not have the scale needed to prove non-volatility yet.
I think we agreed on the point about natural/surrogate keys.
We then briefly touched the question of identity provider (up to here the discussion was about the identity identifier). I think we agree that the provider must be distributed, hence your reference to OpenID (albeit the reference to FB, which I think was related to the point about natural/surrogate keys).
Briefly, in summary:
- The identity identifier must map one identifier to one identity. (ok for emails, ok for OpenID, ok for most auth providers such as Google or FB)
- The identity provider must be distributed. (ok for email and OpenID, ko for Google, FB and other social networks). Social networks are not acceptable because they are not distributed enough. Were there as many social network providers as there are email providers, on a on open ecosystem, where users could run their own social network on their own domain, social networks would be acceptable.
- Identity identifiers must be memorizable by users.
And here, on this last point, is the crux of our disagreement. You are of the opinion that, since emails are volatile, users will forget their previous email, or discontinue its service, and will be locked out of access to their indentity on services tied to the email. I am of the opinion that users will never remember (or include in their daily routine) yet another identity identifier (the OpenID URL, or any other identity specific service).
The fact of the matter is that space in consumer minds is limited (heck, marketing is a whole field of study on grabbing a share of consumer mind). Being limited, you have two options:
a. Aim for the ideal scenario, go for OpenID or other pure identity provider, aim for theoretical perfection, and risk no adoption because users can't be bothered to use it; or
b. Use the one identity that already exists, that users already remember, that almost fits the bill, and work around volatility, the only big hurdle, by having the ability for users to change/add/remove emails (identity identifiers) associated with each account. This is the approach of Amazon or Linkedin, for example.
Aiming for a), while theoretically optimal, introduces the failure scenario of users going for the other identity that already exists in their daily routine: Facebook/google accounts. This is a catastrophic scenario.
Optimum is often the enemy of good.
Look: You brought a smile to my face with the reference to a tens millions of users site. It's a vain appeal to authority. I also manage a tens of millions of users site, with both federated and native authentication.
First, nothing in this description/recap touches on my original complaint--the one that started my involvement in this thread and which was your first reply to me--that e-mail addresses get reused, and thereby are dangerous to use as your canonical identification identifier; you mention that they are volatile, but you fail to take into consideration that they are sufficiently volatile as to be lost and reassigned to others. I cannot tell if this was simply ignored or actively dismissed.
This is for two reasons: first, because they are tied to the DNS system, a system that is subject to political and economic issues. Tying the namespace of users eventually to the DNS system means that if a domain name is lost and then owned by someone else, that they are now in control of the identities of everyone associated with the domain name.
There is no reason this needs to be the case: a sane federated identity system, in my book, would solve this by tying identities instead to a private key that is stored by the authentication provider. Thereby, if the authentication provider goes out of business, their key would be lost, and would not be reassigned to anyone willing to pay $12.
Secondly, your fundamental disagreement is about the ramifications of a bullet point I never agreed with (as opposed to, seemingly, about whether we see eye-to-eye on that bullet point): I do not believe that identity identifiers must be memorizable by users, I believe that only the presentation identity must be memorizable by users.
To demonstrate the difference, I am 116098411511850876544@google and 3614794@facebook. However, despite the fact that I log in to numerous external websites using these authentication providers, I have only at occasional times remembered the shorter Facebook number, and I have never remembered (nor do I believe I would ever remember) that Google number.
Yet, all I need to log in is my e-mail address. Yes: I end up using my e-mail address to log in. However, the concept of my identity is not stored via that e-mail address: that's just one of the many things associated with my account at the authentication provider, and it will change over time. I could use any other identifier, including crazy ones like "what were the last three things you did on this website, and give us a list of at least five of your friends" (which is similar to something Skype once used to verify that I was the owner of my account when they thought it had been hacked by someone trying to steal my credits).
In fact, despite being one of those weird tech people who have actively avoided changing my e-mail address in nearly ever, I actually have changed my Facebook e-mail, as originally Facebook was for students only. Therefore, my account was originally connected with saurik@umail.ucsb.edu.
However, I later changed my account to be attached to saurik@saurik.com, which I consider to be "mine". Then, at some point later, long after I graduated, UCSB removed my access to my old student accounts, and I'm pretty certain will happily give them to others. Of course, this means that for any website that considers e-mail addresses to be related to security or where it can be considered a canonical store of identity (although I maintain that this second category is actually very rare: only Persona seems to make this mistake) that I may have forgotten to go find and update, I'm now screwed: someone else can access my account.
Now, when I log in to Facebook to third-parties that I previously logged in to, they still work. They still work, because Facebook, unlike Persona, did not ever use my e-mail address as the canonical definition of my identity. None of the tons of websites out there that I've ever used Facebook with ever even saw saurik@umail.ucsb.edu, and if they did it was metadata associated with my account: it wasn't "my account".
This is a critical detail. The different is enormous, and is especially noticeable due to the way Persona is designed, where you don't even really need an active third-party to manage your identity, and are instead supposed to be able to just magically use any e-mail address: some e-mail addresses would suck even worse than others (example being my UCSB address), but any e-mail address is something that is volatile.
You need that middle-man, even when you are federated such as with OpenID (or via OAuth with random APIs for identifiers), in order to isolate the volatility of e-mail addresses from the people handling federated login. Otherwise, you end up in federated hell, where every time a user changes their e-mail address instead of contacting one party, they have to contact every party, defeating the entire point of single sign-on.
To take a concrete example of this, I received a support e-mail from someone saying that they are changing their e-mail address redacted12323@gmail.com (yes, with a random 5 digit number at the end) to redactedqredacted93@gmail.com. As Google internally does not understand this very argument that e-mails are something people want to be volatile refuses to let you attach or move around Gmail accounts to Google account identities, this means that their identity on my site changed, and I had to reassign them. I did this, and seriously two days later (today) I received an e-mail saying that they have lost access to redactedqredacted93@gmail.com and now want it to be redactedqredacted94@gmail.com.
In contrast, when a user changes their Facebook username (which is equivalent to changing their Google username, and changes their @facebook.com e-mail address similarly to their @gmail.com e-mail address), they don't need to even think about how this affects other websites, as Facebook doesn't map e-mail addresses back to the identifiers that they return: they return an opaque number. This is glorious: they get it; they make the value of federated login actually be a benefit for users and for websites. Some entities in the system (and not just one: hence how Facebook, Yahoo, and Google can all provide this service) can thereby specialize in maintaining and controlling identity, and other entities in the system can spend all of their time consuming identity.
This means that the user has to do less work, and the website has to do less work: win/win. In your scenario, where the e-mail address is canonical, the user has to go to every single website and update their identity, and the websites have to provide systems to let users do this (which isn't even something that cleanly automates given that almost every time people bring this kind of issue up to me, it is because they no longer have access to the old account, and thereby can't use it to authenticate at my site anymore).
At this point, you might now argue that "well, that's OpenID, and OpenID failed". First, it isn't clear why it failed: Yahoo claims from user studies that it failed because the UI for it was so horrible, and that made a lot of sense to me. They even recommended a potential solution to that problem, and its a solution that I don't think is inherently worse for anyone than Persona. It certainly isn't clear, however, that Persona makes any sense. I in fact just tried to use Persona, and I found it horribly confusing; and in the end actually haven't succeeded in logging in to the website in question (at some point in the flow I seem to have caused a persistent error that now won't clear). It certainly was more complex than using "classic" federated authentication, and it seemed like that complexity was directly related to the website in question having to go further out of their way than they did with previous solutions to abstract the identification tokens (my e-mail address) from my account.
Finally, my point about the tens of millions of users was not in regards to an appeal to authority: it was a defense to the actively condescending tone of your "sorry", which I found to be downright belittling and inappropriately unrelated to my arguments (hence the "look" at the beginning of that clause). That "sorry" you added is a rhetorical construct that does nothing other than to annoy your opponent (hence my repeating it back to you in quotation marks for emphasis to demonstrate that "I noticed"). Think of it more like you patting my head and going "kid, I don't think you understand" in an attempt to turn my youth into an argument point, and me feeling the need to say "look, I'm over 30, I'm not a kid anymore". I found that "sorry" so bothersome that I will be honest: I was downright shocked when you were willing to even go down a point-by-point argument rather than just turning more rhetoric back at me; I was absolutely certain you were just going to flip me off again in your reply to my further-argued comments, although I guess I sort of feel you did anyway by calling me "vain"... :( I am not certain why you feel like belittling and insulting me directly (as opposed to my arguments) is a logical argument path :(.
The "Sorry" had no ill Intention. My apologies if I conveyed the wrong meaning.
Anyhow, I now fully understand your position. I still maintain my point, and further discussion would only be useful if accompanied by beer. All in all, it's the ever present tug between theoretic perfection and real world constraints. It's doubtful this back and forth would ever reach an acceptable compromise.
Users always complain about social logins. On iOS apps that I've built, I've found Facebook login to have something like a 50% conversion. I'd be curious to hear whether or not the conversion is improved by using Mozilla's Persona product. Is the only sales pitch here that the login is managed by a non-profit organization?
Not sure how that makes this a better product overall. Can anybody clarify?
Major difference: Social auth outsources your user table. Persona outsources your password column. You still have your own users, and you still have a portable identifier for them.
What's more, Persona is built as a fully-decentralized architecture with a temporary centralized fallback. That means that one button can support all users, via their email provider's native authentication mechanisms (in the future) or via Mozilla's centralized fallback (for now).
I don't understand your first point. How can you have an app function without a users table?
The main issue as I see it is just the baggage that comes with a private company login. For instance, Facebook login raises questions about what Facebook will do with the login information, and also what the site will try to do with your Facebook data and permissions. Those questions will increasingly become a concern for everyone, but beyond that some people have opted completely out of Facebook because they find it actively harmful and so they are excluded a priori.
Persona is simply a login mechanism with the users interest in mind. People may take or it leave it, but it will be on its own merits rather than being overshadowed by needlessly related general concerns with a third-party product.
This lets you use Persona to authenticate to non-web services such as IMAP, SMTP, SSH, NFS, CIFS, etc. We (or should I say, I) are pretty excited about it!
Just a random data point, but one of my apps with a definite non-technical demographic gets 97% of logins via facebook, 2.5% via twitter, and 0.5% via email/password registration. I haven't tested it obviously, but I don't think removing Facebook login would do much for conversions.
There's an "evil" incentive to have social logins such as Twitter + FB. It gives you a free access token, which can be extremely useful, especially if you're building a social media analytics service, or some sort of tool that requires making API calls.
"Lesson 2: Social Sign-in is Better Than Email Sign-in
After dozens of failed A/B tests to improve the conversion rates of our landing page, we came up with the idea to enable social sign-in (i.e., signing up for a Buffer account and logging in using your Twitter, Facebook or LinkedIn account).
After all, Buffer is for posting on Twitter, Facebook and LinkedIn so it only seemed logical that our potential users would be able to quickly and conveniently sign up using one of their existing accounts."
This is exactly what I said to Ben when we implemented Persona at PlayCanvas.
Social logins might be OK if you are making a photo-sharing app or a social newsreader, but if your business relies on _companies_ signing up, my suspicion is people won't be comfortable signing up with their Facebook account.
We wanted the benefits of a secure login system without all the social baggage. Persona provides that. Though we also support Google OpenID as lots of people already have a GMail or Google Apps account.
As an aside, I won't sign up for _anything_ using Facebook, I simply don't trust them or the app not to broadcast my every move to people.
I really hate when my identity is provided to me by some third party. It universally applies to both social networks and Persona. I don't like the very idea of leasing my own identity.
This said, I really wish Persona project will fail as much as possible.
I only hope there'll be a day I'll finally truly possess my own network identities, and third parties (social networks, email providers, etc) will act as notaries who just assert them for others to verify.
> I only hope there'll be a day I'll finally truly possess my own network identities, and third parties (social networks, email providers, etc) will act as notaries who just assert them for others to verify.
If you have your own domain name, that's exactly what Persona does. The protocol is completely decentralized. Mozilla only provides a fallback for domains that don't support Persona.
I believe domain names are still inappropriate for identities. Even XRI i-numbers was a better idea.
One just can't own a domain name. It only can be leased for a limited time, for a price, and even then, at least in some TLDs one can't be sure the lease won't be revoked at someone's whim. There's no real difference whenever one leases email address from a provider or domain name from a registrar.
Maybe I'm overzealous about it, but I really wish to be the source of my own identity and posess it like I posess my GPG key.
I had high hopes of seeing data and research (no offense, TechCrunch) to support this claim. I'm in the camp of not liking social authentication, especially when it's the only option, but I'm also a sample set of 1.
I agree very much with this. What I do is use "dummy" facebook, google, email etc accounts to log into sites that either require social logins or make it easy to try with social logins, but that I don't trust yet.
I am generally suspicious of sites that require or "encourage" logins with social details.
I'm 1Password user. I dont' have to trouble anymore with logins nor selling my ID to Facebook, Twitter or Google. I only use social on those apps where the owners think you only need Twitter/Facebook as the option to use their apps.
"Users don’t like social login" should actually read "Some people don't like social login in some contexts - other people like it, or even prefer it, in others".
At least that's what I've seen in user testing... but that's not as interesting I guess.
With regards to the last point - privacy from your identity provider -- isn't that somewhat moot for most sites as they have those facebook/twitter/google+/etc share/like/plus icons that report back anyways.
The point about having multiple providers and forgetting which one you used rang true to me. My gotos are twitter, google, or github and it seems I change based on the type of app I'm connecting with.
Surprisingly companies are finally realizing this. Like companies really thought people would not care to give away all their 'social' unneeded information for some random x or y service.
That is absolutely true, or at least I think it is. The single best thing we did it to allow our customer to do a purchase without being logged in.
If the email address entered on our checkout page is already in our database, we link that purchase to the relevant account. If the customer want to login, they can, if not, that's cool to. We get a lot of wrong matches which needs to be fixed, but that seems to be a price we can and will pay.
We have had customer adding orders to other people accounts, because their email address was entered wrong ( even though we require the customer to enter the email twice. ) and we have customers ending up with multiple account that we need to merge. Despite all the problems, customers love not having to log in before doing a purchase. It's hit and miss in a few cases, but we try to do what our customers expect, matching their purchase to their account, regardless of login credentials. That's what consumers want.
We did the same thing with one of the sites at work... You can make a purchase without login, and the related emails to a given order includes a token so you can see that order's status without login.. If there isn't an account at that email, we generate one with a few space-separated random words, and email the user... password recovery is email only and pretty easy. All in all, the user experience has been pretty well received.
Now that I've seen this in practice, it would be my preferred way moving forward. It didn't/doesn't take that much effort to do things this way. The bigger issue is in the occasional phone order our demographic is mostly men 50+, so some genuinely don't have email.. we use an internal address in that case...
My favourite online tea store does this too, and it's one reason I ended up eventually creating an account with them. anybody who dies this automatically gets a credibility boost in my eyes.
I learned today that StackOverflow (and company) have responsive support persons who respond via e-mail, that will help you recover and merge your cookie-based StackExchange accounts if you've lost access and there is sufficient evidence that they belong to you. (I thought I had registered the account under the myid.net provider (who is now defunct?) but no.)
That has to cost a lot of money. With the dozens of ways you can authenticate with StackExchange, I don't know why I was surprised to learn I had previously created an account without actually creating an account, but it was so.
Also, anyone who reads Korean can tell me if this says "sorry we're closed"?
What is infuriating about the stackoverflow sites is that they treat each site separately so you end up with multiple logins across the "network" that you really don't care about. Then they do that annoying thing where they display the page, then detect you are "logged in", and then tell you to refresh.
That site is very good at Q&A, but UX wise it's terrible. It's as if they've only ever tested it with their own devs, and never done any real hallway or external usability testing.
I've tried to participate in their "meta" site, but the pedantic and condescending tone there is even worse than it is on the main sites.
Furthermore, Atwood seems to take the success of the platform as a ringing endorsement of all its characteristics, as evidenced by the recent commentary on user experience and the development of his forum.
Bob Martin's recent "And I'm very sorry that when you finally brute-force your way to some modicum of success that you will credit your bad behavior, and recommend it to others" has sprung unbidden into my mind once again ...
This seems likely. Still, with a bit of planning they could have gotten around this. Everything dealing with identity could have been served from a single domain. There probably would still have been issues, but they would have been resolvable.
Yes! I hate it when I have to register for a service, wait for the email activation link only to find out that I that the service isn't for me. Then I have to delete the account and wait for emails to come to unsubscribe to those.
Even worse is that many times you can't delete your account, or if you can, it's just a soft-delete -- and now that site has your email address (at a minimum), and sometimes may have much more information about you.
Call me paranoid, but I think "deleting" your account has the potential to actually do more harm than good, since in doing so you are voiding any agreements or terms that you had previously agreed to, including those that promise not to sell or otherwise abuse your info.
I use mailinator for pretty much every site that wants an email address. Pick an obscure enough address and your risks are minimized to practically nothing but you get all the convenience of "deleting" your account simply by never thinking about it again.
The simple fact that one would have to jump through so many hoops just to try out a new service means that the system is broken.
It's like making you buy a car without allowing you to take it for a test drive. At least the reasons for photocopying your license before taking a test drive are understandable.
I have a domain with a catch-all address, and so I just makeup addresses to use on the spot, but I know people like me and you are in the vast minority; none of my non-tech friends and family would ever do this. Also, sites like mailinator are often banned from sign-ups.
I actually have a domain like that too. I just like mailinator because I know I'm never going to want their email so I don't even have to put in a rule to block out.
On a related note, some spammers have really done a number on me. First they impersonated thousands of addresses at my domain in the form of xxxxxx@mydomain.com where x is a hex digit. This is despite me having DomainKeys and SPF enabled. So not only did I get a lot of bounced spam to my catch-all, the spam that went through ended up in places that other spammers picked it up as a valid address so now I am getting spam sent to those randomized addresses.
At first I figured I could put together a rule to block all hexadecimal address of six digits but it turns out that at least another round of spammers started using the full alphabet and variable lengths.
I've come to the conclusion that I'm going to need to include a cookie in the addresses I use - so instead of dropdox@mydomain.com and amazon@mydomain.com it will be something like DOQ.dropdox@mydomain.com and DOQ.amazon@mydomain.com - addresses without the cookie get binned. But that's not going to help with all the addresses I've used over the last 15 years, and haven't kept track of.
I know this will not work everywhere (not everyone implements correctly the RFC's regarding e-mail) but if you have an address, you can make up addresses on the spot by using the + notation
eg messages to myrealemail+mytag@gmail.com will always be received by myrealemail@gmail.com
I too have a domain with catch-all, and I do that rather than using the + notation, but it's something you can teach your friends who would never do that.
Yeah, I'm counting on e-mailers to send mail to the address I give them. No, I don't expect folks to send me spam unsolicited, or sell my address when I give it to them. I don't consider my name or e-mail address to be secret, and I'm also counting on anyone who sells my contact info to be doing it in bulk, not paying enough attention to strip out +tags, and by passing the address to spammers unaltered (or losing control of their database), give themselves away when I start receiving spam at that address.
Honestly I don't use the feature very often and I had not considered it to be a security measure before. Maybe novelty is the right word.
If I give myaddress+dropbox@mydomain.com to Dropbox, and they mail me from different addresses, I would be able to catch them all and put the "Dropbox" tag on them all, rather than having to make a filter for *@dropbox.com or some other extraordinary measure for classifying their mail.
It's part of the RFC, and supported by every mailer that I know. What part of this technique seems like obfuscation?
I guess that's the disconnect, because I do consider my email address secret -- since it is 1/2 of the information required to access my Google account, I take great measures to make sure that outside parties never see it (as best I can). If I can prevent any site from ever knowing that address, then my chances of being targeted (phishing, brute-force, whatever) are drastically reduced.
So, if you only use +tag for your own personal organizational purposes, then have at it! But if your goal is to conceal your account ID with Google in the interest of personal security, then you really need a better angle.
One could use something like a copy-and-pastable session/state string/encoding (that a user should keep secret, if secrecy is important to them) at the bottom of every important page that a person might want to return to (rather than in the URL or the invisible, and therefore unmanageable, cookie). If they care enough to save it, they have an account (ex, they don't have to fill in their shipping info for the 9th time...). If they don't care enough to save it, it can be automatically deleted after a period of inactivity. (This was a common solution to "saving state" in older video games without persistent memory. It wasn't "too complicated" either. People used it, if they wanted to get back to that difficult boss level.)
A login is a continuation, or a state/session key. So is a link/URI. There's no need for a mandatory "account" just to be able to pick up where you left off, even if it's to continue checking your email. (Though one could opt-in to further "protect" pages with passwords, biometrics, non-invasive mucus swab samples, and so on...)
As hard as remembering different passwords for different sites is for the end user, I really think it's about time the user took a step toward meeting security and engineers in the middle.
Did 20th century humans think key rings were too complicated? Why are we implementing tokenization, one way hashing, etc. when the end customer can do this much more securely? Oh yeah, we'd like to get at their data when they're not around..
Exactly. But sadly you're in a tiny minority of people thinking about the security implications. Most developers don't: which is why we're having countless OAuth exploits and whatnots.
Schneier wrote a long time that anything too complex cannot ever be secure. That's the case of OAuth and of many federated/unique/single sign-on logins.
I doubt users really care about what type of login they use. Instead, users are starting to associate social logins with spammy bullshit, federated identity marketed shitfest of Web 3.0, built on the SAML/HTML5-based Intelectual Property and right forfeiture platform.
I actually do not login to website that asks me login either using Google a/c, Facebook or so. Twitter being an exception because everything at Twitter I've anyway made public, but I hesitate still.
That's a strange opinion to have though, because before doing login through either of these services, you will be asked if you want to give that app permission to certain parts of your account. For example, I might have you log in through Google to verify your email and I don't see a reason why you wouldn't let me see it; you've already shared your email with my app to register an account in the first place.
Most of the website, do not just ask Email. Most ask other info too, like my DOB, full name, Other Profile information. And when I say I "do not use", I am talking about the first time logins of course. I don't really know what kind of a website it is, legit or just a vapour. And I do not know in advance what information it will ask.
Take the example of The Old Reader, till recently they wanted to take control of your Contacts too(along with Reader; now they don't). I knew it once I was at past the Google SigIn page(and I aborted right there). It was frustrating even for those few seconds. Many do this.
So, I have given up on them altogether.
I mean I have OpenID accounts set up especially for this with the data I would like to provide for this. There Mozilla's Persona(it's Identity Management System)- etc. Why not use these?
And do not even get me started on Facebook. I don't open a website again if the only way to login was via Facebook. Paranoid? No, rather pissed off. (By the way, whenever I tried using Facebook logins the above mentioned problems surfaced only in bigger multitude).
Because everyone has Google, and the lowest setting on Sign in with Google+ contains some personal information from your account, including things like DoB, Full name, etc. Google recommends OAuth2 over OpenID for authentication, and I'd rather be using the service Google supports the most in order to provide the best experience to users.
Just because you use OpenID and Persona doesn't mean that the majority of people will. But the majority of people will have a Gmail account, or a Facebook account.
The biggest problem with "social login" ain't about advertizing companies like FB and Google having all your infos.
The biggest problem has actually nothing to do with social: the problem is security of all these single-sign on / unique ID.
We're in 2013 and hardly a day goes by without a major security exploit found affecting Rails, Java, OAuth, Flash, etc. There are so many botnets out there that sites we rely upon for our daily workflow are getting taken down (GitHub)...
Yet people don't talk about security. They don't even mention it. Not in the TFA. Not in this thread (besides two insightful comments).
As long as people will keep thinking that they can put all their eggs in one basket online and "really really have this basket by hyper-secure" we're gonna be in big trouble.
It doesn't help that several people on HN are selling snake-oils products "put all your passwords in this unbreakable app, we guarantee you nothing bad could ever happen".
> As long as people will keep thinking that they can put all their eggs in one basket online and "really really have this basket by hyper-secure" we're gonna be in big trouble.
That's why Persona is based on a federated protocol: it's designed to spread your eggs across many baskets, and it even lets individuals bring their own basket.
I use Persona on my costs-real-money subscription site[1] and I'm very happy with it. Integration was easy, the user experience is pretty good, and it's been stable and reliable. The best thing, of course, was not having to implement my own password-management infrastructure, which saved me a ton of time, as well as insulating me from the hard security problems that come along with such a beast.
If you decide to try Persona, I heartily recommend it. There are a couple of gotchas to be aware of:
1- On iOS, only Safari works due to Persona using a pop-up window for login. People using Chrome on iOS will get a confusing "relay frame not found" error.
2- Signup flow could be better. When users create an account, they get a confirmation email. Clicking the link in that confirmation email redirects them to the Persona site, not back to your site. It's possible this is configurable and I haven't figured it out yet.
3- Persona emails are case-sensitive. There's some rare issues that occur as a result. At one point, it could crash the login, but I believe that's been fixed.
Don't let these flaws stop you, though--Persona is very well done and constantly getting better. I've had hundreds of people sign up for paid accounts and only two have had trouble to the point of asking for help. (And nobody's cancelled their subscription because of login problems. :-) )
[1] Let's Code Test-Driven JavaScript, letscodejavascript.com