It's unfortunate that signing up via Facebook or twitter or some other OAuth method gives people such a creepy feeling. It sure is a lot more convenient for everyone involved: don't need a password, no email confirmation, sometimes it's one click and you're in.
I feel like Facebook screwed this up for everyone when people's feeds were covered with apps their friends were using. Now when a site asks you to authorize it with facebook, users don't feel like they can trust what it's going to do.
We had this discussion when we were talking about web based IDEs here on hn the other day (can't be bothered for the link). I like oauth, but I hate clicking "sign in with {Facebook|Twitter|Github}" and then being asked for a user name and email address. This is redundant and nonsensical...
Most app people are very happy to immediatly use the account email to send you stupid personalized followups, aka "Peter From Lame-App".
If it would be "click, see and forget" - OAuth signup would be great, but being required to accept spam really breaks the deal. I am not sure if too many people share that feeling, but it really bugs me.
The issue you point out with aggressive App spam on facebook is different with other services, I feel. Twitter Apps usually ask whether they might tweet something in my name. So I believe you are right, facebook might have screwed this up a little.
I'm working with OAuth right now and the only info that I'm not being given that I have to ask for is an email address when the user uses twitter. Twitter doesn't give you an email address, and you cannot ask for it, so the only option is to ask for it. Which makes things harder on my end.
It really feels redundant and makes me wonder what the Twitter team was thinking.
As a user of these services I can stay that I am very happy about this *(I didn't know, but somebody here on hn claimed github auth did the same thing). This is exactly how it should work. What on earth is your excuse to really need my email address? I am sorry if I sound rude, but this behavior enrages me somewhat.
If you wish to track data that is connected to my identity, i.e. provide continuity in your service, store some stuff that I made, settings, preferences, you don't need my email address.
If you really wish to communicate: Talk to me on twitter, it's nearly public! With oauth you receive a token as a representation of my identity, not my email address. If you really need an email address - then why do you need oauth?
If I go to a store to just browse through the shelves I don't have to give the clerk my telefone number. Why would he need it anyway? To annoy me every once in a while and bully me into visiting his store, which I voluntarily entered in the first place?
Here is a positive example:
- Go to iron.io
- Log in with your twitter account
- Nothing happens: You can use the app and they show you around pretty nicely.
Yet Iron provides a service upgrade, which requires credit information. They ask for it, specificly when they need it: When you want more from their service. In that case you have to provide them with the info.
This is how websites could handle this issue. Log in with oauth. If you REALLY personally need to contact me, then you can ask me later. Not upon login or to distinguish me from other people or provide continuity.
Emails are communication handles. They shouldn't be a poor man's surrogate database primary key.
I remain very curious: What does _your_ service need my email address for?
A user deletes their Facebook or Twitter account. I don't have their email address. They try to login and can't. They have to now email me and prove to me which account is theirs so I can reset the password, give it an email and let them regain access.
The account may be a free account but it can still contain data a user wouldn't want to lose. Ensuring from the get go that they can recover their data just makes things easier.
Regardless of how legitimate you think my usage of email addresses is the inability to even ask for it _is_ a downside. For those use cases that do require it immediately you now have a system where the user clicks the 'Login without filling in a form' button and gets thrown to a form anyway, which is exactly what we were trying to avoid.
Well yeah, a crime - or should we say contravention - that we are all guilty of at some point in our professional lives.
Depending on how many users his service has, this could be a significant amount of work, even though the absolute probability of it happening is very low.
I see, you are asking for the email address, so that people can unlock their account in case they delete their oauth token provider (i.e. their tw/fb account), did I understand that correctly?
But do you have to do this whenever a completely new user tries to access the website? Is setting up an alternative access method not a very different concern?
Similar to how google asks for a phone number eventually as a back up convenience in case you get locked out, would dong the same with email make sense? That seems like it would build trust and give the user control over their own risk.
Because years of anti-phishing training has taught us that typing their FB password in the wrong place gives out complete control of our FB account.
So the only safe thing is abstinence. Don't type your FB password anywhere but when logging in directly to https://facebook.com
As you say, the whole point of OAuth is that you can safely use your FB account to log in to this other site. But -- to take this metaphor even further -- each time I encounter one of those things I always feel like a teenager being pressured into sex and being told "don't worry, this is safe, I promise, I love you." And I simply just don't know.
I'm confident I could recognize that www.facebook.com.scottba.io isn't Facebook, and I could probably train my parents on how to recognize that. But there has been extremely little user education on just what a "safe OAuth" site looks like. It's now putting an asterisk on all the old rules.
Theoretically, if you are using OAuth facebook login, then on the page you are prompted for a Facebook login, you should be seeing facebook.com in your browser location bar, with the trusted https "green bar".
But I realize this kind of anti-phishing checking is beyond most users, and "Just don't enter your facebook password anywhere but when you are logging into facebook" probably IS a good heuristic for them.
I also don't know if some facebook oauth login paths use some kind of fancy ajax window-in-a-window so you _don't_ actually see facebook.com in your address bar -- which would make it pretty impossible for users to know if they're being phished or not.
> I also don't know if some facebook oauth login paths use some kind of fancy ajax window-in-a-window so you _don't_ actually see facebook.com in your address bar
This can never happen, because of the situation you highlighted. Most browsers do not let you do that anymore.
The site could be faking the chrome so it looks like a separate pop-up, when it's actually just a div. Most of us would smell something wrong because it wouldn't be quite right but you could get reasonably close for non-developers.
I went looking for sites using facebook logins and found this one just as the first unlucky example: http://www.nydailynews.com/login Once you know the browser and OS, it wouldn't be too hard to get something mostly like that pop-up into a div.
Even if they realize there is a consensual relationship going on between newsite.com & facebook, people don't know what's going on. Does this give newsite.com the ability to see my friends? Spam them? Does this give facebook access to my newsite.com stuff?
Is 'sign in with google" like that time linkedin had access my gmail and spammed everyone?
I think that's a grayer area than phising and something more people have actually been bitten by.
Not very often, let's say 20% of the time, I decide that the signing in some site to comment on a blog or create a quasi-account using Facebook is unlikely to be a privacy problem: I'm willing to give site X my main email address, even to receive newsletters and commercial offers.
At this point, Facebook asks me to share my friends list (often much more) with site X: the only rational response is scrambling for the "close tab" button in the browser and writing off site X as untrustworthy jerks, because they dared to ask for unneeded personal information.
Creepy feeling. Well guess what: apparently something that you say on FB which anyone finds offensive can lead to your FB account being disabled, without warning or official way to appeal.
Now tell me again, how convenient is this global login that can at any time disappear from under your feet?
GMail is mostly used for e-mail, which is something of a private conversation between (usually two) people. Facebook posts are quite the contrary: public, visible to the world at large, plus the users are actively encouraged to flag items they dislike. Now don't get me wrong: this is quite necessary for a social network - but using the same social network as the Universal Login For Everything is where this very feature becomes the SPOF.
Also, whereas GMail is not inclined to police the morality of its users, FB is. Not the same as data-mining, not the same as "legality" - for example, you have repeatedly used a word that FB retroactively considers a bannable offense, say goodbye to your account; or you have, a long time ago, posted pictures that are considered indecent under the new rules; or enough other users maliciously coordinate to flag an innocuous item of yours - and the banhammer falls automatically.
Moreover, GMail != e-mail: you are completely free to register with any of the bazillion e-mail providers, there is no need to use GMail; as for Facebook, there is only one.
I don't user Gmail either, partially because I just think the UI is terrible but primarily because I don't want another company controlling access to my email.
Also, a single point of failure. A social network goes down - oh well, not much of a problem. Your users are locked out of unrelated functionality - now what?
It's not unfortunate. People use the internet in different ways because they're different. Today I got an email from Atlassian, saying "Your repository, blog, has missed you." Some people will think this is great. Some will be irritated. I was amused by the anthromorphication of a file structure in an attempt to lay a guilt trip on me in order to bump numbers for the expected IPO. Bitbucket is just a tool in the toolbox. I've got a steering wheel puller that I bought when I had to replace the ignition cylinder of my 1974 Monte Carlo. I haven't used it since 1986. Heartless? that I am.
So color me skeptical. It's good that I don't use Facebook or Twitter to log into your site. They successfully filter me out from the sort of site designed by people whose business needs are met better by social login. Yes, it's not you, it's me. I am only hindering your growth. So fly away freely. Come back only if our true love was meant to be.
Segmentation is a good thing, so long as it's recognized as segmentation.
I would like a minimal identity provider, i.e. something like BrowserID where you can create throwaway identities that is not associated with any social presence.
I used to think that this was an ideal space for governments, or some semi-public organization. Identity as a societal service, much like running water and electricity and highways.
But then Snowden dropped by to tell us that we can trust our own governments even less than all these companies.
I agree. I think the creepy feeling comes from the potential threat to your private life... I know Facebook and the others are trying hard to make it clear what permissions are involved each time you sign-up but the fact that you have to check "ooh this one can access my friends list, I don't like that" is pretty unconfortable
> I know Facebook and the others are trying hard to make it clear what permissions are involved each time you sign-up
What they don't make clear is that Facebook is informed every time people visit (or in some cases, login in to) those other sites and can generate better profiles from that data, even sleep schedules, even for people who rarely use FB itself.
The thing is that in the absence of the likes of facebook you usually don't turn over your data and accounts. You just typically give them username: Somerubbish password: 123whatever and that's it.
No, I don't. I use a password manager. I promise I'm not being obtuse. That is what I do. I create an account, and add it to KeePass. Because I never know when I will need it later, even if I don't think I will.
I see apps trying to overcome this trust deficit by using phrases like. "We wont post anything on your feed" . "No posts. We promise". Even if it isn't a legal commitment, It might go a long way in convincing users. Especially if there is a brand involved.
Signing up via Google give me no creeps. The real annoying thing is that after you sign in with Google, when a website still wants you to "complete registration" by giving all the normal information you would have given at registration.
I guess for me, the reason why signing up via Google is not as creepy feeling inducing as Facebook is because Google gives you the option of putting on Google+ whether or not you sign in to a given website. The default is still to put it in your feed, but at least you can choose not to put it in your feed.
Also why should I connect some (possibly clingy and untrustworthy) site with my facebook account even if there is a fat chance that I use it for the fist and the last time?
Why would you sign into a site were that was possible? Maybe I'm strange but I don't create credentials (no facebook so that's not going to be used) on a site or for a service unless I've become sure that I'm going to use it.
If I have to sign in before I can see anything about it, I leave.
You seem like a soothsayer to me as you know beforehand if you will use some site regularly or not possibly even before accessing its functionality (which is applicable to many sites with login requirements).
No one likes registering for anything, that is pretty well known.
Getting users to do this though is part of my job and my job is often made easier either by auto-fill options in browsers and good form design.
URL based autho systems are pretty limited in their applications as anything on the other side would have to be of little importance. The security implications of such a system are massive...What if you need to log into an account and you use a work computer? Surely all someone needs to do is press ctrl-h(or access server logs) and visit the same url to gain access to your information.
People blame the third party app for being spammy, not nec facebook. I know I deleted apps in a rage if i saw one unexpected post on my feed. But i'm still a facebook user.
I wholeheartedly agree! At the time of the Adobe password leak, I was surprised to find that I had an account there. I'm not a heavy Adobe user, and certainly not a paying customer. So why did I have an account? I suspect I had to create one at some point simply to be able to download something for free. Requiring registration for something that's free is totally unnecessary. Now they had my password for something that didn't need one, and by leaking it, they leaked the password I also used on other sites that shouldn't need a password.
There's a popular Dutch site, datumprikker.nl (date picker) that works exactly like the author describes. No need for accounts; just a link and you fill in only the stuff that's actually necessary for the service to work. It's very popular for a reason: no hassle, easy to use, nobody has to register or sign up.
Just use mailcatch.com - you enter whatever@mailcatch.com as your e-mail, then check http://whatever.mailcatch.com/ to see your "inbox". Great stuff. Of course, this is only applicable if you don't care who uses the newly created account (because all such e-mail is public).
Website creators seem to not understand that when we register, we are giving them something of serious value - we are giving up our privacy. And I do not give that to strangers in exchange for nothing.
You don't necessarily lose privacy by making up a username and password for a site. You do lose some privacy if you use social sign-on or the site requires you to provide an email address that's verified.
My pet peeve is the arbitrary rules that sites now have for passwords. When I am registering for something I don't care much about just because I have to, my inclination is to use the same easy-to-remember password I always use. But the rules thwart this, and no two sites can agree on the same rules, thus forcing me to alter the password, and guaranteeing that I will not remember it.
Double that pet peeve with Yahoo Groups. No way to make an account without giving them your mobile number (fake number services/landline/Google Voice won't work.) Funny, do you really think Yahoo needs that info?
They could be trying to be helpful by using it for two-factor authentication or as a secure means of sending potentially sensitive information. The problem can happen when well-intentioned security advocates talk about how to increase security and Yahoo takes their advice at face value, without taking into account the needs of people who don't need or want increased security, but would benefit instead from decreased security.
"Could" but I don't think so. No land lines will work, which other 2FA providers support. Only mobile, which is almost as good as an SSN because of portable mobile numbers. 2FA is a crutch to get my mobile number. That, or the fact that every advertised workaround has been "broken" for several years straight in the Yahoo registration process is explained by Yahoo simply being inept.
It depends on the site; especially if I never wanted to register for it at all. It's their security I'm compromising. I don't particularly care if the account I made for some random product information website gets hijacked, that won't affect the important accounts which have different passwords.
I am amazed that you're downvoted, and so many replies are from people who don't think 2 steps ahead and who understand the consequences of their actions in aggregate! The compsci comprehension level around here appears to have gone down from competent programmer/tech savvy to...I don't want to say...
Let me explain to this viewpoint in more detail - I have a rather clear picture for the scenario where "one easy-to-remember password for large number of sites" is the proper action to take.
Thre are a lot of sites that want me to have "an account" so that I can do action X. That includes nearly all my passwords in my password manager. For every account that I want to be secure (say, my email) there are ten accounts that I don't want to have. If I want to do X, I don't want to have an account. "Having an account" is a cost - I have to remember the account's data (even the bit 'do I have an account on fancysite.com?' is a cost). If I have to have an account, I have no need for the account to be mine and mine only. If I have to have an account for me specifically, I have no need for it to be protected from others; but I do need to remember it easily - to avoid the inconvenience of creating a new account.
The site owners often make very different policies, for reasons that benefit them - but they are often opposite to the user needs. All the security problems related to the accounts are the fault of those people who required "an account" in the first place - the Adobe breach is a good example, none of those accounts shouldn't have existed in the first place; none of those people should have been asked their emails; none of those people should have been asked to choose a password. The stricter password requirements Adobe would have made - the worse that would harm the actually important accounts. The sole fact of Adobe asking large number of people for their email address and asking to 'choose a password' - that's a hostile attack that harms mass security on the internet (as the consequences of that breach); we should actively subvert such policies. If a site asks you for an identity more than actually needed (i.e., if they need to ship stuff then they need an address) or asks you for more authentification stuff (choosing passwords, security questions, etc) than you need, then that's [security-wise] hostile to you; if you like that site you can suffer through that but you should do the absolute minimum that fits their policies.
Ignoring client-side tools that hide the complexity, let's list some reasonable possibilities for user authentification for the actual accounts (where I explicitly don't care about others getting access to that account but I care about protecting other accounts) sorting them by ease of use (i.e., how I would like to 'log in' to the site), more preferred options first.
1. No identification or authentification at all. For many scenarios that's the optimum that we'd like to have, but it's prohibited by the site operators, so we're forced to go 'downwards'. #1 on ease of use; #1 on security (no risk to be a proxy for attacks on important accounts), #1 on privacy.
2. Arbitrary identification with no authentification - i.e., I pick a name/tag, and that gets used as a semi-unique handle. This allows semi-personalized communication (i.e., distinguish multiple commenters) or some persistence of data. For some scenarios, e.g., most of online commenting this is the optimal point. On some sites I'd want to 'build a reputation' by having a handle that's unique to me; but on most of them the hassle of remembering an account name is larger than this benefit, so I'd prefer to post with an unauthentificated pseudonym. This again is often prohibited, so we're forced to go 'downwards' or to not use such sites - all the next options are just drawbacks that users choose to take in order to gain access.
3. Authentification without identification - publicly available login data, such as the BugMeNot system. This attempts to go to the goal (#1) by sharing data, but again, those accounts often get prohibited by the operators, forcing us to worse measures further down the list.
4. Username/password - optimizing for ease of remembering. That would ideally be a single username and a single password for everything - i.e., the best password was no password (#3), the next best password is a single, simple, short password such as "password". Again, that doesn't work because [some] site owners have expressly prohibited it, so the next best option is a single, simple, semi-short password with a number of special characters such as "Tr0ub4dor&3" - so that it could actually be single and fit policies of a majority of sites. This approach sucks security-wise, as you note - however, the major security flaw for this is actually not the weakness of passwords, but the weakness of usernames - since the authentification doesn't matter for those sites, but this approach leaks and connects identities, which is bad on principle. However, without moving to things such as password managers which wouldn't work when you sit down on a random untrusted computer, I'm not aware of any better options that don't have this flaw; if there are multiple usernames/passwords, then something needs to remember them; and that something itself needs to be accessible with very easy-to-remember (and most likely completely insecure) settings.
5. "Classic" system of not-the-same IDs (to prevent linking them) and secure, periodically changed passwords that are unique for every site - that's not an option. For the large class of unimportant accounts, the total value of the account is less than the cost of that effort. The only way around this is by client-side systems such as password managers that can automate account creation and maintenance - so that while the "hidden" account is secure, the whole process from the user point of view behaves as one of the previous options. That is also a threat, since then (due to natural habits) people use those tools also for the important accounts, and that opens another source of vulnerabilities for them; in an ideal world I'd choose to have no authentification for the vast majority of places, and I'd be able to remember proper passwords (+2FA) for the couple things that actually matter.
"Too much trouble" is the whole point. The value of security for such accounts is approximately zero - if some solution doubles (or creates?) security but requires an extra click or two, then it's a bad tradeoff that simply shouldn't be done.
Why should people spend any effort at all to secure things that shouldn't be secured in the first place? Why should anyone remember a single bit of info or download an app or spend an extra keypress to protect an account that's already public in intent; but "private" because someone else wanted it to be private?
There are security problems if you use your 'throwaway' password for your primary email (as some of the people on Adobe list have done), but that's not the fault of the throwaway password, but in throwing away the keys to something valuable. That throwaway password should be something that's not a secret, as an equivalent to no password.
It should not even attempt to be protected - it's something that you tell your friends/colleagues openly (so that they'd not have to create their own accounts there, it's quicker to login with yours), post it publicly on the internet (again, bugmenot.com as an example), don't bother to change it years after some site has leaked it, etc. The password as such exists only because someone forces you to some tradeoff of "more security/less usability" - the only reason that the password is not, say, a 0-length string is that you're forced to do so, but there's no reason at all to go any further than the minimum.
For the majority of accounts that I have, the most appropriate level of authentification is not "a reasonable level", not "a minimum", but exactly zero.
I think new models and progress will have to be based on looking at the technologies available, such as cryptography and web protocols, and figuring out what are the best and most convenient systems you can assemble for various levels of security. For instance, a site can track your visits with a cookie, without your creating an account, as long as you use the same browser and the cookie doesn't expire. Cookies seem like almost enough for a lot of scenarios, except that you can't (currently) transfer them to a different browser and there's no standard way to distinguish the person that owns a cookie if multiple people use the same browser.
The value of security for such accounts is approximately zero
If I'm following your logic correctly, you might as well not go to the extra expense of vaccinating your kids, because the anti-vaxxers have already broken down herd immunity.
Even more valuable is that you are giving them access to you. They can now contact you whenever they want. I really detest sites that insist on registration in order for you to even work out what the heck it is they offer (eg access to SDKs, whitepapers etc behind registration).
You're not giving up your privacy by making an account and even if you did, it doesn't have a serious value. A few bucks tops, more likely a few cents.
This is definitely a solution to the registration problem; and metrics will probably back you up on conversion. However, a major drawback of this occurs while moving across multiple devices:
Peter (fictional archetype) might click through on his work computer; then go home, and might want to have another look at the site; however he won't have any recollection of his "personal URL", nor any way to access it. Peter will, at this point, perceive all his time investment going down the drain. He will either re-register (to be wacked on the head when he's back at work again), or refuse the site altogether.
Note this is different in Doodle's case, due to it's inherent sharing nature: people will email the link as part of the main process, so they're able to get back later.
One way to see how this affects user's lifecycle is measuring: 1, username only; 2, username + email; 3, username, email, password variants against eachother, across the entire user funnel: registration, main mechanics, retention (or length of lifecycle).
I think the combining the "no registration at all" with an optional "send me the link via email" is really nice.
Actually of the 5000 people who have "registered", more than half have given their email address... probably means people like optional stuff, I know I do.
Do you then store the email address after having sent the link to the user? Because I don't think people view it as "giving their email address", but more like "send me the link and forget that you ever saw my email address".
Storing emails would be a convenient way to send the link if the user did not send it from the registration page or lost it in the meantime. As a user I would love seeing this kind of identification and would probably set a email account only used to recover links and avoid sharing my main email account.
I think that your exception for Doodle's case is also applicable to this use case and many more: if you're creating a predict-a-score league with your friends, you're going to have to share it immediately.
I solved this problem (at http://tab.bz) by creating a fake account with a dummy username/password when a user first interacts with the site. All of the user's work is saved to that account, so they're free to do anything they like. When they "Register" we just change the email and password
An unguessable ID that designates some resource is called a (crypto) capability.
Capabilities are quite different from access control lists (ACLs). In an ACL system, the list of authorized principals is attached to the resource. Thus, sharing access to a resource requires updating the resource. For instance, if Alice creates a document and wants to share it with Bob, then Bob needs an account and Alice needs to add Bob to the document's ACL. In a capability system, the capabilities designate the resource and sharing the resource is as simple as copying the capability. In fact, Bob can also share the document (without copying it first) with Carol. In an ACL system, Bob would not typically have permission to update the ACL.
I've been hacking away at a hobby project in my spare time that implements this method. You can password protect the page, if you want, but by default the unique ID is publicly accessible. The easiest way to password protect it? Use your email address as the "password." It's also easy to create forks/snapshots using this method. If somebody makes a change that they don't like, or wish to test something themselves and not have their "default" page get crowded then they can share/revert to their one "master" ID, and use their other ID until it's ready. My use case is fairly specific (simple server monitoring tool), but sometimes there are better ways of doing things than the default go-to solution.
>The easiest way to password protect it? Use your email address as the "password."
yeah that would be cool. You open YOUR page and it asks for your email id. So you need to know the username (assuming that's what u make url from) and the email id. Simle two factor auth without annoying sign ups
I'm not sure I'd call that two factor authentication. Sure, there are two unknown elements - effectively, username and password - but I'm pretty sure the intent of two-factor authentication goes a bit further than that.
No, what this article states is that the author hates to register, and for their particular app, not registering may have made a difference in its adoption rate. That doesn't say much about the implications of registration for your business.
I recently launched an app that requires Facebook registration. I expected it to be a disaster, but a necessary evil for our first pass. I was shocked to find a conversion rate from opening the app to logging in of 95%; it's not hurting us nearly as badly as I anticipated. Measure!
Isn't his for a website? Is yours a mobile app? I'm guessing that since the user has already committed to downloading the app, and probably has FB clients on their phone it's easy for them to use FB oauth (since it's actually quite nice how that is haandled), they probably just want to use the app and are happy to sign in with FB.
Neither myself or the author presented a controlled study; they are both individualized experiences that may or may not be relevant to one's own project. I'm simply trying to say that the OP isn't gospel. That said, for the forcefulness of the headline, I would've expected much more data.
Social sign-in filters can be used to qualify customers.
That's basic market segmentation. Don't take it personally, but some companies don't want you as a customer. There are lots that don't want me either, if it's any consolation and you need consoling.
I don't really hate sites that require registration unnecessarily, because, well, I usually don't register, and until reading the article I always thought it was some combination of the bother of password management and a dislike for being tracked, I mean you know, if I didn't care about being tracked I'd just let my browser keep phoning home to the 1000's of tracking companies, and stay logged into Facebook and Gplus and hell I'd stay on Windows and use consumer grade AntiVirus software and the Ask toolbar that Adobe and Oracle like to install as default by default. Not caring should mean not caring, dammit.
But as I read the article I realized that it's really something else.
Requiring a user name and email means a trip to Epcot. It ain't Europe. There are hyperlinks and pages and it looks like the internet. But it isn't. The links will all be part of a sitemap. Registering is symptomatic of crabtraps: once in, the only way out is back the way I came in and usually what's in the middle is pretty much a three day old fish head, which isn't too bad if one is a crab, I imagine, but a fishhead in a cage is still pretty much a fishhead in a cage compared to the entire fucking ocean...even to a crabby bastard like me.
I'm the first to admit that there are a lot more smart people in the world than I tend to imagine, but the odds that I want to spend time in someone's crabtrap for a few bytes of the someone's idea of the best fishhead ever are pretty low. I mean if I'm that bored, there's YouTube and HN and Facebook and Twitter. And one of them doesn't even require me to register...at least not yet.
Don't get me wrong, you probably don't want me as a customer anyway - requiring registration makes sense by filtering out people who might be harder to track. It's the strategy successfully used by Nigerian princes.
We need to keep in mind that we are the old generation: We all have more than 10 years Internet experience and we know how many times Facebook has betrayed us.
Now we should ask the younger generation and people with non-IT jobs what they think about logging in through a social network. Perhaps it's just another noise like managing URLs and Adobe updates.
Indeed, for them it's probably just a click, they already have no expectation of privacy on the Web. I'd really like to see numbers for various registration methods (where several are available), as well as age distribution for each.
I think we should be asking the older generation why the proposed SSO/Digital Identity solutions from a decade ago never got traction. OAuth is the only thing from back then that got anywhere, and it's been stripped of its identity management components and reduced to single sign-on.
It would be very cool if browsers had an "auto-register" feature, where you give the browser your information (name, nickname, email) and it automatically fills registration forms when it encounters e.g. an META tag in the page header.
One part already exists - the new html5 input type="foo" classes which COULD be used if sites would actually USE them. The other part is the password manager - it would need some rework to generate truly random passwords. Oh, and if the email confirmation messages could be standardized, too, then the mailclient could automatically confirm the mail.
edit: dear website owners, please allow facebook, twitter or any OpenID based flow, no matter how much you dislike these services. I hate nothing more than the tedious crap of filling out differently laid out forms, captchas and email confirmations.
I work on websites in drupal and so I've both given thought to this problem and seen how the process works from the inside. The problem with random passwords is that they are impossible to remember, so you have to have your password file with you all the time if you want to be able to access those sites from another computer.
The lack of a standardized registration form is not likely to change as long as sites manage their own accounts. However, perhaps there is some way that accounts and registration could be outsourced to a third party. It would have to be a company, or perhaps some not-for-profit entity, that did account management as their only business, so that they weren't just trying to use it as a vehicle to advertise their other business or sell your data, like Facebook. If it was simple, streamlined, and effective for both site owner and user, it could become a de facto standard.
There were a lot of solutions to this in the early 2000s, the golden age of the digital identity ecosystem. I did my bachelor's thesis on the issues faced by a solution that respected Cameron's Laws of Identity in 2003, shortly before the whole scene died off.
There were simple, streamlined solutions for this a decade ago. Nobody used them and many of them died. Some still exist out there like zombies. I was shocked to see inames.net is still out there.
The example I usually bring up is Windows CardSpaces, which shipped with Windows as recently as Windows 7. It was easy for people to get conceptually. It was easy for site admins to implement. But it never went anywhere.
When I talked to people about identity solutions like this, there were problems on both ends. From the user side, an identity solution needed to solve an obvious problem and/or be easier than the status quo. For many users, the status quo is to give out personal information freely and use the same username/password everywhere. Anything that adds choices or variety to the process is too much friction for little perceived benefit. Even if the actual process is simpler (clicking a card) than the status quo (filling out a form), there's a mental cost in adapting to something new.
For site owners, there was the added difficulty of educating and supporting users about the new identity solutions. But, the real biggie was that they'd lose the ability to collect & sell all that personal data. That can be more profitable than advertising, and it's a revenue stream some sites can't live without.
Well, the solutions offered then have failed, but did they systematically rule out all possible technologies and business models? One problem is username and password proliferation. Another is filling out the same information over and over, like phone number, email address, and so on. E-commerce sites will often not bother checking email addresses and not require accounts because unnecessary obstacles drive potential customers away.
I don't have a preconceived idea of what a 3rd-party account system should do. It could be anywhere from the least amount that would get a webmaster to install it up to a full username and password. Somewhere in there must be something better than the status quo.
> Well, the solutions offered then have failed, but did they systematically rule out all possible technologies and business models?
Of course not. In fact, business models were only considered tangentially in most cases because the general goal was to create an ecosystem of federated identity providers transacting over open protocols. Differentiation would come from the relationship between customers and their providers - charging for background checks to add extra confidence to third-party claims, for example. Or, by selling enterprises more secure identity claim brokers for their employees.
> One problem is username and password proliferation. Another is filling out the same information over and over, like phone number, email address, and so on. E-commerce sites will often not bother checking email addresses and not require accounts because unnecessary obstacles drive potential customers away.
I'd love to see the Digital Identity discussion revived, and between high-profile security breaches (Adobe, Target...) and the NSA, I think it might be time.
I know you don't have or necessarily want a preconceived idea of what a 3rd-party account/identity provider should be, but I encourage you to look at what's been done & discussed before.
Dick Hardt's keynote from the 2006 Identity 2.0 conference is entertaining and informative: https://www.youtube.com/watch?v=RrpajcAgR1E - it's also the talk that got me hooked on Vanilla Stoli for a couple of years.
Kim Cameron's "Laws of Identity" were the cornerstone of the discussion back them. They outline a system of federation, user control & consent, and minimal disclosure. Cameron's site also has lot of information about CardSpace/InfoCards (the open standard) and his blog covers some more modern Identity systems from Microsoft: http://www.identityblog.com/stories/2004/12/09/thelaws.html
I guess it would also be good to look at tools like 1Password which can fill out registration forms and passwords already, and see why they haven't been adopted more widely.
I plan to check those links out. Thanks. The web has every kind of site, covering every possible use case and degree of need for security, so I think there's a good chance that useful models are still out there waiting to be given a try.
The easy solution is to use https://lastpass.com/ Even if for some reason you don't trust it for your most critical passwords, you can use it to fill in details and generate a password for random sites.
Don't trust that company with your data, trust this one instead!
This is never the solution. The solution is to abstain from services which need your data, and which don't give you the source code of the software so that you can verify whether or not it does what they say it does.
I've heard of Lastpass, but, as far as I know, it only solves one problem, namely giving users a place to keep a password list that can be accessed through the web.
There are a number of ways to use it. Three of them are:
- Saving your username and password and then filling in the details when you visit the site.
- Keeping secure notes for things like security questions (or anything else you want)
- Filling in information on registration forms.
Encryption and decryption take place on your computer. The only thing that goes to LastPass is the encrypted information. They have no way to see what you're storing on their servers. That's why you're out of luck if you lose your password.
The biggest advantage to me is that I want to generate unique passwords like %T124_tatWE4%%^&Tx-234rq for each registration, but there's no way I could possibly remember them, so I'd be forced to carry a written copy everywhere. That's not very secure so I reuse semi-safe passwords instead. With LastPass I generate a unique 16-character password and never have to remember it.
The proper solution would be just like you describe but without the part where you give the browser your information - the browser can remember more than you do, and it can create usernames that are random and thus unrelated between different sites; it can create proper single-purpose email addresses - again, not giving the site any ability to spam you but not a throwaway as if you really need an email from them, then that address is accessible.
I.e., solve the 'identity problem' by removing the identity core; your client software should be able to create fake identities for you on the go, and preferably with less than one click - automatically without prompting.
That's a lovely idea - I rather like the idea of a standard for "one touch registration" that would:
- Give the site a username (and negotiate a new one if my preferences are already taken)
- Generate a password and store it somewhere sensible
- Generate a unique email address and pass it to the site
- Handle the email confirmation
My initial reaction was, of course, why would sites ever support such a thing (they don't get real names or real email addresses)? But then I realized that could be a great way for a site to prove to me that they have absolutely no intention of handing my details to other people - so it might work as a way of identifying sites that have honorable intentions.
You give a site your user name and password via a form. Your browser converts these into a http request to a link via parameters. The site sends you your account page, or makes you try again if you fluffed it.
Isn't this the equivalent of giving somebody private URL, like in the article? It's essentially the same, functionally, as a password you remember. Except passwords are less secure, as people use the same ones repeatedly, or generate them from a simple system repeatedly (less vulnerable to automated password guessing attempts, but as vulnerable to a dedicated human attacker).
Are their web frameworks that let you determine if a user is genuine by their behaviour as much as their passwords? E.g. if I usually log in from the US, why am I suddenly logging in from Russia, less than a half-hour since I logged in via the US?
I was burned by something like that just yesterday. I've never used my mobile to log onto my email before, but after taking a 4hr trip and expecting an email, I tried and found myself locked out. This despite having the correct password, but it ran me through 'secret questions' which I filled out with gibberish about 20 years ago because I correctly believed they were a security risk.
>>Isn't this the equivalent of giving somebody private URL, like in the article? It's essentially the same, functionally, as a password you remember. Except passwords are less secure, as people use the same ones repeatedly, or generate them from a simple system repeatedly (less vulnerable to automated password guessing attempts, but as vulnerable to a dedicated human attacker).
Sort of, but not exactly. Login forms, when correctly submitted, usually set a session cookie in the browser. Cookies are sent back to the server with later requests, so you could think of the cookie as if it was part of the URL. Every time you log in, though, you get a cookie with different data inside. That's different from a private URL, because the private URL would always remain the same once it has been assigned.
If the private URLs are generated by a secure random number generator, then they could potentially be more secure than passwords are. Being secure and hard to guess also makes them long and difficult to remember; and that's why passwords are used far more often than random private links. Passwords are meant to be possible for a person to remember and type. Also, passwords are possible to change, so if your password is compromised, you can keep your account and just change the password.
>>Are their web frameworks that let you determine if a user is genuine by their behaviour as much as their passwords? E.g. if I usually log in from the US, why am I suddenly logging in from Russia, less than a half-hour since I logged in via the US?
I'm not sure if there are frameworks for that, but I know that some companies have implemented similar kinds of things. Bank of America's website that allows you to access your account data adds a few extra features that add security to the standard username/password combo.
> But when you submit your user/pass and are logged in, a cookie is set on your browser, and then a private link with your page is sent back to you.
Not necessarily. Usually either the link is public (i.e. the same for everyone) and the session ID is in the cookie, or the session ID is in the URL (considered unsafe). This is the default behaviour of various Java application servers when cookies are disabled, for example (a jsessionid=... paramter is added to the URL). The "unique private URL" concept is then functionally equivalent to session IDs in the URL with sessions that never expire.
Here is a thought that I've been playing with over the previous weeks, but I'm not sure if it's viable. What if instead of making a website, you created an entirely mobile application? My theory is that you could eliminate the need for creating accounts since most people only usually use one device. You can still have all of the mechanics for inviting and creating teams, because that would be native to the system. All you would need to do is store a UUID for each user.
There are a few drawbacks to this approach such as a user losing their device. Essentially all of their history would be lost with it unless you used something like CloudKit to back the users info up. The problem with an API like CloudKit is that it isn't cross platform (yet). A user with multiple devices could join the same game, but I don't see how that would stop users with multiple emails from accomplishing the same thing.
Just something I was thinking about, but I do agree with not creating more accounts. There needs to be a more elegant solution.
I hate to register on sites but I often do. This is because if I expect the trade off between the pain of registration against the value I expect to get from continuing to use the full functionality to be positive then I sign up.
My pain from registration is largely due to the friction from having to think up a unique username (I hate when my favorite username is already taken) and making up a password.
I am really not bothered by receiving email from services as most respectable sites will unsubscribe you with one click and if they don't I simply mark their email as spam.
I never sign up with social services (GooFaceTwit) due to my irrational fear that at some point my activity on the site will be made public without my consent.
Your takeaway as a product owner I think is that if you are building a service for technical folks (would your typical user hang out on HN? If so, read on. If not, ymmv), you should really think about if your service truly needs user registration (I have seen some creative workarounds that don't impose a burden on the customer and still allow the product to achieve business objectives). If you do need registration, you should remove as many impediments as you can (meaningful engagement prior to registration, email as username, only ask for information you absolutely need to have, stagger your profile updates within the user lifecycle, etc).
Personally, I would like to see a structural solution to the registration problem. This is such a common issue for a significant portion of the web that it should be solved at the browser level. Why is there not a "Register for this site" button on the browser chrome? The user signs into their browser and from then on can simply create an account on any site by clicking the button. A little drop down or tooltip can show what information they need to share to successfully register so the user is making an informed choice.
I shouldn't need to enter a user name password combo on any website ever again and the entire process should be as easy as hitting the back button.
I've seen this idea before, and I really do like it. However, I managed to close my window (had incognito mode), and now I will never be able to retrieve my predictions. No big deal perhaps – but still annoying.
Name: afdssdf email: fsdass@dfafd.com password:fsdssd
How many times have I filled forms out like that? Probably over 10,000. I also use my fake facebook account almost as much as my real one.
No, those are just random. If I find I actually want an account, I'll log-out and sign up with a real e-mail/password. (It's very rare.)
Most sites that require e-mail I will just leave an never come back. If it looks SUPER useful or amazing I'll go to the trouble of getting a disposable e-mail account.
Ok you're right, but on the other hand if I, a vivid user of the browser didn't think about searching the browser history for that, other people will neither.
The author is right in that I do not want to sign up with Facebook, Twitter, Github, Google+ or any other SSO SPOF.
He is wrong in that "Nooooo people do not want to create an account either". If there is a reason to register, I am perfectly happy creating an account with a self-invented password and email validation, even if it's to do only so much as post a few comments under the same name somewhere.
Spot on. I like the method he used - simple on the code end of things, simple for the end-user. I think simplicity is a proxy for success.
I think the only reasonable time to require someone's email (or other contact information) is when sending emails delivers real value to your users - when there is no other way to accomplish what you need to, except by sending email.
We run a Price comparison site for nutrition products. The main reason we have a "registration" process is so that you can sign up for price drop alerts on your favorite brands, products, categories, and our hot deals we find.
So, since these users want to receive emails from us, the system proposed simply won't work.
We've spent a fair amount of time refining our process, and still have ways to go, but this is the current process:
1. User is not logged in, wants to get a price alert on their favorite protein. They click the button.
2. A modal popup comes in, only asking for their email.
3. They're now logged in, and the alert is saved (but not activated). They're told to check their email.
4. We send an activation email via Mandrill.
5. They activate, when entails entering a password and their (optional) full name, and all price alerts are now active for them.
6. After they activate, we send them on over to a welcome page, showing them where they can see their settings.
This process is as simple as we can make it. The only thing I want to change is some of the verbage in #4. Right now it's a blanket Confirmation email, but doesn't mention the product they want to follow.
Our userbase is all over the map in terms of gmail, facebook, and twitter. I don't trust any of those. So this is our best thing. See my profile if you want to test it out.
Why have a password and full name or the whole UI shebang around logins? Save their email in a cookie, then only send a confirmation email for the first alert. Prepopulate the alert sign up with the mail from their cookie.
But what about when they come from another browser or on mobile?
Most people will check their email from their mobile devices. Could be a different browser than where they started, so now they have no easy way of removing the alert, (unless we generate new codes for that in every email?)
I might miss something, but why is a password and account management page required for sending out email alerts?
I imagine it is because the logged user can simply check boxes to enable alerts on a specific product rather than inputing his email adress once again but the hassle is minimal with autofill.
You are correct. As well as unchecking alerts in the settings.
It seems that the solution to having a username/password is to make everything run from links via those emails, after they've confirmed. This may be worth exploring.
I was shopping for high-speed internet yesterday. Comcast's website refused to share any details about their internet options' prices or bandwidths until I registered an account. I guess when you are a near monopoly like Comcast, price comparison is not something your customers need to worry themselves about..
I found the discussion about registration so inspiring, that I wanted to throw in a different approach that I outlined in an own blog post and posted as different thread.
I am using a CRM as our main website. It has a small "Register" link in the corner which I was unable to remove until now due to my poor html/css knowledge. It doesn't have any functionality. Still we have around 3 new user every day :)
Here in the UK I played a game on the CBeebies website with my daughter (age 7). It wanted her to sign up for an account with an email address and details so that she could save her progress.
She just plays from the beginning restarting each time and picking a different path through the game.
This is what cookies were invented for. It could easily save her progress in a persistent cookie with no need to sign up.
(Signing up might still be an optional way of persisting that state beyond the cookie, for example to share progress between cookies, but that could easily come later and only when the user wants it)
This is a good way to piss off your marketing department. Unfortunately sometimes UX has to take a hit in the name of the bottom line. Email/direct marketing works. It won't deliver value to every user on every contact, but even 5% response rates can offer ROI.
The most obnoxious offenders are job sites for specific companies. You need to create an account that you will use probably a handful of times. To make it worse they all use something like Taleo but for some reason can't share logins.
Ah, I see, we are an online school. You can browse the courses, and some course materials for free, but if you want to take them and get credit you need to pay.
Why not just provide a link to the product on the last page in the process? This could even be a link that automatically stopped working after it was used a few times. Harvesting email addresses is definitely not the only way to solve this problem, so it seems unfriendly to allow only that method.
For many use cases this would not be required. We have an online school. How would you solve being an online school without the ability to contact your students by email?
I doubt we'll ever get within range of this particular goalpost, but it's certainly possible to handle communication within an app. If requiring emails doesn't bug your customers, congratulations! Your "...the email address is so..." remark invited skepticism.
We actually handle most of the communication (messages/forums) in the app, still email more efficient for some students. And in general if I've paid hundreds of dollars for a SaaS product I might be a little suspicious if I was never asked for my email address.
I was one of the users who went to your website the first time it was posted, saw that you had to register to see anything at all, and left. +1 for the changes!
Funnily enough, a lot of Bitcoin gambling sites like just-dice.com, also operate on an URL-based account system. It is really minimal barrier to gamble.
I sent a message via the contact form (not via email) pointing some spelling mistakes in the French translations, but it was not taken into account for the moment ;-)
Ok except that "Brézil" is incorrect, it's "Brésil" or "Brazil" if you want to keep it international. There are still typos on the league page "Voir ses pronotics" is missing a "s" for example.
But as I said in the message the site is usable so I don't really care that much, it's just some polishing that would make it greater.
> I know I'm going to need to come up with some password.
I agree with the premise, but you shouldn't come up with passwords when you register. You should use a password manager that generates a unique password for every site you use.
Now, this obviously wouldn't work for most types of bank or email security, but for casual forums and things, I really like the way that Bret Victor presented the trip phrase concept.
I feel like Facebook screwed this up for everyone when people's feeds were covered with apps their friends were using. Now when a site asks you to authorize it with facebook, users don't feel like they can trust what it's going to do.