by ryanfitz on 10/2/12, 5:43 PM with 109 comments
by mnicole on 10/2/12, 7:14 PM
Also, regarding the CEO's email and the confusion of so many options on the homepage, that's merely a design issue. Those buttons don't need to take up so much room or be so bold. They could simply be links with tiny corresponding icons underneath the default login form. Taking those options away would be a detriment to both current users of those methods and future users who prefer the quick registration process it provides.
The argument thereafter that these logins could easily dissipate and are therefore unreliable is solved the same way SoundCloud does it; allow the user to set a username and password separate from their social networking account in their settings. The only problem with the SoundCloud method, at least at the time I did it, was that in order for it to activate, you had to reset your password. As far as the security point is concerned, that's a risk the user takes and another benefit to having both site-specific credentials and the social media tie-in.
by robomartin on 10/3/12, 12:58 AM
What do I mean by this? The other day we were watching TV and a Charmin ad comes in. At the end of the ad they actually say "go to facebook.com/charmin"
What? They have a perfectly good and highly recognizable brand. And, they happen to have a great URL: charmin.com. Why send traffic to Facebook and diminish or even completely fail to promote your own brand?
OK, the other question might be: Who is visiting a Facebook page for toilet paper? The point is that I've seen this many, many times from all kinds of companies.
Maybe someone can explain? Maybe this is just sheep following sheep off the cliff?
by codinghorror on 10/2/12, 6:55 PM
Personally I'd much rather log in with Google in this case, which means there would need to be three buttons: Twitter, Facebook, and Google. I'm sympathetic to the "nascar-ization" argument, but I also believe your customers are smart enough to process at least as many options as there are in their wallet for providing identity.
Perhaps the best solution is even more minimal: no login options at all! Let the browser auto-generate credentials and a unique password on your behalf, then automatically use that to log you in every time it sees that website.
http://www.codinghorror.com/blog/2011/09/cutting-the-gordian...
by matthewowen on 10/2/12, 9:28 PM
Test your changes independently, and make incremental changes
They thought social buttons improved login success. They didn't. An unconnected copy change improved login success. If you test these things independently, you'll get much better insight into what makes a difference.
by lifeisstillgood on 10/2/12, 10:28 PM
* I want to use email as username
* limit the number of possible ways to login (no NASCAR)
* I want to keep personal and business logins separate
* don't slap competitor logos all over my pages (CEO quite right there)
This, however, all begs the question: how do I move accounts to a new login?
Few sites (stackoverflow is a shining exception) allow you to associate more than one login with one account. And fewer give different settings by login (admin, power user etc)
We have been lulled by OAuth and OpenID into thinking we have just to authenticate me, rather than authorise a role - and few sites have concepts of anything other than one role == one set of privileges == one login.
There is a reckoning coming - it is when these sites need to provide fine grained control, as businesses run on them full time, we shall discover why ACLs exist, and what chmod is for. It's going to be painful. But then it's better for mailchimp to take the pain in a couple of years than not be there at all
Now go install Persona. And allow me to associate more than one login with one account.
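The data model lifeisstillgood is asking for, as an added example that is not code from MailChimp, Stack Overflow or Persona: one account with several linked logins, a role attached to each login rather than to the account as a whole, an unlink guard so the last login cannot be removed, and a resolve step that refuses to silently create a fresh account for a login it has never seen. The role and permission names are constructed.

```python
from dataclasses import dataclass, field

# Added example, not code from MailChimp, Stack Overflow or Persona. One account,
# many logins, and a role set attached to each login. Role names are constructed.

ROLE_PERMISSIONS = {
    "owner": frozenset({"read", "send", "manage_users", "manage_billing"}),
    "admin": frozenset({"read", "send", "manage_users"}),
    "power_user": frozenset({"read", "send"}),
    "viewer": frozenset({"read"}),
}


@dataclass(frozen=True)
class Identity:
    provider: str  # "email", "twitter", "facebook", "persona", ...
    subject: str   # the provider's stable id for the user, never a mutable display name


@dataclass
class Account:
    account_id: str
    # Each linked login carries its own roles, so a personal Twitter login can be a
    # "viewer" on the same account where the work e-mail login is "owner".
    roles_by_identity: dict = field(default_factory=dict)


class AccountDirectory:
    def __init__(self):
        self.accounts = {}  # account_id -> Account
        self.index = {}     # Identity -> account_id (an identity belongs to at most one account)

    def create(self, account_id, identity, roles=("owner",)):
        if account_id in self.accounts:
            raise ValueError(f"account {account_id} already exists")
        self.accounts[account_id] = Account(account_id)
        self.link(account_id, identity, roles)

    def link(self, account_id, identity, roles):
        if identity in self.index:
            raise ValueError(f"{identity} is already linked to an account")
        unknown = set(roles) - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.accounts[account_id].roles_by_identity[identity] = frozenset(roles)
        self.index[identity] = account_id

    def unlink(self, account_id, identity):
        account = self.accounts[account_id]
        if identity not in account.roles_by_identity:
            raise KeyError(f"{identity} is not linked to {account_id}")
        if len(account.roles_by_identity) == 1:
            # Removing the last login would lock the user out of the account for good.
            raise ValueError("cannot unlink the only remaining login")
        del account.roles_by_identity[identity]
        del self.index[identity]

    def resolve(self, identity):
        """What the app does after an identity provider hands back a verified identity.

        Returns (account_id, roles) for a known login, or None for an unknown one.
        None is deliberate: the caller decides whether to offer sign-up or account
        linking, instead of silently creating a fresh, empty account.
        """
        account_id = self.index.get(identity)
        if account_id is None:
            return None
        return account_id, self.accounts[account_id].roles_by_identity[identity]

    def authorize(self, identity, permission):
        """True if the login's roles on its account grant the permission."""
        resolved = self.resolve(identity)
        if resolved is None:
            return False
        _, roles = resolved
        return any(permission in ROLE_PERMISSIONS[role] for role in roles)
```

Keying the index on the provider's stable subject id rather than on a display name or e-mail matters: providers let users rename themselves, and an index keyed on mutable data is how one user ends up resolved to another's account.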
by mkjones on 10/3/12, 5:11 AM
"Social login buttons put security in someone else’s hands" You're damn right they do! I argue that in 99.9% of cases that's a great thing, for 3 reasons:
1. Facebook invests significant resources in both keeping bad guys out (we have been able to dramatically reduce large-scale phishing with a number of updates to our login security systems) and ensuring everyone else can get into their accounts easily. I can only speak for us, but I assume Twitter spends a lot of time on this as well. I imagine it'd be tough for a startup to keep up with the 10-20 people we have working on this problem at any given time.
2. It's incredibly difficult to build a password system that is both easy to use and secure. There's an almost endless, ever-changing list to make sure you're hashing and salting properly, don't have SQL injection flaws, implement robust rate-limiting without allowing DoS, etc. We've all seen many people screw it up in recent years. One of the largest benefits of Facebook Connect for startups is the ability to leverage our investment in these systems, without having to invest the significant time we have spent iterating on them.
3. We've spent a lot of time working on every aspect of login, so that startups don't have to. Your job is to build whatever technology differentiates you from your competitors, and make it worlds better than theirs. Any time you spend futzing with password hashing, building a better password recovery flow, or arguing about how to fail when people type in the wrong password is time you could better spend making a truly wonderful product. Unless you're trying to build a startup that helps people log in, any time spent on this is better spent elsewhere.
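Two of the items in point 2 above, salted hashing and rate limiting that does not hand an attacker a lockout DoS, as an added example that is not Facebook's or MailChimp's code. It uses only the Python standard library; the iteration count, limit and window are constructed values, and the `FailureThrottle` class and `attempt_login` function are this example's own names.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# Added example, not code from MailChimp or Facebook. Salted password hashing plus
# a failure throttle that slows guessing without letting anyone lock a victim out.
# Iteration count, limits and windows are constructed values.

PBKDF2_ITERATIONS = 600_000  # assumption: the largest count your login latency budget allows


def hash_password(password: str) -> str:
    """Hash with a fresh random per-user salt; format: pbkdf2_sha256$iters$salt_hex$digest_hex."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class FailureThrottle:
    """Sliding-window limit on failed attempts, keyed on (source, username).

    Counting per username alone lets anyone lock a victim out with a burst of wrong
    passwords (the DoS the comment mentions); counting per source alone is sidestepped
    by spreading guesses across many addresses. Keying on the pair makes a lockout cost
    the guesser their own source and leaves the real user, arriving from elsewhere, alone.
    """

    def __init__(self, limit: int = 5, window_seconds: float = 300.0, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock  # injectable so tests can control time
        self._failures = defaultdict(deque)  # (source, username) -> failure timestamps

    def _recent_failures(self, key) -> int:
        now = self.clock()
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()  # drop entries that have aged out of the window
        return len(q)

    def allowed(self, source: str, username: str) -> bool:
        return self._recent_failures((source, username)) < self.limit

    def record_failure(self, source: str, username: str) -> None:
        self._failures[(source, username)].append(self.clock())

    def record_success(self, source: str, username: str) -> None:
        self._failures.pop((source, username), None)


def attempt_login(users: dict, throttle: FailureThrottle, source: str, username: str, password: str) -> str:
    """Returns 'ok', 'throttled' or 'failed'. `users` maps username -> stored hash string."""
    if not throttle.allowed(source, username):
        return "throttled"  # refuse before doing any expensive hashing
    stored = users.get(username)
    if stored is not None and verify_password(password, stored):
        throttle.record_success(source, username)
        return "ok"
    throttle.record_failure(source, username)
    return "failed"


if __name__ == "__main__":
    users = {"alice@example.com": hash_password("correct horse battery staple")}  # constructed
    throttle = FailureThrottle(limit=3, window_seconds=60)
    for guess in ["password", "letmein", "hunter2", "123456"]:
        print(guess, "->", attempt_login(users, throttle, "203.0.113.7", "alice@example.com", guess))
    print("same user from elsewhere ->",
          attempt_login(users, throttle, "198.51.100.2", "alice@example.com", "correct horse battery staple"))
```

Storing the iteration count alongside the hash is what lets you raise it later: old records keep verifying with their own count, and can be re-hashed at the next successful login.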
by cowboyhero on 10/2/12, 7:56 PM
This'll date me, but I'm still amazed that so many companies eagerly slap other companies' logos on everything they do. Even if it's just a blog post.
This page is a case in point: Facebook's brand appears four times. Twitter's appears a dozen times (more because of the comments). Mailchimp? Just once.
by stephengillie on 10/2/12, 9:20 PM
Mailchimp found that clarifying login error messages reduced login failures by 66%!!
The rest of the story is a coincidental tale about the CEO trying to pull a "Jobs" by thinking he knew what his customers wanted better than they did. The social media buttons only had an effect on 3.4% of their users, a small group compared to the reduction in failed logins. By making the social login buttons the main point of their blog article, they hide this valuable tidbit.
by BryanB55 on 10/2/12, 8:44 PM
by netmau5 on 10/2/12, 9:36 PM
On one of my previous projects, Twitter was the only allowed login method. After some complaints, we implemented an email-based login and reduced the bounce rate by over 50%.
Another anecdote: whenever my Asana session expires, I always struggle to remember which Google account I registered with or if I used email. The worst part of their flow is that if you're wrong, a new account is created and you log in to a blank slate. It takes forever to find the log out button to try again too.
by Tipzntrix on 10/2/12, 6:11 PM
by vampirical on 10/3/12, 2:09 AM
Alright so this security hole already existed in their system elsewhere. After raising the issue that this type of message leaks data, which is a completely valid concern, they dropped it because they were already leaking that data elsewhere? It isn't like email based account reset/reminder forms have to leak the existence of an email within the system, a fact they just gloss right over.
For a system that stores quite a lot of very sensitive data it is surprising to see them knowingly keep such a hole open. I understand the desire to smooth out the user experience but this honestly seems more driven by the desire to not field customer support requests for what feels like a "stupid issue".
I'm not currently a MailChimp customer but I used to be and before reading this I would have chosen to use them again if the need was there. Please don't compromise the security of customers for convenience.
by propercoil on 10/2/12, 10:58 PM
I'm amazed by everything that they do. Elegant API and UX that "you get" from the get-go. It is a huge problem to solve and I'm now engaging with 1100 subscribers.
Now I want to pay ($30/m) but they don't accept PayPal - the service I use to pay for everything since I'm a digital vendor. There are companies in the U.S. that don't understand that a lot of foreigners do business solely with PayPal. There are those who dig it though (Elance, Envato, oDesk).
MailChimp, take the leap! eeee
by catshirt on 10/3/12, 12:25 AM
1. They added the social buttons late in the game, and are surprised about 4% of users are using the social buttons. What if that 4% was comprised entirely of users who registered since you added the buttons? That would be a totally different ballgame.
2. The problem they were trying to solve was login errors. That's not the problem Facebook and Twitter sign-in solve. Therefore it seems fallacious to say "they aren't worth it" when you're not even considering the standard use case.
by bunderbunder on 10/2/12, 7:25 PM
Because it's one less !$@%!@$! password to remember. Or it's one less $@&%!@$ hassle adapting my password creation formula to a new site's password requirements. Or it's one less place where my don't-care-use-it-everywhere username/password key is stored, perhaps @$2(! in the clear. Or perhaps it's just one less time I have to type in a @$@(%^! username and password. Or @*($&%! create one.
by adrianhoward on 10/3/12, 8:55 AM
"Is it worth it? Nope, it’s not to us." (my emphasis)
Not all businesses are the same. B2B businesses like MailChimp usually don't see major increases in value through third party auth. They're providing serious value. People will go to the effort regardless.
With a casual use B2C site removing even the tiniest piece of friction in the login process can mean the difference between a purchase and people just going away.
It depends. This is why we test shit :-)
(Also - unrelated to this - is that the "login" bit is often not where the biggest win for third-party auth is. It's in reducing friction in registration. I've seen high single digit percentage improvements in abandonment of registration for some B2C sites due to getting profile info from Twitter/LinkedIn/etc. cutting the time it takes to set up accounts fully. Lifetime value also increased since profile info was generally better from those sources, which was an important part of users getting value out of the system, and so the business getting value out of those users).
[edit: also - they seem to be looking at total numbers, rather than doing any kind of cohort analysis on the folk using twitter/facebook/whatever... which may well lead to different conclusions]
by badclient on 10/3/12, 12:21 AM
This is one reason I am extremely pissed at Instagram. Instagram as a product gives you a sense of privacy because it provides very limited ways to access your photos. You can't just go to instagram.com, log in and begin browsing. On the other hand, few people realize that your Instagram pictures are public by default and there are dozens of sites which, using Instagram's API (I'm guessing), are republishing our photos without even your knowledge.
by taylonr on 10/3/12, 2:00 AM
2. Having both social & native logon.
You could actually solve both by either (1) only using native logon, or (2) picking one (maybe 2) social logins.
I went with #2. Granted it was on a small test site, but the trade-off of managing customer logins sucks. I'd rather have Google get busted for getting hacked than my little SQL DB getting attacked.
The way I look at it, I have time to write code and secure it to the best of my ability. However, Google and other social logins have whole teams that can manage security and keep up to date with the latest technology etc.
So there is more to social logins than the actual act of logging in. And some of the problems listed aren't really with social logins, but rather with a particular implementation.
by tylermenezes on 10/3/12, 6:26 AM
Obviously a business-focused company is going to have fewer people logging in with Facebook than a consumer-focused company.
People shouldn't write generalizing blog posts unless they have some understanding of proper experimental design.
by tsurantino on 10/3/12, 4:06 AM
I think the simple value for social login is context. There's an obvious overuse case and a useful use case.
by tolmasky on 10/2/12, 11:59 PM
by drelihan on 10/2/12, 8:11 PM
by steeleduncan on 10/3/12, 4:59 AM
Online companies are largely valued by the size of their userbase, and by working to build Facebook's or Twitter's userbase rather than your own, you are sacrificing the value you add to your own company for the sake of the social network that a user signs in with.
by gingerlime on 10/3/12, 8:01 AM
I think the article dismisses one huge benefit to federated logins:
* ease of use for users - instead of choosing a username, entering all the customer information, verifying the email address etc, choosing a password, you can sign in with one or two clicks.
by shizzy0 on 10/3/12, 7:46 PM
by latchkey on 10/2/12, 8:09 PM
by geerlingguy on 10/2/12, 9:44 PM
by Zelphyr on 10/2/12, 10:19 PM
ONLY being able to use them to log in somewhere else is obviously a reason to never sign up with that "somewhere else" site altogether.
by sologoub on 10/2/12, 9:18 PM
If you have a catch-all error message, it's much harder to guess the username/password combo.
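The two leaks discussed in this thread, the login error that names which half of the credential was wrong (sologoub's point) and the reset form that confirms whether an address is registered (vampirical's point), side by side with the catch-all versions, as an added example that is not MailChimp's code. It keeps a throwaway credential so an unknown address still costs one full hash computation, because otherwise response time gives away what the message withholds. The user records, addresses and the `distinct_responses` regression check are this example's own constructions.

```python
import hashlib
import hmac
import os
import secrets

# Added example, not MailChimp's code. Leaky and uniform versions of the login
# error and the password reset form. User records and addresses are constructed.

ITERATIONS = 100_000  # kept low so the example runs quickly; raise in production


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}


USERS = {"alice@example.com": _make_user("correct horse battery staple")}  # constructed
OUTBOX = []  # stands in for the mail system


def send_reset_email(address: str) -> None:
    OUTBOX.append(address)


# --- Leaky: each response tells the caller something about the address ---

def login_leaky(email: str, password: str) -> str:
    user = USERS.get(email)
    if user is None:
        return "No account exists for that email"  # confirms the address is unknown
    if not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return "Incorrect password"                 # confirms the address is registered
    return "OK"


def reset_leaky(email: str) -> str:
    if email not in USERS:
        return "No account exists for that email"   # same leak, and no password needed
    send_reset_email(email)
    return "Password reset email sent"


# --- Uniform: one message, and the same work, whether or not the address exists ---

# Throwaway credential so an unknown address still pays for one full hash.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_urlsafe(32), _DUMMY_SALT)


def login_uniform(email: str, password: str) -> str:
    user = USERS.get(email)
    salt, expected = (user["salt"], user["hash"]) if user else (_DUMMY_SALT, _DUMMY_HASH)
    matches = hmac.compare_digest(_hash(password, salt), expected)
    if user is None or not matches:
        return "Invalid email or password"
    return "OK"


def reset_uniform(email: str) -> str:
    if email in USERS:
        send_reset_email(email)  # the mail goes only to the real owner
    return "If that address is registered, a password reset email has been sent"


def distinct_responses(handler, *argument_sets) -> set:
    """Regression check for a test suite: a handler is enumeration-safe only if a
    registered and an unregistered input produce exactly one failure response."""
    return {handler(*args) for args in argument_sets}
```

The `distinct_responses` check is the kind of thing to keep in the test suite: it turns "does this form leak account existence?" into an assertion that fails the build when someone later adds a helpful "no such user" message back.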
by pbreit on 10/3/12, 5:27 PM
by cookingrobot on 10/2/12, 9:14 PM
We run a service that makes it simple to add Email&Password style login, or Social login to your site: http://www.dailycred.com
[1] http://dailycred.tumblr.com/post/30602034530/surprise-people...
by rsobers on 10/2/12, 7:02 PM
by vseloved on 10/3/12, 5:11 AM
by inthewoods on 10/3/12, 12:44 PM
by nnash on 10/3/12, 2:37 AM