To the end user, Sign in with Facebook has at least three drawbacks. When you navigate to a page on the internet that requires a login, Sign in with Facebook (or Google, Twitter, et al.) is probably more secure than each website writing its own login process, hashing passwords, and writing a bunch of code for password resets, not to mention storing your private information in a database that will someday get hacked. Websites want you to log in so you can spend your money on goods or services or do something else they can monetize, so developers and product managers have these choices:
- Each user must register, enter a secure password, confirm their email, give their phone and mailing address, and attest that they are not a robot. Doing all of this takes time away from what the website actually wants you to do: spend your money or your time.
- By leveraging Sign in with Facebook, the website gets access to all of the above and you get to sign in pretty painlessly.
Win, win? Not so fast.
I probably sign into no less than 50 websites every day – for work, personal projects, or pleasure. To help me organize, secure, and fast-fill usernames and passwords for these websites, I use a password manager. If you’re not familiar with password managers, they’re a secure service that stores usernames, passwords, payment information and more – and they place icons on login screens that allow these fields to be auto-populated quickly. Password managers also let the user configure password generation complexity and easily generate a new password for each website. For me, every single website or application I log into has a unique, lengthy and complex password. But I am not Joe AverageUser.
Joe AverageUser signed up for a Book of the Month club at BarnesAndNoble.com in December using his Yahoo email address. According to the Pew Research Center, he probably (gasp!) wrote his password down on a piece of paper.
Many months go by and he doesn’t bother checking the website again. Then he remembers he needs to cancel his Book of the Month club or it will auto-renew and charge his credit card again. He Googles Barnes and Noble, goes to the website, and sees the login page, which offers Sign in with Facebook and Sign in with Google alongside the password form.
Joe doesn’t recall his password anymore and has lost the piece of paper he wrote it down on. He’s in a rush, so he selects Sign in with Facebook. After he authenticates, he sees there’s no Book of the Month subscription on this account, and finally remembers that he used a different email address, probably his Gmail address. He signs out and signs in with Google, with a similar result: no Book of the Month. So he logs back out, goes to the forgot-password page, and enters his email. Then he goes to yahoo.com, logs into his email, retrieves the message, clicks the link to reset his password and enters a new password (it’s probably the same password Joe uses for everything). Finally he’s logged in and can cancel his subscription. As a bonus, Barnes and Noble now thinks Joe is three customers and sends email promos to his Yahoo, Gmail, and Facebook accounts. If (when) Barnes and Noble gets hacked and his password is leaked, there’s a good chance that one or all three of his account passwords will be leaked.
To recap, Sign in with Facebook has three primary drawbacks for the end user:
- Causes user confusion
- Results in creation of multiple accounts for a single user
- Increases the potential for user passwords being leaked
I don’t think this form of authentication is going away, and I don’t think it’s necessarily a bad thing – but I do believe that websites and applications have a responsibility to users to keep their data secure and to make the user experience as easy as possible.