
Mitigating the Risks of Social Login

Posted on Dec 3, 2013 in News

Should we let our users create accounts entirely through Facebook?

That’s the question our team asked last week, and it’s a question more and more businesses are facing. Ever since Facebook introduced Facebook Connect in 2008, websites have had the option of allowing users to create and log into their accounts using only their Facebook IDs, rather than a username and password specific to that particular site. While the appeal of the program is clear, however, some businesses have been rightfully wary of participating.

For users and customers, the ability to log into a site using Facebook Connect means that they have one less password to remember and a much faster path to signing up for and using your site in the first place. For businesses, the ability to offer that fast path is enormously compelling, which is why so many sites do use Facebook Connect, often alongside other login options provided by Twitter, Google, and others.

These third party login tools promise more traffic, more subscribers, more members, more customers and more sales — and those promises have come true: as some have noted, up to 80% of web users choose Facebook Connect or another social authentication option when it’s available (as opposed to signing up for a site with their email address), and Facebook itself has claimed that social authentication increases registration by 30-200%. While some have questioned whether these numbers are the product of social login itself (email marketing powerhouse MailChimp concluded that the real benefit came from better handling of login failures, and abandoned social login), the case for social login remains compelling.

But is that promise worth the price of losing direct access to your customers’ contact information and profiling information — or for that matter, direct access to customers themselves?

In our company’s business — running online customer insight communities for companies around the world — smoothing the sign-up path is hugely valuable. Vision Critical’s clients run communities ranging from a few thousand customers to tens of thousands; the easier we make it for customers to sign up for a community, the sooner they can start providing their feedback on products, services or ad campaigns. If Facebook Connect makes it faster for people to join a community, we found ourselves asking, do we really care whether we know their email address, or whether we only know their identity through Facebook?

The question was still hanging in the air when I turned to my computer on Thursday to quickly check one aspect of the Facebook login experience. But when I pointed my browser to Facebook, instead of my familiar news feed, I saw this message: “For security reasons your account is temporarily locked.”

It turned out there was no quick fix for this issue, as it would need to be reviewed individually by Facebook. Since this transpired on Thanksgiving Day (a workday for our Canadian office), I reconciled myself to a multi-day wait.

What’s important to note for businesses that provide a social login option, however, is that I was not alone: enough Facebook users have been locked out to earn media attention, in what Facebook ultimately described to me as a mistake. These lockouts affect those individual users’ experience with (or without!) Facebook, but because of Facebook Connect there is also a much larger impact.

When I got an email the next day notifying me of a Black Friday sale on one of my favorite shopping sites, I clicked the link to log in — only to realize that my account for that site was set up through my Facebook ID. The same was true of many of the sites I would normally visit on my Black Friday rounds: from Fab to Fancy, from TravelZoo to Living Social. My Facebook ID was the gatekeeper to my shopping experience, and for this critical sale day, the gates were locked (unless I wanted to create a new set of accounts, and re-enter my address and other details on each and every site).

My experience highlighted the risk to those sites of using Facebook Connect, or for that matter, any third-party authentication service. Every customer or user that you as a business gain through this expedited path is a customer you can lose — or lose access to — just as quickly. Facebook’s recent spate of account lockouts is a perfect example of how third party authentication puts your subscriber or customer base at risk. As designer James Reffell points out in his excellent deck on Authentication Design Best Practices, “The more 3rd party services you use for critical infrastructure, the more you’re at their mercy….Facebook has amazing uptime, probably better than yours, but if you’re relying on them to handle your authentication, you now have theirs plus yours. And there’s nothing you can do.”

Unfortunately, forgoing social authentication is not the answer either, since its benefits are real. But as websites implement such authentication, they need to include risk mitigation in the game plan, as this weekend’s lockout reminded me. If you let a third-party provider hold a customer’s only key to your website, that provider’s tech failures, security protocols or business challenges become your failures, protocols and challenges.

Getting each and every customer’s email address, even if it’s alongside a social login, is the best way to ensure that you can still reach your customer (or vice versa) even if social authentication fails you in some way: you simply need to prompt users for an email address once they have connected via their social network of choice.
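As an added illustration of that mitigation (example code, not from the original post or from any provider's SDK), the following sketch treats a social identity as something *linked* to a local account rather than as the account itself: every account must hold its own verified email address, which is collected right after the first social sign-in, and that address then backs an email-based sign-in path that never touches the provider. The class and method names, the 15-minute token lifetime and the simulated email delivery (the token is returned instead of sent) are all assumptions made for the example.

```python
"""Added example, not code from the original post: link social identities to a
local account that always keeps a verified e-mail as an independent credential,
and offer an e-mail-based sign-in that works while the social provider is down
or has locked the user out. All names and the token lifetime are assumptions."""
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import secrets
import time


@dataclass
class Account:
    account_id: str
    email: Optional[str] = None          # captured independently of the provider
    email_verified: bool = False
    identities: set = field(default_factory=set)   # {(provider, provider_uid)}


class AccountService:
    TOKEN_TTL = 15 * 60                  # one-time tokens live 15 minutes (assumed)

    def __init__(self):
        self._accounts = {}              # account_id -> Account
        self._by_identity = {}           # (provider, provider_uid) -> account_id
        self._by_email = {}              # verified e-mail -> account_id
        self._tokens = {}                # sha256(token) -> (purpose, account_id, email, expiry)

    # ---- social sign-in: resolve to a local account, never *be* the account ----
    def login_with_provider(self, provider, provider_uid):
        key = (provider, provider_uid)
        if key not in self._by_identity:
            acct = Account(account_id=secrets.token_hex(8), identities={key})
            self._accounts[acct.account_id] = acct
            self._by_identity[key] = acct.account_id
        acct = self._accounts[self._by_identity[key]]
        # Site rule: the account is incomplete until it holds a verified e-mail,
        # so the caller prompts for one whenever this flag is True.
        return acct, not acct.email_verified

    # ---- one-time tokens (only their digest is stored, single use, time-limited) ----
    def _issue_token(self, purpose, account_id, email):
        raw = secrets.token_urlsafe(32)
        digest = hashlib.sha256(raw.encode()).hexdigest()
        self._tokens[digest] = (purpose, account_id, email, time.time() + self.TOKEN_TTL)
        return raw                       # would be e-mailed; returned here for the demo

    def _redeem_token(self, raw, purpose):
        digest = hashlib.sha256(raw.encode()).hexdigest()
        entry = self._tokens.pop(digest, None)      # pop: a token can be used once
        if entry is None or entry[0] != purpose or entry[3] < time.time():
            return None
        return entry

    # ---- collect and verify the e-mail the site will rely on ----
    def request_email_verification(self, account_id, email):
        email = email.strip().lower()
        # Never auto-merge into an existing account on an unverified address:
        # whoever controls a provider account claiming that e-mail could take it over.
        owner = self._by_email.get(email)
        if owner is not None and owner != account_id:
            raise ValueError("e-mail already belongs to another account")
        return self._issue_token("verify", account_id, email)

    def confirm_email(self, raw_token):
        entry = self._redeem_token(raw_token, "verify")
        if entry is None:
            return False
        _, account_id, email, _ = entry
        acct = self._accounts[account_id]
        acct.email, acct.email_verified = email, True
        self._by_email[email] = account_id
        return True

    # ---- fallback sign-in that does not depend on the provider at all ----
    def request_email_login(self, email):
        account_id = self._by_email.get(email.strip().lower())
        if account_id is None:
            return None                  # show the same neutral message either way
        return self._issue_token("login", account_id, email)

    def login_with_email_token(self, raw_token):
        entry = self._redeem_token(raw_token, "login")
        return None if entry is None else self._accounts[entry[1]]


def demo():
    """Constructed walkthrough: first visit via a social provider, e-mail captured
    and verified, then a later sign-in while the provider is unavailable."""
    svc = AccountService()
    acct, needs_email = svc.login_with_provider("facebook", "uid-12345")
    assert needs_email                   # first visit: prompt for an e-mail
    tok = svc.request_email_verification(acct.account_id, "Shopper@Example.com")
    assert svc.confirm_email(tok)
    login_tok = svc.request_email_login("shopper@example.com")
    return svc.login_with_email_token(login_tok) is acct


if __name__ == "__main__":
    print("fallback sign-in works without the provider:", demo())
```

The two details worth carrying into a real implementation are the ones a lockout exposes: the email must be verified (not merely copied from the provider's profile) before it counts as a credential, and an unverified address must never be used to silently attach a new social identity to an existing account, or the fallback becomes a takeover path.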

Missing a few days’ worth of my family photos and stream-of-consciousness updates may not be a big deal to Facebook itself, but for many businesses, arbitrarily cutting off customer accounts in the days before Black Friday and Cyber Monday represents a risk to the biggest revenue-generating weekend of the year. Do you want to leave that decision up to Facebook?
