How to do it wrong : third-party auth, aka “social login”
We probably shouldn’t store other people’s passwords on our own websites. Not unless we have the actual technical know-how, and the physical means, to guarantee a good level of security.
A vast majority of users happily reuse a handful of passwords on dozens of sites. A single weak spot, in any of the services, is enough to compromise the user’s accounts and personal data on every other service.
This happens regularly, and entire databases of email/username and password combinations are readily available on the web. There’s even a tool to check whether you got pwned.
Luckily, we can rely on third-party solutions, like Google, Facebook, LinkedIn or GitHub, to name a few. They take care of the authentication so we don’t have to.
The pros of social auth are plain and clear :
- No need to store passwords, your security stands on the shoulders of giants
- Easily pre-fill fields like e-mail, for a faster registration experience
The main con, forcing people to use a third-party service, can be removed by not making third-party auth compulsory. You don’t need to force this on users. Most online services give users a choice : the email + password combo, or the third-party authentication.
Unfortunately, even though the use of third-party authentication has increased recently, many services are using it plain wrong. Here are two scenarios I’ve encountered over and over again.
Asking for a password
Some services offer third-party authentication, only to ask you to set a password one step later.
This is deceptive. We just traded some of our privacy by giving access to our social account, and you are turning around and asking us for a password. This looks sketchy, and now you’re just expecting us to trust you with our personal data.
It’s also pointless. All you’ve accomplished is pre-filling user data that would have taken seconds to fill-in, like my email field.
Signing up users who are trying to log in
I’ve seen this pattern many times. It’s even built in some plugins and libraries that enable third-party authentication.
A user clicks on “I already have an account”. They probably don’t remember if they made their account with Facebook, Google or their Yahoo email adress. They click on “Google” to see if it’s the right one, and BAM they get unwillingly signed up into the service with a second account, using their Gmail adress instead of their usual Yahoo adress.
This is, again, deceptive. You just forced a user into creating an account without their consent. If you’re in the EU, you’re in big trouble for privacy non-compliance.
It’s also, again, pointless. You’ve just frustrated a user, and split their data among two different accounts. Now they’ll email you if you don’t have an easy account-deletion process.
You should have two different user routes for signing up and logging in, whether by email + password or by third-party authentication. This will avoid accidental account creations and frustrations.
Conclusion
Third-party authentication is a good thing, as long as you follow these rules :
- Don’t make it compulsory
- Don’t go against the pattern
This was my first medium write-up, hope you enjoyed reading !
