See comments for some updates on this topic - especially the change in policy by Facebook around caching values.
One of the topics that came up in my post Mobile Internet Apple Facebook was around open vs. closed platforms. This issue comes up at the start of almost every new startup company in a variety of forms. I’m constantly struggling with trying to figure out the best way to pull together solutions, especially with how fast things move. In this post, I want to look at just the question of when it makes sense to use Facebook Connect, Twitter OAuth, OpenID, Yahoo Browser-Based Authentication, Google Friend Connect or basically any of the other authentication mechanisms.
Example
What do I mean? Here’s the block that you see when you look at a blog enabled by Disqus (a third party commenting tool that can be embedded in blogs and other content):
It allows you to authenticate yourself using Facebook Connect, Twitter OAuth (sign in with Twitter), OpenID, and Yahoo Browser-Based Authentication. If you have an account on any of those systems, you can click the relevant button. From there, you will generally see a pop-up dialog similar to the following (this one is from CitySearch):
Once you click Connect, the original site now knows that I’m Tony Karrer from Facebook and the various demographic and friend information from Facebook. That’s it. No registration on Disqus required. Instead, I’m telling it to use my Facebook account as my registration.
In the case of Disqus, they also allow for comments as a Guest. Interestingly, they are not including Google authentication. Of course, you have to draw the line somewhere. How many authorization (single sign-on) systems do you need to implement? More on this below.
Value of Third Party Authentication
Why provide all of these authentication options?
- It makes it easier for users to transact with the system. They don’t have to go through a registration process. In the case of Disqus, you can leave a comment pretty easily which increases the likelihood of the action.
- In case the person isn’t on Facebook, then you want to provide other choices. In the case of Disqus, they’ve provided quite a few – but still have left out others like Google. Providing more choices increases the chances that your audience will be able to use one of these to authenticate.
- If the person isn’t a member of any of these or doesn’t want your site to know about them on these social sites, then you still need your own authentication mechanism. In the case of Disqus, they allow for posting by a Guest. Actually, the blogger has the choice whether to allow this as they might get more spam. Bloggers may require users to register on Disqus to reduce spam.
- By having someone authenticate on Facebook or Twitter, you are also asking for permission to do things on that site on their behalf. In other words, the application often requests permission to tweet or publish content to your wall. Obviously, the goal is to get viral spread through these actions – and to facilitate value for users.
For something like commenting on a blog post, the ability to easily and quickly authenticate yourself is important. The fact that Disqus provides a means for me to authenticate quickly and easily using Facebook Connect or Twitter OAuth is great stuff and definitely increases the likelihood that I’ll leave a comment. I’m less likely to leave a comment if there’s an annoying registration process.
And because it’s so easy, if I’m a blogger and concerned about spam, I might very well turn off comments by Guests.
So in the case of Disqus, it likely makes a lot of sense to have implemented third party authentication.
Does it Make Sense for Other Startups?
Let’s look at what commonly is the conversation with each new startup (and again I’m going to just focus on the authentication portion).
Wouldn’t it be nice if users could register on our site using these same mechanisms?
The same value proposition applies. If your user base happens to be heavily from these social sites, then it will reduce the effort for users to get registered on our site. And every startup believes that the viral possibilities are big – isn’t everyone going to tweet what they are doing on our site?
But let’s look at it a little more closely …
Multiple Authentication Authorities
There’s a cost associated with each authentication authority that you are willing to accept. Each one takes some work to wire up. And as Disqus just experienced, you may run into bugs that cause that authority not to work for periods of time (I believe they were down with Facebook Connect for a week – ouch).
You also have a weird issue that you can’t tie the user to multiple authorities at one time. Each one acts independently. You may have experienced this yourself. You come back to a site you’ve used before. It no longer recognizes you (cookie has expired or been deleted). And it presents you with the same choices. However, if you can’t remember which authority you used and you choose a different one, then it won’t recognize you as a returning user.
The only way around this is for the application to ask you to login to each of the authorities at the start. You sometimes see this when systems want to be able to send tweets and publish to your Wall.
Think this doesn’t happen? Well, I’ve run into it several times myself. I couldn’t figure out why twitterfeed was sending out tweets of my blog posts. I would log into the system and it didn’t show me that feed. I later realized that I had two logins. I had originally authenticated myself using OpenID. Later, I created another account by directly registering. I wasn’t seeing the feed because the system had no idea I had two accounts (and I had forgotten).
In the case of Disqus, it’s not quite as bad because they are basically using it to derive a name and picture that goes along with the comment. However, when Facebook Connect authentication wasn’t working and I chose to have the system get my name via Twitter OAuth, the system then thought that those were two different people named Tony Karrer. And you can see two different profiles with different sets of content.
Again, I think it makes sense for Disqus – but this complexity may make the simplest form of third party authentication not make sense for most startups.
Email Address
Almost every startup wants and needs email as a means of notifying users. Take a look at Startup Metrics. A lot of value is derived through being able to reach out in order to convert, retain, refer, etc. I need to do another post that looks purely at notification mechanisms – especially alternatives like direct tweets, Facebook messages, etc. In the meantime, I will say that most startups will want to have an email address for users. For good reason, Twitter, Facebook, etc. do not provide access to the email address.
Thus, what you often see is a request for the email address as part of the registration on top of making the Facebook Connect request. I don’t have the numbers on it, but my guess is that this both hurts registration percentages (you’ve just added a hurdle) and likely gets you a lot of bogus email addresses. You can roundtrip the email, but that puts up another hurdle and gets you farther from the immediacy you were going for.
As an example (and coming out of the comments), here's what Going.com does after you validate with FB Connect:
FB provides the following fields, and thus Going auto-fills them:
They need to ask for:
- Email address
- Password
- Permission to send email
Facebook can provide lots of other information - see Users.GetInfo.
There's a bit of a thorny issue about auto-filling. FB's policy is that you cannot store that data.
Bottom Line
This is a post that I’m hoping there will be people who will debate the value proposition with me. Right now, here’s how I summarize it …
For most startups, I’m not going to use third party authentication as the primary authentication mechanism. It’s too risky and problematic.
Instead, I may use third party authentication to get the registration process started. That means that I’ll get a name, picture, some demographic data and permissions on the social site. But I’ll still capture email and establish a separate password.
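To make the two points above concrete (one local user linked to several authorities so a returning user is recognized whichever button they press, and third-party login used only to start registration while the site still collects a verified email and its own password), here is an added example. It is not code from the original post or from Disqus, Going.com or any provider; it assumes a hypothetical in-memory store and that the OAuth/OpenID handshake has already produced a stable (provider, provider user id) pair. Only that pair is persisted; name and picture are read from the provider per request and not stored, which sidesteps the Facebook caching constraint.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# (provider name, provider's stable user id) as returned after Facebook Connect,
# Twitter OAuth, OpenID, etc. Only this pair is persisted; profile fields such as
# name or picture are fetched fresh from the provider on each login, not stored.
Identity = Tuple[str, str]

PBKDF2_ROUNDS = 200_000
SALT_LEN = 16


@dataclass
class User:
    user_id: int
    email: Optional[str] = None
    email_verified: bool = False
    password_hash: Optional[bytes] = None       # salt + PBKDF2 digest, set by set_password
    identities: Set[Identity] = field(default_factory=set)


class AccountStore:
    """Hypothetical in-memory account store (a real app would use a database)."""

    def __init__(self) -> None:
        self._users: Dict[int, User] = {}
        self._by_identity: Dict[Identity, int] = {}
        self._by_email: Dict[str, int] = {}
        self._pending: Dict[str, int] = {}      # email-verification token -> user_id
        self._next_id = 1

    def login_with_provider(self, provider: str, provider_user_id: str,
                            session_user: Optional[User] = None) -> User:
        """Resolve a third-party login to exactly one local user.

        Known identity           -> the user it is already linked to.
        Unknown + logged-in user -> link it to that user (explicit linking is the
                                    only way to avoid the two-accounts problem).
        Unknown + no session     -> create a new user seeded from the provider.
        Linking is never done by matching an unverified email from the provider,
        since anyone claiming that address could then take over the account.
        """
        key: Identity = (provider.lower(), provider_user_id)
        if key in self._by_identity:
            return self._users[self._by_identity[key]]
        if session_user is not None:
            session_user.identities.add(key)
            self._by_identity[key] = session_user.user_id
            return session_user
        user = User(user_id=self._next_id, identities={key})
        self._next_id += 1
        self._users[user.user_id] = user
        self._by_identity[key] = user.user_id
        return user

    def request_email(self, user: User, email: str) -> str:
        """Record an unverified address and return a single-use token to mail to it."""
        user.email = email.strip().lower()
        user.email_verified = False
        # Invalidate any earlier token issued to this user before issuing a new one.
        self._pending = {t: u for t, u in self._pending.items() if u != user.user_id}
        token = secrets.token_urlsafe(32)
        self._pending[token] = user.user_id
        return token

    def verify_email(self, token: str) -> bool:
        """Complete the roundtrip: the user followed the link carrying the token."""
        user_id = self._pending.pop(token, None)   # pop makes the token single-use
        if user_id is None:
            return False
        user = self._users[user_id]
        user.email_verified = True
        self._by_email[user.email] = user_id
        return True

    def set_password(self, user: User, password: str) -> None:
        """Establish a site-specific password, independent of any provider."""
        salt = os.urandom(SALT_LEN)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        user.password_hash = salt + digest

    def login_with_password(self, email: str, password: str) -> Optional[User]:
        """Local login that keeps working when every third-party provider is down."""
        user_id = self._by_email.get(email.strip().lower())
        if user_id is None:
            return None
        user = self._users[user_id]
        if not user.email_verified or user.password_hash is None:
            return None
        salt, digest = user.password_hash[:SALT_LEN], user.password_hash[SALT_LEN:]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return user if hmac.compare_digest(candidate, digest) else None
```

The linking rule is the part worth copying: a second provider is attached only while the user already holds a session, never by guessing from a matching email, and the site's own password plus a verified address mean a Facebook Connect outage of the kind described above does not lock anyone out.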
There’s a cost for each of the authentication mechanisms; is it worth it?
- Do I believe I’ll get more registrants?
- How well will I get publishing/viral behavior with third party authentication as compared to a Share button?
- Would the demographic data be valuable?
- Would friend information be valuable?
- Is there a particular kind of messaging on the social site that’s needed?
- Do I strongly believe that inviting friends is going to work well?
Depending on these answers, I may decide that I’ll do it.
Resources
Here are some related articles:
Love to hear your thoughts on this.