Registration sucks. Having to reregister for yet another site or build a registration for your service is a pain. Stop registering for new services and making people register for new services. Instead, in just a few hours, you can use Facebook or Twitter's sign-in system to create a verified user account for your web application or site. At SocialDevCamp, Chicago, Chris Grove, chief technology officer of KeyLimeTie, a software development company, gave a really good basic presentation on “Social Sign-In 101: What it is, why you want it and how you can make it happen.” Here is a presentation summary and follow-up interview. What is Social Sign-In? Social sign-in enables visitors to register for your website or application using their existing, and often preferred, credentials. If you make people create a new user account, it’s a barrier to getting them started. Use a third-party service such as Facebook, Twitter or OpenID as an identity provider. The features they offer range from simple authentication to advanced social integration, such as social sharing and posting on user walls. Don’t confuse authentication with authorization. Authentication is who you are. Authorization is what you’re allowed to do. Once you authenticate someone, your app will still create a user record that you’ll have to track their activity within your site or application. Advantages of Social Sign-In
- Reduces “login fatigue”
- Increased conversion rate when you make it easy to sign in
- Better contextual data – you can connect friends’ activity within the site/app
- Reduces implementation effort (do you really want to write another YAAS [yet another authentication service])?
- Increased security
Why You Don’t Want to Create your own Authentication
- Only 25 percent of users are generally willing to complete a registration
- Of that, 76 percent give incorrect/incomplete information
- When they forget their password, 45 percent leave a website rather than resetting
- Most users are willing to return to – and purchase from – sites that automatically recognize them
Source: Janrain 2010 study: "Consumer Perceptions of Online Registration and Social Sign-In" When Don’t You Want to Do social Sign-In?
- Handing off critical site functionality to a third party.
- Regulated industries may have issues.
- Increased operational costs – some start off free but once you hit a certain usage there’s a cost.
- Changing APIs can be a problem – Facebook has done this. Twitter dumped Basic Auth. You have to be able to react quickly when there are API changes. Third party providers can manage this.
How Do You Do Social Sign-In? The basic model: you call a site to authenticate a user. In return, you get a token. Use that token to get user information, which is returned to your site. You’ll have a unique identifier that servces as your user record. Best Practices
- Use social network branding – People like Facebook and Twitter. Make those logos very prominent. Take advantage of their brand awareness.
- Offer multiple ID providers – Don’t only offer one service. For example, while Facebook is popular, not everyone uses it.
- Provide reasons for people to register – Explain what the value proposition is for signing in. Combine sign-in and registration.
- Use available data to streamline registration - If you ask them to sign in with Facebook, and then you prefill a form for them, it speeds things up.
- Link existing accounts – If a user has an existing account, make it easy for them to link it to a social sign-in.
- Give clear confirmation once a user is signed in – They can visibly see it and there are new capabilities.
- Analyze to optimize – See which identity providers your visitors use the most. Note the order in which the icons are placed.
Implementation You have two choices:
- Write APIs for each individual provider, or use an aggregate API.
- Roll your own code, use a stand-alone API, or use an API that calls to a service.
Providers and APIs
- Identity Providers - Facebook, Twitter, etc.
- Stand-alone APIs - HybridAuth (PHP), OmniAuth (Ruby), SocialAuth (Java)
- Service APIs - Janrain, Gigya, Windsoc
If you make a mistake, or choose a service and API you don’t like, don't worry, it’s not too hard to rip one provider out and swap in something else, said Grove.