With timeline-maker.com we decided to use exclusively third-party logins: Google Account, Facebook, Yahoo and OpenID are available. We did this to avoid the overhead of having to develop authentication ourselves, and because it felt like it was reducing a barrier to entry – not having to register, click on links in confirmation emails etc.

We’re using the Janrain service, which I have to say is excellent. It integrates with Rails really beautifully and allows you to deploy authentication through numerous services. If you weren’t using Janrain, using third-party logins to reduce development time would be an own goal – even if you only support Google, Facebook and Yahoo, the creeping drag of keeping up with any updates to their authentication processes is a potential nightmare.

But let’s say you do decide either to use Janrain or to do the development yourself. The first problem is the questionable quality of the data you are going to get. For example, many people have Facebook or Yahoo accounts but don’t regularly check the associated email addresses. Even if they are active addresses, you might need to confirm with the users that you can use those addresses to send mail (though Campaign Monitor & Mail Chimp seem to disagree about this). This extra step negates part of the ease of use you got from the automatic login. Additionally, I’ve noticed that you often get horrible usernames from services like Yahoo & Gmail – “xxsun.shine.95xx”, rather than a nice name.

Depending on the permissions you ask for, you will be able to get the user’s Facebook data, or post to their feed. However, this is a double-edged sword – no matter how honest your intentions, plenty of users are put off by the intrusion that FB auth might represent. Rather than fiddle around with their FB permissions, they just won’t register.

Finally, if you offer a bunch of different login options then you’ve transferred the problem of remembering a password to remembering which service you used. This is exactly why I have multiple Stack Overflow accounts – I can’t remember which service I used.

Having been through various permutations, my feeling is that there is a lot to be said for developing your own authentication and, if necessary, allowing people to link a relevant other account to add functionality. The one scenario where I’ve seen third-party login work best was on the Monterosa 2-Screen apps:

  • You could only login through Facebook – no forgetting which service you used
  • You still use most of the features of the site without logging in, so if you didn’t have an FB account it didn’t really matter
  • The app let you play against friends, so it made total sense that you used your Facebook account – it wasn’t just a shortcut to harvesting an email address.
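As an added example (not code from the post or from Janrain), here is how the two data-quality problems above can be handled when third-party login payloads are resolved into local accounts: a provider-supplied email address is only trusted for linking when the provider asserts it verified that address, and the same person arriving via two providers is joined to one account instead of ending up with duplicates. The payload shape, `AccountResolver` and the sample identities are all constructed assumptions.

```ruby
# Added example, not the post's own code. Resolves constructed third-party
# login payloads (provider, uid, email, email_verified) into local accounts.
User = Struct.new(:id, :email, :email_verified, :identities)
Identity = Struct.new(:provider, :uid)

class AccountResolver
  def initialize
    @users = []
    @next_id = 1
  end

  def user_count
    @users.size
  end

  # payload is a hash like { provider: "google", uid: "123",
  #                           email: "a@example.com", email_verified: true }
  def resolve(payload)
    ident = Identity.new(payload[:provider], payload[:uid])

    # 1. Same provider + uid seen before: this is the same user.
    user = @users.find { |u| u.identities.include?(ident) }
    return user if user

    # 2. Link by email only when the provider says it verified the address
    #    AND our own record of that address is verified. Linking on an
    #    unverified address would let a provider account that merely claims
    #    an address be joined to the local account that really owns it.
    if payload[:email_verified] == true
      user = @users.find { |u| u.email_verified && u.email.casecmp?(payload[:email]) }
      if user
        user.identities << ident
        return user
      end
    end

    # 3. Otherwise create a new account; the email stays unverified (and so
    #    must not be mailed to) until the user confirms it themselves.
    user = User.new(@next_id, payload[:email], payload[:email_verified] == true, [ident])
    @next_id += 1
    @users << user
    user
  end
end

if __FILE__ == $0
  r = AccountResolver.new
  g = r.resolve(provider: "google", uid: "g1", email: "sun.shine@example.com", email_verified: true)
  y = r.resolve(provider: "yahoo", uid: "y1", email: "sun.shine@example.com", email_verified: false)
  puts "yahoo login linked to google account? #{g.id == y.id}" # false: unverified address
end
```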

Obviously there are many other factors etc.; I just wanted to relate some personal experiences…
