Although this has been around for a couple of years now, I still see people rejecting third-party login systems and saying they do more harm than good. But there are a few good reasons to use them!
For big sites, you will want your own login. For example, your bank, your twitter and other social networks, your google conglomerate of a profile, etc. But what about all those other websites that you would also like to register with and subscribe to?
This is where I feel there is a big misconception about the login features. Both google and facebook have a consent screen that tells you exactly what they are going to send to a website when you log in through them. But I think the website needs to be clear about its intentions with that information, and that logging in this way is actually just as secure (if done properly) as coming up with yet another password.
I’ve read articles from developers of widely used applications, and they seem to say that social logins may “give them too many options”, or that “people think it will take their password”. Maybe facebook tainted the login feature with its past implementations that allowed a third-party app to post things to your wall when you did not want that. In all cases, it shows that the user does not know the intentions of the platform using the social login, and they have the right to know. I believe this is a design flaw at this point.
Social logins make it easier to sign in to another service, and they also remove the hassle of handling a password for the user and of account management for the developer. Spam accounts are already dealt with on the facebook and google end, so this can cut back a lot of fake user accounts registered with fake emails. Heck, if the developer is smart enough to put in a social login, hopefully this means they know a thing or two about security. I wouldn’t want to trust a system that sends my raw password “over-the-wire” or doesn’t hash my password, now would I? And even if the app’s token handling turns out to be insecure, it really only hurts that app and does not compromise anything else.
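To make the “be clear about your intentions” point concrete, here is an added example (not code from the original post) of the server side of a social login that requests only identity scopes, so the provider’s consent screen shows the user exactly that and nothing about posting or reading feeds. It also binds the callback to the user’s session with a one-time `state` value and checks that the provider did not grant more than was asked for. The authorization endpoint is Google’s documented one; the client id, redirect URI and the session dict are placeholders I made up for illustration.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Google's documented OAuth 2.0 authorization endpoint (real); the client id and
# redirect URI below are constructed placeholders, replace them with your own.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "example-client-id.apps.googleusercontent.com"   # placeholder
REDIRECT_URI = "https://app.example/oauth/callback"           # placeholder

# Least-privilege scopes: enough to identify the user and get an e-mail address,
# nothing that would let the app post to a wall or read a feed. This is the list
# the provider's consent screen will show the user.
MINIMAL_SCOPES = ("openid", "email")

# Plain-language description to put next to the sign-in button, keyed by scope.
SCOPE_EXPLANATIONS = {
    "openid": "confirm who you are",
    "email": "see your e-mail address",
}


def describe_request(scopes=MINIMAL_SCOPES):
    """Text for the page: what the app will receive, and (implicitly) nothing else."""
    parts = [SCOPE_EXPLANATIONS.get(s, s) for s in scopes]
    return "Signing in lets us " + " and ".join(parts) + ". We never see your password."


def build_authorization_url(session, scopes=MINIMAL_SCOPES):
    """Return the URL to send the user to; stores a one-time state in the session."""
    state = secrets.token_urlsafe(32)          # unguessable CSRF binding
    session["oauth_state"] = state
    params = {
        "response_type": "code",               # authorization-code flow
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def handle_callback(session, callback_url):
    """Validate the provider's redirect and return the authorization code.

    Raises ValueError when the state is missing, reused, or does not match,
    or when the provider reported an error instead of a code.
    """
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)   # one-time use: pop, don't get
    received = query.get("state", [None])[0]
    if expected is None or received is None or not secrets.compare_digest(expected, received):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback missing authorization code")
    return code


def granted_scopes_within(requested, granted_scope_field):
    """True if the token response's space-separated scope field is a subset of what
    we asked for. A user may grant fewer scopes; the app should never end up holding
    more than it requested."""
    return set(granted_scope_field.split()) <= set(requested)


if __name__ == "__main__":
    session = {}
    print(describe_request())
    print(build_authorization_url(session))
```

The callback handler pops the state rather than reading it, so a second delivery of the same redirect fails the check, and `compare_digest` avoids a timing side channel on the comparison. After exchanging the code for tokens, `granted_scopes_within` is the place to refuse a token that somehow carries broader permissions than the app asked for.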
An example of a great social login, in my experience, was the modern game apps that use your facebook login to see if your friends are playing the same game. No posts were made to my account, and I didn’t have to worry about a password.
Trust is the key in this situation. Just putting a little lock image and a brief explanation next to it might make a world of difference. But be wary: having too many fields might scare away someone trying to log in. I would recommend not making the sign-in buttons too large or cluttered with words. And I would suggest offering one option or the other, such as “Sign in” text, then the social login buttons below, then maybe a link to switch back to the traditional username and password form.
For me, as a developer, I see these login methods as an opportunity to cut down on spam registrations, avoid numerous password resets, and let users sign in without having to retype a password each time (if they are already signed in to the service). I think the security and benefits just need to be relayed to the end-user, so they don’t think you are trying to steal all of the information from their social media account.
Sounds fair to me. Thanks for reading!