SXSW: Social Login Is Magical But Tricky

Facebook Apps In Action

New social websites and applications increasingly piggyback on existing ones, using "login with Facebook," "login with Twitter," or "login with your Google account" functions rather than expecting users to create accounts specific to their own sites or services.

"To the user, this looks like magic," said Matthew Rothenberg, head of product at Bit.ly and moderator of a panel discussion on the topic at South by Southwest. The SXSW panel included representatives from Facebook, Twitter, and Google to talk about the Single Sign-On (SSO) authentication and account integration services they make available to developers. For developers, "this seems absolutely fantastic--and for the most part it is," Rothenberg said. Yet he also cross-examined the panelists on the parts that can be very hard, such as dealing with standards that each service implements a little differently and the pitfalls of reconciling accounts across different services.

"Some of you let me ask for an email and some don't," Rothenberg noted. In order to make sure Bit.ly captures that information, "we wind up doing what you're not supposed to do with SSO, which is throwing up another screen saying we also want you to supply this other bit of information," he said.

Facebook makes email addresses available, with the user's permission, but Twitter does not even though it uses some of the same basic Web standards.

The most broadly adopted standard for authorizing one website to share account information with another is OAuth, which generically specifies the mechanics for interactions like those Facebook pop-up windows that ask you to grant an application a list of permissions for different types of access to your Facebook account. Twitter and Google also support OAuth, and Google also supports OpenID, another standard for logging into one account using credentials associated with another. These mechanisms simplify life for users, who can use many websites without having to remember as many user names and passwords, while also lowering the technical burden on the websites. This is one of the most powerful techniques for boosting viral adoption.

As social login becomes more the norm than the exception, "it becomes all the more of a turnoff when you hit a site that wants you to fill out a signup form," said Matt Kelly, an engineer in the developer relations group at Facebook.

"If I was creating a startup tomorrow, I would start with SSO. I wouldn't want to build my own identity system," said Joseph Smarr, an engineer at Google and a technical lead on the Google+ project.

When a new site allows you to create an account using an existing Web identity, it simplifies one of the thorniest problems in Web development, said Twitter API product manager Cynthia Johanson. "A big part of the signup flow is that you risk losing the user at every single step," she said.

Although all three of the major services can address this requirement, each has a different personality and different ground rules--for example, on the use of pseudonyms as opposed to real names--and might be suitable for different types of applications, Smarr noted.

The services "all have slightly different social graphs and different expectations," Johanson said. The key is that however data is used and shared "to make sure the user is aware of it transparently and that when we work with that data, we do so with the user's permission."

Kelly made the case for Facebook's clear supremacy, however. "We're really leading the charge in terms of figuring things out related to SSO and all the complexity around it," Kelly said. "Even if I wasn't at Facebook, I would definitely start with Facebook," he said, both because of the variety of Facebook services for websites and because Facebook's popularity "helps with distribution." For example, Facebook integration is a big part of the secret of the success of social media startup Pinterest, he said.

Janrain got a few nods from the panel as middleware for connecting to multiple social services, although Kelly cautioned against taking a scattershot approach by trying to connect to every possible service. "I would start with one, or a few," he said, in order to do a good job of integration with the select few. "Most successful companies we deal with A/B test everything," he said, referring to the technique for testing an application or online experience by exposing segments of the audience to alternative versions and measuring which gets the best response. Picking a more manageable number helps make that practical.

Rothenberg also warned that implementing social login can be deceptively simple. He found that out in a previous role at Flickr, "where we created a lot of problems we weren't aware of when we implemented this." Suddenly the biggest complaint coming in to Flickr support, he said, was to the tune of "Oh my God, you deleted all my photos, you bastards!" When the software failed to match a social login with an existing account, it would create a new account, and people would wind up logged into an account that looked like it was theirs except that it was empty.

"That tends to freak people out," Rothenberg said.

"I think we need to do a better job of leading by example," Smarr said, by pointing out the best and most successful social login implementations. "We need to give people a recipe to follow. We have reasonably good answers for these things now."

Follow David F. Carr on Twitter @davidfcarr. The BrainYard is @thebyard and facebook.com/thebyard

The Enterprise Connect conference program covers the full range of platforms, services, and applications that comprise modern communications and collaboration systems. It happens March 26-29 in Orlando, Fla. Find out more.