Why I'll never pick the 'sign in with a Facebook or Google account' option

August 2, 2017

Recently I read Mike Hearn's 'Building account systems', where he strongly recommends that people not build an account system themselves but instead outsource it to Facebook and Google via OAuth. When I read that, I winced; not just at the idea of having 'sign in with ...' as my only option, but also because Mike Hearn's arguments here are actually solid ones. As he covers, it is a lot of hard work to build a good web account system and you will probably never be able to do it as well as Google and Facebook can.

I have any number of moderate problems with big-site OAuth, like how it gives Google and Facebook more information on my activities than I like (information they don't normally get). But this is not the core reason why I assiduously avoid 'sign in with ...' options. The core reason is that when I sign in with OAuth, my Facebook or Google account becomes a central point of losing access to many things. If Google or Facebook decide that they don't like me any more and suspend my account (or lock me out of it), I've probably lost access to everything authenticated through OAuth using that account. If I had to use 'sign in with ...', that could be any number of things that I care very much about, far more than I care about my Google or Facebook account.

Facebook is far more dangerous here. Google generally doesn't seem to care if you have multiple accounts, while Facebook wants you to have only one and may suspend it if they decide that you're using a fake name. It's nominally possible to make a separate Google account for each site that demands you sign in with Google; it's not with Facebook as far as I know, at least within their Terms of Service.

(The other issue, as seen in an interaction with LinkedIn, is that using these sites as OAuth sources requires agreeing to their TOS as well as the TOS for the site you really care about. But then, everyone ignores TOSes anyway because if we didn't we'd all go mad.)

I have never personally been locked out of my Google or Facebook account (although I did worry about G+ stuff before the Google Reader shutdown). However, on a global scale it happens to plenty of people (anguished stories about it show up periodically in the usual circles), and I actually know someone who is currently locked out of their GMail account and is rather unhappy about it. As a result, I very much want to separate out all of my online accounts and I basically insist on it. So for entirely selfish reasons I certainly hope that web sites don't listen to Mike Hearn here.


Comments on this page:

For years now, I have wished that there was a way to centralize authentication across websites but where the auth server was under my control. If such a system existed, I think it would address your concerns too.

I imagine that one would register for an account on some website, and then add the custom auth server host information to the account. From then on, one could log in using the custom auth server. (Or directly with the original creds in case the auth server is down!) Yeah, it's sort of reinventing Kerberos.

> For years now, I have wished that there was a way to centralize authentication across websites but where the auth server was under my control. If such a system existed, I think it would address your concerns too.

There was a system similar to what you describe. It was called Mozilla Persona (previously BrowserID). Unfortunately, nobody significant picked it up so it was eventually killed.

Jeff, this is what OpenID was created for. I actually set one up 10 years ago or so, but it never really caught on (go figure).

Written on 02 August 2017.
Last modified: Wed Aug 2 01:34:07 2017