Lady Gaga And The Death Of The Login
These days, it’s hard not to know about Lady Gaga (and if you don’t know her, here’s her latest music video to get you started). She’s become one of the hottest pop acts in the world, all by combining music, fashion, and a little bit of “Andy” (either Warhol or Kaufman – take your pick). So what does this have to do with software? Well, get this: an astonishing 89% of the people who create an account on LadyGaga.com choose to do so using third-party authentication from Facebook, Twitter, or Myspace.
Just think about that for a second. That means that nearly 9 out of 10 people creating special-purpose web accounts are doing so using their social networking platforms (skipping all those annoying new account questions like password, age, location, and favorite pet in the process).
This is huge, and it represents a big shift in the way people are going to interact with your website in the future. If 89% of users are doing this on a mass market website like LadyGaga.com, then I guarantee they’re going to be doing it on other sites as well. So what does this mean?
This presentation (PDF) from Brian Ellin of JanRain, the company that developed the authentication for Ms. Gaga’s site, provides some great answers and ideas. For example, good services like Facebook or Twitter will have already verified the user’s email address, meaning you won’t need to do that again. They also handle the user’s passwords, take care of tracking all 15 of their email addresses, and know all that extra information about their age and location.
Third-party authentication can also simplify joining a site. By using simple buttons and small popup windows to complete the login process, you can avoid taking the user off the site and away from the action. In many cases, once a new user has logged in for the first time, their future logins can be completed with the click of a single button.
With all that in mind, these fancy new authentication systems deserve careful scrutiny by security experts and software testers. Most of these third-party authentication systems have a good reputation, and there’s no reason to believe otherwise. However, good testing is always essential. Here are a few things for testers to consider:
- Does the site log you in correctly?
- Does it let you log out or disconnect?
- Does the site adhere to the social network’s privacy guidelines? In other words, will the site spam your friends, fill your wall with garbage, and take your personal information without your consent?
- What happens if you log in with multiple systems (e.g., Facebook and Twitter at the same time)?
- Can you manage your settings for things like email notifications and reminders the same way as if you had created an account the old-fashioned way?
- Does the site offer a way to merge accounts? Does it work?
- How often does the site post things to your social network, if at all?
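One way to turn the multiple-login, merge and disconnect questions above into repeatable checks, as an added example that is not from the original post or from JanRain. The `AccountStore` class, its methods and the sample ids are hypothetical, and it assumes accounts are keyed on the provider plus the provider's user id, never on a display name.

```python
class LinkError(Exception):
    """Raised when a merge or disconnect request is refused."""

class AccountStore:
    """Hypothetical store: accounts are keyed by (provider, provider_user_id)."""
    def __init__(self):
        self._next_id = 1
        self.identities = {}  # (provider, provider_user_id) -> account_id
        self.settings = {}    # account_id -> notification settings

    def login(self, provider, uid):
        """Return the account for this identity, creating it on first login."""
        key = (provider, uid)
        if key not in self.identities:
            self.identities[key] = self._next_id
            self.settings[self._next_id] = {"email_notifications": True}
            self._next_id += 1
        return self.identities[key]

    def linked(self, account_id):
        """List every provider identity that logs in to this account."""
        return sorted(k for k, v in self.identities.items() if v == account_id)

    def merge(self, keep_id, drop_id):
        """Move all identities of drop_id onto keep_id; keep_id's settings win."""
        if keep_id == drop_id or keep_id not in self.settings or drop_id not in self.settings:
            raise LinkError("merge needs two distinct existing accounts")
        for key in self.linked(drop_id):
            self.identities[key] = keep_id
        del self.settings[drop_id]

    def disconnect(self, account_id, provider, uid):
        """Unlink one identity, but never the last one (that locks the user out)."""
        if self.identities.get((provider, uid)) != account_id:
            raise LinkError("identity is not linked to this account")
        if len(self.linked(account_id)) == 1:
            raise LinkError("cannot disconnect the only login method")
        del self.identities[(provider, uid)]

def run_checklist():
    """Walk the merge and disconnect items using constructed sample ids."""
    store = AccountStore()
    fb = store.login("facebook", "fb-1001")   # first login creates an account
    tw = store.login("twitter", "tw-2002")    # second provider: separate account
    store.settings[fb]["email_notifications"] = False
    store.merge(fb, tw)                       # user asks to merge the two
    store.disconnect(fb, "facebook", "fb-1001")
    return store, fb, tw
```
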
Have you used third-party authentication? I would be interested to hear what you think about it, either from a development or testing point of view.






Federated identity management is the wave of the future — I think it’s not going to be long before corporations are registering their employees with a commercial shibboleth-style authentication provider with local caching, and then using that authentication for all major services in the enterprise, as well as external services, possibly even physical security like touchpads and card swipes.
Wow Rick, it’s been a long time since I’ve heard about Shibboleth. Blast from my past…
So let me ask you something: is there even a future for “internal” authentication at all? If I have an identity set with Google or Facebook, do I need another one at my school or work?
Looking at the site, the answer to “why” is obvious. For once, the usability of the site login is great, it emphasizes the login through different accounts, and from that point of view they are shown as primary means to log in.
Thinking about usability, we have to consider that most people are stupid and lazy, and only do what seems to be the most obvious (if there’s no “obvious”, that’s bad usability). They don’t choose to log in through Facebook because it’s possible, but rather because they are told to do so. The buttons are clear, highly visual and well positioned whereas the “sign up” link is hardly visible.
So I wouldn’t say that it’s because users are getting used to 3rd party login or realizing the possibilities. It’s because web designers are and they can control people to some extent. Bring it to them, and they will use it. It’s not that they have realized its possibilities in masses, that would be overestimating the crowds’ intelligence.
Matti – great perspective. The “design factor” is a huge part of the success or failure of outside authentication.
@RickRussellTX:
“Federated identity management is the wave of the (not-too-distant) future.”
Did you see this news?
http://blog.internetnews.com/kcorbin/2010/03/feds-tapping-google-paypal-equ.html