| ▲ | palata 9 hours ago |
| > Your users expect "Sign in with Google" and "Sign in with Apple." You can add email/password and passkeys, but removing social logins entirely is a conversion killer.
I know this is true, but I genuinely don't understand it. I want email/password and passkey, I will always go out of my way to avoid "Sign in with ...". I just don't get why people love this. |
|
| ▲ | williamdclt 8 hours ago | parent | next [-] |
| You really don't? It's just a ton easier for most users: it's (almost) like already having an account. Just click a couple times and you're in, no typing at all, no email confirmation or anything like that. I also avoid it because I'm concerned about being over-reliant on google (what if they close my account?) and I know how to use a password manager, but I easily understand how 90-99% of the population doesn't care enough and goes the low-friction route. |
| |
| ▲ | advisedwang 40 minutes ago | parent | next [-] | | > I also avoid it because I'm concerned about being over-reliant on google (what if they close my account?) Most of the "sign-in with google" accounts I have seen treat it as a shortcut to creating and logging in with an account with the primary email address of the Google account. So you can hit "reset password" and get a conventional password log-in to an account you previously made with the Google auth. If you get locked out of google, it's NBD. Of course, this is probably not universally the case. | |
| ▲ | yuppiepuppie 7 hours ago | parent | prev | next [-] | | Not to mention that B2B SaaS needs to provide the login methods that their customers need for their operations, and these typically rely on Google, Microsoft, Okta, etc. I work on auth for a European startup and this is the case. | |
| ▲ | palata 6 hours ago | parent | prev [-] | | That users choose to link their account to Google when they can does not surprise me. What surprises me is that if they cannot do it, they will just leave. The post says it is a "conversion killer". | | |
| ▲ | bdcravens 5 hours ago | parent | next [-] | | It's not so much that they'll leave, as much as some percentage will abandon during the signup flow. I know somewhere out there are statistics on those who have to click a link in an email only to get distracted by other emails, to say nothing of the time to fill out forms, create a password, save to password manager, open your 2FA app for the more advanced users, etc. | |
| ▲ | Mawr 10 minutes ago | parent | prev [-] | | The higher the friction, the lower the probability of conversion. E.g. Amazon famously found every 100ms of latency costs them 1% in sales. At its most simplified, this can be thought of as a simple function of time — the more time something requires, the higher chance something else happens during that time, invalidating the original task. The best sign-in flow is none at all — that's what e.g. Discord does. They let you use the app immediately, with an automatically created provisional account. Amazing user experience. This applies universally — convenience is everything. |
|
| ▲ | snayan 7 hours ago | parent | prev | next [-] |
| I assume your circle is mostly tech people? Outside that bubble, it's pretty obvious. People just want easy, don't understand security in many cases, it's the simplest path. Even absent the above. Imagine a signup flow. I can either click <Sign Up With Google> or I can go through a manual flow with input fields. The former is much faster than the latter. It surprises you people choose the path of least resistance? |
| |
| ▲ | palata 6 hours ago | parent [-] | | It does not surprise me that people choose the path of least resistance. I find it sad that they happily connect everything to Google/Apple. What surprises me is that it is a "conversion killer". So if you ask people to create an account, it's sooooo very hard for them that they will just leave. And spend the next 30 minutes scrolling TikTok, I guess? | | |
| ▲ | touristtam 5 hours ago | parent | next [-] | | How many services do you have subscribed to? From simple PHPBB boards to very much official product and online shops? How do you manage all those username/password? The single point of failure of relying on Google/Apple is real, but so is the manual and laborious process to auth via email/password and the management that goes with it. | | |
| ▲ | palata 4 hours ago | parent [-] | | I have 400 entries in my password manager. I manage them with my password manager. There is no single point of failure. | | |
| |
| ▲ | snayan 5 hours ago | parent | prev | next [-] | | It definitely surprised me just how lazy humans are on average. The amount of effort people are willing to exert on sign ups, etc... The drop off with each additional field blew my mind. | |
| ▲ | bdcravens 5 hours ago | parent | prev [-] | | Probably suggests that the service is less valuable to them than TikTok. | | |
| ▲ | zbentley 2 hours ago | parent [-] | | You'd be surprised. I've worked on a municipal/local-area webapp that launched with auth and a create-account form. Userbase in the low 100ks, a few interactions a year. It was an ordinary create-account form: name, address, email/phone, no payment info or government ID. The only alternative to this service--and I do mean only--was to go into a city office and wait in line/fill out forms. Failure to do either resulted in a fine (I forget how much; in USD it would have been less than $50 I'm pretty sure). Before we added SSO, huge numbers of users would enter but never complete the signup flow. We assumed they were making the (baffling) choice to take time to go to an office and wait in line over filling out a web form. A year later, we added Google and Facebook login. Failures to finish signup dropped to almost zero (a lot of folks were still bailing out of the manual create-account form without finishing, but they were then falling back to Google/Facebook). More surprising, that year the net number of signups (across web and brick and mortar) more than tripled. People weren't choosing in-person over filling out the create-account form. They were choosing to pay a fine instead of filling out the create-account form. So ... I don't know about "less valuable than TikTok", but a lot of folks' decisionmaking sure is wild. |
|
| ▲ | willy__ 9 hours ago | parent | prev | next [-] |
| People usually have either one or the other account already, because it came with their smartphone. It is frictionless from their point of view. |
| |
| ▲ | palata 6 hours ago | parent [-] | | Sure, but what the post says is not that they will go for the easier path. It says that if they don't get to link their account to Google/Apple, they will completely give up (it is a "conversion killer"). | | |
| ▲ | willy__ 6 hours ago | parent [-] | | Well.. it's the flip side of those social logins being known and proven conversion boosters. If you actively decide against them, you are losing a low effort tool to boost your CR. |
|
| ▲ | rithdmc 7 hours ago | parent | prev | next [-] |
| HN is going to skew towards people with password managers & concerns about vendors locking you out. I think most people just want low friction - be that 'Sign in with', or passwordless-based authentication like 404media (you want to sign in? You've been emailed a code) |
| |
| ▲ | lII1lIlI11ll 5 hours ago | parent | next [-] | | > passwordless-based authentication like 404media (you want to sign in? You've been emailed a code) How is this low friction to manually copy/paste a code from email as opposed to allow a password manager to log me in automatically?! This kind of authentication is the stupid current trend I hate the most TBH. | | |
| ▲ | rithdmc 4 hours ago | parent [-] | | > > HN is going to skew towards people with password managers | | |
| ▲ | palata 4 hours ago | parent | next [-] | | Towards people with password managers, or towards people who want to have the freedom to choose how they log in? I also hate those damn login emails. | |
| ▲ | lII1lIlI11ll 4 hours ago | parent | prev [-] | | But everyone has a password manager now. They come built in to all major browsers, Apple ecosystem, etc. My non-technical girlfriend uses one. | | |
| ▲ | rithdmc 4 hours ago | parent [-] | | Yeah, and I support anything that makes security by default easier. I'd love to see adoption numbers for in-browser password managers, though, because I feel it's not very high yet. | | |
| ▲ | palata 3 hours ago | parent [-] | | > I'd love to see adoption numbers for in-browser password managers, though, because I feel it's not very high yet. Why specifically in-browser? | | |
| ▲ | vel0city 2 hours ago | parent [-] | | Because without that the argument of "everyone has a password manager" fails. Tons of people don't have 1Password or Bitwarden or LastPass or KeePassXC or whatever. So sure, they might technically have a password manager installed, in that every major browser has a password manager included. But do they actually use it? That's what really matters. | | |
| ▲ | rithdmc an hour ago | parent [-] | | Yeah, this is why. "in-browser" was unclear when I also meant the iOS ecosystem password manager and stuff. |
|
| |
| ▲ | Macha 7 hours ago | parent | prev [-] | | I'm not sure non-technical people have a good understanding of or experience with passwordless email login either. While doing tech support I've seen people get very confused at the need to open another app to log in or the fact that they're now logged in in the webview of their email app and not logged in in the app or browser they had been using (especially if the first thing that web view does is pop up a giant "try the app" modal) | | |
| ▲ | rithdmc 7 hours ago | parent [-] | | I can't stand the 'use the app' nag modals! Thanks for your insight. Outside of being a consumer, and as a security engineer one who appreciates things like passwordless, my experience comes from my employer's passwordless rollout. The sentiment is broadly positive, but we would veer to a technical user base, and sentiment misses the nuance you brought up. |
|
| ▲ | jlokier 5 hours ago | parent | prev | next [-] |
| Something I didn't see in the other comments is users who are using the startup's service for work, as an employee. Why wouldn't you choose the simplicity of "sign in with Google" if your work email is on Google Workspace, using the entire Google suite of business tools for everything (gmail, chat, meet, docs, drive, auth, etc) and everything you do at work is known to Google anyway? Making an email/password account with your work Gmail is just extra steps, one more password to store, and perhaps the inconvenience of one more 2FA thing. Google gets the same information either way. Similarly why wouldn't you choose the "sign in with Microsoft" if your work is all in on the Microsoft suite of business tools (teams, office, onedrive, auth, etc.) and everything you do at work is known to Microsoft anyway? |
|
| ▲ | s_dev 5 hours ago | parent | prev | next [-] |
| > I just don't get why people love this. For a single personal user it's only a small bit of friction but if you're in charge of 30 people SSO is a godsend for boring compliance work and managing groups of people. You want to change a domain in the company not a big deal. Don't have to rotate passwords every quarter, need to restrict an employee from a service etc. You aren't imagining other challenges other than your own here. |
| |
| ▲ | palata 4 hours ago | parent [-] | | That is an interesting take, but it's off topic. The post says that if you don't have the SSO, it's a conversion killer. I.e. users just won't log in if they cannot do it with an SSO. Of course companies use SSO because it gives them more control over the employees' accounts. I understand why companies do it. |
|
| ▲ | rebyn 3 hours ago | parent | prev | next [-] |
| “Sign in with Apple” allows me to use a random “Hide My Email” address for services that I can’t bother with so it’s absolutely a godsend for me. |
|
| ▲ | oytis 4 hours ago | parent | prev | next [-] |
| > I just don't get why people love this. For the same reason why companies implement SSO for employees? It's just easier to have one account with one password to rule them all. |
| |
| ▲ | palata 4 hours ago | parent [-] | | Companies implement SSO to have control over the accounts of their employees... Pretty sure they would still do it if it was more complicated. And that is also why companies don't allow employees to use anything other than the SSO. | | |
| ▲ | oytis 3 hours ago | parent [-] | | Well, it gives you easier control of your accounts too. Just one entry point for everything, no need to track password leaks from dozens of services (you still need to keep an eye on whether Google has leaked your password, but in that event everyone will know and be working hard to fix it). From the point of view of technical people it would be easier to achieve the same with password managers, but for the rest of us Google provides a smoother user experience. |
|
| ▲ | zbentley 3 hours ago | parent | prev | next [-] |
| It's a few things (source: I've worked on some large online B2B systems and seen signup flow funnel data for some even larger B2C systems):
1. Ease/laziness as others have mentioned. Even for a service that answers a real need, many users will bail out of the signup flow and just ... leave that need unsatisfied when they see a web form.
2. Underreported: google/apple sign-in buttons make it feel like you already have an account. The fact that the "grant access" new-signup request is a second screen and that "sign up" and "sign in" (with Google/Apple/Github/Facebook/etc.) are the same buttons to enter the funnel is huge. It's not that users are confused/forgetting whether they already have accounts (though some are); rather, it's psychological momentum created by the ambiguous language.
3. Trust and consistency. Nontechnical users just trust the recognizable brand buttons more. They don't necessarily know why/know how auth works, but they know that a lot of data breaches happen and are scared. The fact that the embed button almost always looks the same/familiar is massive. I suspect that it would also be a conversion killer if the "sign in with apple/google" buttons were styled to look totally different and not contain logos.
4. A lot of semi-technical folks don't like remembering passwords (and password managers--even good device-integrated ones--aren't as reliable at autofilling as a lot of casual users would like). Others know that it's a bad idea to reuse passwords. As a result, people use the button that doesn't require them to pick a password they'd have to remember.
5. Impression of privacy. Some (especially older) nontechnical users have a significant aversion to typing in their personal info (name/address/CC number) into online forms, so they pick the option that doesn't require that.
6. Technical people who prefer SSO because it gives (on the SSO provider side) a list of every integrated account; better permissions control (for services that integrate with e.g. Google for more than just login); a marginal chance of a little less data being stored on a service's servers versus the regular make-an-account option; somewhat fewer opportunities for a service to screw up auth by building it themselves wrong. This demographic is small compared to less technical users.
That's all presented without comment. Some of those points are based on exploitative provider behavior, or user ignorance. I'm just explaining the decisionmaking factors, not defending them. Add all those up, and you definitely get a conversion killer. |
|
| ▲ | apexalpha 7 hours ago | parent | prev | next [-] |
| My email goes to the same company I can login with so might as well tap the button. |
| |
| ▲ | palata 6 hours ago | parent [-] | | But if there is no Google/Apple button, will you just leave? Like not even create an account? That's what "conversion killer" means. | | |
| ▲ | bdcravens 5 hours ago | parent | next [-] | | I may start to create an account, but after about 30 seconds of effort, I'll start asking myself if it's really a service I care about. Send me an email? If it's not there by the time I click my email tab, odds are pretty good I won't wait around unless it's a truly compelling offering. Want me to fill out a form? If it's anything more than just an email and a password field my password manager can complete for, again, I'll question whether I want you to have that info about me. So no, I may not leave, but each tiny bit of friction increases the possibility of abandonment. From the perspective of conversion, abandonment is the same as "just leaving". | |
| ▲ | apexalpha 6 hours ago | parent | prev [-] | | I won't but a decent % of people do ye. In fact a decent % of people stops shopping on your site if there's a few ms lag. At every step a few percent of revenue is lost your competitor takes in. | | |
| ▲ | throwaway063_1 3 hours ago | parent [-] | | > In fact a decent % of people stops shopping on your site if there's a few ms lag. While it's still true, I have read that the accepted lag today is higher than 10-15 years ago, because they have lower expectations due to a general decline in page load speed. (React pages with spinners/placeholders, newsletter popups, higher page weights etc.) |
|
| ▲ | hnarn 7 hours ago | parent | prev | next [-] |
| > I just don't get why people love this. I wonder if there will ever come a day where the average HN user actually understands how normal people use technology. Just observe anyone in your social circle that does not "care" about technology and you'll see their reaction to a login prompt when trying, not rarely under time pressure, to access a service they haven't used for a while. They will sigh, maybe roll their eyes. And who can blame them? The same goes for registering to a new service. Normal people don't use password managers, they don't have Bitwarden with auto-fill, nor do they ever "generate" passwords. "Sign in with..." offers them a way out of a frustrating experience, it's the device telling them "Hey, would you just like to use this thing you're already logged into instead?" -- yes, obviously they would like that. |
| |
| ▲ | palata 6 hours ago | parent [-] | | > I wonder if there will ever come a day where the average HN user actually understands how normal people use technology. Well, I wouldn't say I don't understand it. If someone uses their smartphone as a hammer, regularly breaks it and regularly buys a new smartphone, I understand what they are doing. I just don't understand why they are doing it, I guess? In this case, the post says that it's a conversion killer. So people are so damn lazy that if they can't click on "share the information with Google", they will just leave. | | |
| ▲ | jlokier 5 hours ago | parent [-] | | Both available choices "share the information with Google" for most people. The majority of email account creations use a Gmail or Google Workspace address, so Google gets the information either way, and in Europe most use Android so can't sign in with Apple. | | |
| ▲ | palata 4 hours ago | parent [-] | | Again that's off topic. I'm not talking about the fact that people choose the Google SSO instead of username/password. I'm talking about the fact that people choose to not use the service if there is no SSO. | | |
| ▲ | vel0city 2 hours ago | parent [-] | | Because they don't want to have those experiences where they sigh, roll their eyes, then try and remember a password they made months ago just so they can continue using this thing they signed up for. So they just skip the service altogether. |
|
| ▲ | aa-jv 8 hours ago | parent | prev | next [-] |
| In my experience it's been the users who principally only have a mobile phone - i.e. no desktop - and therefore want the benefit of the phone-managed account system tied to .. biometrics, etc... |
|
| ▲ | bjourne 9 hours ago | parent | prev [-] |
| Heard of haveibeenpwned? You'll end up there, eventually. |
| |
| ▲ | vikaveri 8 hours ago | parent | next [-] | | If you end up, for some reason, being one of those unlucky individuals whose Google account gets banned and all your other accounts are behind Google login, then you truly have been owned. | |
| ▲ | zelphirkalt 8 hours ago | parent | prev | next [-] | | You mean when using "sign in with" and then using a shitty password for your social media account? If you use e-mail and password with a good password manager, that runs locally on your device and generates good random passwords, it is unlikely you will end up on haveibeenpwned, and even if one website does shit, the blast radius is only one account on one website. | | |
| ▲ | bjourne 8 hours ago | parent [-] | | You'll still have your e-mail address exposed, which you may not want if it is to some random porn site. Moreover, password managers do not work if you use multiple devices for log in, which most people actually do. | | |
| ▲ | Sharparam 7 hours ago | parent | next [-] | | I use my password manager across multiple devices daily. Apparently it has not been working without me noticing it? | | |
| ▲ | bravetraveler 5 hours ago | parent | next [-] | | I assume they're thinking about the 'offline' style where one would shuffle a database file and probably resolve conflicts. There's an app/extensions nowadays, man! I don't even bother with a VPN, just occasionally push a 'sync' button on the roaming devices [when they return to LAN]. DB transactions [new credentials] averages ~0 per month... but there's plenty of capacity. Works extremely well. | | |
| ▲ | quadruple 3 hours ago | parent [-] | | The truth is that even with KeePassXC, I just really do not notice stale passwords across devices.
It's just really not a huge deal for me personally. Maybe it is for normal people.
I sync my databases maybe once a year if I'm lucky. | | |
| ▲ | bravetraveler 24 minutes ago | parent | next [-] | | Right, that's what I was trying to emphasize. Rare syncs are totally fine here, too. I try to keep a routine but tend to slip. If not 'with my usual device' there's a tiny number of accounts I even need. They rarely change so the cache is usually fine. Password management for an individual is no big deal. For an organization, however... send help. | |
| ▲ | palata 3 hours ago | parent | prev [-] | | Same here. I use pass, and I just don't create/update passwords that often. And synchronising is very easy (it's a git repo). |
|
| |
| ▲ | bjourne 3 hours ago | parent | prev [-] | | ... And how do you access the passwords that password manager manages? | | |
| ▲ | palata 3 hours ago | parent [-] | | With the "password manager" program? I have one on my desktop and one on my smartphone. How do you expect to access the passwords that the password manager manages? | | |
| ▲ | bjourne 2 hours ago | parent [-] | | ... Can everyone in the world read our passwords or are they "protected" somehow? |
|
| |
| ▲ | throwaway063_1 3 hours ago | parent | prev | next [-] | | If you sign in with Google, the site knows your gmail address. | |
| ▲ | flexagoon 7 hours ago | parent | prev [-] | | Email aliasing is a thing |
|
| |
| ▲ | bravetraveler 8 hours ago | parent | prev | next [-] | | Risk Bob's Salad Shack leaking an inconsequential, unique, credential or bind everything to the whims and identity of a single organization; hmm. | |
| ▲ | Nextgrid 8 hours ago | parent | prev | next [-] | | Ending up on HaveIBeenPwned is only a problem if you reuse passwords. | | |
| ▲ | bjourne 3 hours ago | parent [-] | | Nope. It is a problem if you reuse email addresses. | | |
| ▲ | palata 3 hours ago | parent [-] | | Are you saying that you reuse the same password everywhere, but a different email address every time, and you feel confident that having your password leaked won't have repercussions? I am genuinely confused. Sounds like holding a gun from the wrong end and feeling protected by it. |
|
| |
| ▲ | raincole 8 hours ago | parent | prev | next [-] | | Password manager. Before inevitable "what if your password manager is hacked...," what if your google account is hacked / banned? | | |
| ▲ | palata 3 hours ago | parent | next [-] | | Agreed. Just wanted to add: > Before inevitable "what if your password manager is hacked My passwords are encrypted with a security key. I think it is more likely for my computer to get compromised than for my password manager to leak the passwords. Admittedly, if I lose all the security keys at the same time, I lose all of my passwords. | |
| ▲ | 63stack 8 hours ago | parent | prev [-] | | You don't even need a password manager, browsers autogenerate secure passwords for you, and they sync between computers/mobile devices. (I'm saying this from the perspective of "regular people don't want to be inconvenienced like that, obviously you should use an external password manager for security) |
| |
| ▲ | palata 4 hours ago | parent | prev | next [-] | |
- Complains about age verification because it is "not private"
- Uses Google SSO to sign in everywhere | |
| ▲ | danelski 8 hours ago | parent | prev | next [-] | | Sign-on with the external identity provider doesn't help if data related to your account like the billing information, your government ID info etc. are released in the breach, that's the sore point. | |
| ▲ | wraptile 8 hours ago | parent | prev [-] | | People will know that my password was y!2TvM8h3dpvw4 for one particular website at some point. What do I lose here? Google/Apple incurs much greater risk that is entirely out of your control. |
|