On May 29, Amazon launched the "Login with Amazon" button, which will allow us to use our account to make transactions or interactions on other sites. For example, we can certainly use it to review a book on the Goodreads site (bought by Amazon for around 200 million on March 29). Amazon thus becomes the latest in a long list of digital identity providers.
Let's get to some definitions first, as the terminology for the concepts covered in this article is not formalized.
Single sign-on means using a digital identity that you already have to create an account on a third-party site (and connect to it). For example, I use my corporate Google account to log into our timesheet system, a cloud-based application.
Social authentication adds to the concept of single sign-on that of social integration, that is, the possibility of using the connections that we already have on social networks. For example, by choosing my Facebook account to create an account on Pinterest, the site was able to use it to show me the activity of my friends on Pinterest.
There are many providers: Facebook, Twitter, LinkedIn, Google, Foursquare, PayPal, OpenID, Yahoo, GitHub, etc.
Of these, Facebook is chosen most often by users, with 46%. Google is not far behind, however, with 33% and rising.
When choosing which identity providers to offer your visitors, you have to keep in mind the context of your site. For example, GitHub is a good choice for any application that involves programming, but it's completely inappropriate on any other type of site.
If the service is of a personal type, Facebook and Twitter will be particularly appropriate. Incidentally, Foursquare and Pinterest offer precisely these two identity providers.
Google is a good choice since many companies have adopted Google Apps as their email service. In this way, the employee of a company can log in at all times with his corporate identity. Trello and SurveyMonkey apps are good examples.
By making the registration and authentication process easier, one would expect the conversion rate to increase. Indeed, increases have been observed:
88% of Internet users admit to providing bogus data in registration forms. Single sign-on, on the other hand, promotes the use of truthful information, because it is the most obvious alternative that presents itself to the Internet user.
Logging in through a digital identity provider can foster user engagement by enabling:
It is worth noting that when you use, for example, Facebook to authenticate on a site, that site never has access to your password. The mechanism thus prevents the user from reusing the same password on several systems, a very widespread but insecure habit. Also, major identity providers such as Twitter and Google now offer two-factor authentication, which your site will probably never be able to offer given the complexity of implementing such an approach.
In summary, the idea is to transfer the complexity of offering security-enhanced authentication to digital identity providers.
The main disadvantage is the increased complexity needed to implement social authentication. Fortunately, applications such as Gigya or Janrain promise to greatly simplify this process in addition to reducing the maintenance required.
If the identity provider is down, the user will not be able to authenticate to the site. However, if you have your users' email addresses, it will always be possible, if necessary, to offer them the option of choosing a password.
By offering multiple identity providers, there is a risk that the user will not remember which provider he used to create his account. However, if you encourage your users to connect via several accounts (to find more friends, for example), this risk disappears. For example, on Klout, all my accounts are connected, because it increases the value of the site for me.
Here are some best practices to keep in mind if you plan to offer single sign-on to your visitors.
Each of the digital identity providers offers access to different data and several of them make it possible to choose the permissions to be requested from the Internet user. A strategic choice is necessary: the user must feel that the requested permissions are justified. In addition, Facebook and LinkedIn allow the user to refuse to give certain permissions, but still continue with the creation of the account.
According to an eMarketer survey, 41% of respondents expressed concern that the site would share personal information without their permission.
A good practice is to dispel these fears with a very clear sentence, positioned near the registration buttons. For example, the Grouper site reassures us with a humorous touch: “We'll never post to your wall or anything lame.”
The main purpose of social authentication is to avoid creating a username and password. Asking for the creation of a password anyway could disappoint the user and cause him to leave the site.
Many of the American heavyweights offer one or more digital identity providers to their visitors: Pinterest, Foursquare, TED, Quora, Behance, Goodreads, Last.fm, SoundCloud, Rdio, AngelList, Hipmunk, Stack Exchange, Readmill, Couchsurfing.
In Quebec, few sites offer the possibility of creating an account via a digital identity provider, but there are still a few:
(Feel free to suggest additions by commenting on this article):
That said, sites that are currently in the usability mockup stage will soon offer single sign-on or social sign-on features.
Indeed, as I pointed out last January in CEFRIO's NetTendances booklet:
“The US government has formulated its recommendations for the creation of a digital identity ecosystem that would involve the private sector on the one hand, and a regulatory body on the other.
Open Identity Exchange, the body in question, now has the role of certifying digital identity providers, for example Google or PayPal, as to their compliance with security, confidentiality and their operational procedures.
Soon, a citizen will be able to use the credentials they use on these systems to log on to government sites.”
(E-Government: Challenges Ahead!)
The British government has decided to go in the same direction by also involving Open Identity Exchange.
Do you think single sign-on and social authentication are essential to ensure the success of a web initiative in 2013?