Thursday, July 16, 2009

Use Twitter, Facebook, OAuth or OpenID for login?

by Blake Schwendiman on April 22, 2009

Now that OAuth is officially available for accessing the Twitter API, it’s technically possible to use Twitter’s services as an authentication method for logging into your web site. In fact, when setting up a new Twitter OAuth application, there’s an option suggesting that very use.


This is not a new concept, but with the recent proliferation of high-profile services such as Twitter OAuth and Facebook Connect, I think it’s time to discuss the pros and cons of using a third-party authentication system for your web site.


One of the most obvious advantages of using any third-party authentication system, including OpenID, is that you don’t have to develop the complex systems necessary to validate user registrations, avoid duplicate or spam registrations, or manage all of the registration messaging and support. That’s a big deal. If your registration system is too complex because you are trying to ensure that only legitimate users can register, you will undoubtedly lose some potential users who simply find the system too hard to use. Tying into established accounts reduces the barriers to entry for your site.

Another consideration for using a third-party authentication system is the additional features of the third-party service. If you intend to update the user’s Facebook or Twitter status, you’ll eventually need to authorize your user with that service. You may be able to address two needs at one time.

Finally, there is a soft benefit to using a third-party authentication system and that is the added trust. It’s likely that if you use a trusted system or service, your own web site will be implicitly trusted more.


Using a third-party system does not remove the necessity to keep some user information in a local database or provide some session and cookie management functions. Your web site will probably require additional user information that is not provided by any of the third-party services. Depending on how much of that information is required, using a third-party service may simply add another step to the registration process — increasing the barriers to entry.

Many third-party applications are still evolving. Twitter’s OAuth has only been available for about a month. Facebook Connect is less than a year old and has changed quite drastically (for the better) since its release. OpenID is much more mature as a development tool, but adoption in the user world is still relatively low.


Some things to think about — things that may be pros or cons depending on how your site works with the third-party services.

An advantage of using a third party for authentication is the fact that there are many to choose from (Twitter, Facebook Connect, OpenID, etc.), so many of your users will already have established accounts with the other sites. But what do you do if your potential user is not connected with any of the third-party sites you use? Consider your audience before committing to a third-party-only authentication solution. If your audience is the bleeding-edge web community, or if your service is an add-on to the third-party service, you’re golden. Otherwise you may alienate potential users who don’t have, and don’t want to be a part of, the Twitter-Facebook-etc. crowd.

What happens to your users if they decide to leave the third-party site or are banned from using it in the future? People do stop using Facebook, Twitter and other services. People close their Gmail accounts (Google provides third-party authentication), and occasionally people are banned from other sites for violations of terms. If your site is not directly related to the third-party site (a Twitter search site, for example, would be directly related to Twitter), you probably want to make sure that your users can log in to your site whether or not they still have an active account anywhere else.

What to do?

I suggest that most sites still need to have a local user login system of some sort. This is to ensure that your users remain your users. Users will not understand or care to know why they can no longer access your site after canceling their Facebook account, they’ll just know that you’ve excluded them and they’ll be upset. No amount of technical mumbo-jumbo will convince them otherwise.

I do encourage the use of third-party authentication systems to add value to your site. There are several reasons to do this:

  • Providing additional value-added connections to the third-party services such as updating profile information or status
  • Providing social graph information such as which friends of the current user also use your site
  • Gathering additional authentication information for your site


Build a simple login system for your site. Limit the amount of information you gather to the absolute minimum you need to provide basic login/account services. This should include a user identifier, password and some method for recovering a lost password. Consider this your first tier of authentication. First-tier users get read access to all of your site and some level of personalization based on their account information.

Next, if your site allows publishing of any information, add a second level of authentication. Since your first-tier users didn’t do anything to prove they aren’t bad robots, they don’t get to publish. This is where you can get creative. Second-tier authentication may be via email (not my preference) or via a third-party authentication system. Choose a third party that you trust, then have your users authenticate themselves with that third party and record the authorization information in your user database. Consider the user a second-tier user at that point and enable additional options and services on your site.
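As an added illustration of the tiered design described above (not code from the original post), the sketch below models a local first-tier account and a second tier that is unlocked by linking a third-party identity. Linked identities are keyed by the provider’s stable user id so that one identity cannot be attached to two local accounts, and `revoke_provider` stands in for a provider disappearing or banning the user, after which the local login still works. The class and field names are hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    # provider name -> provider's stable user id (hypothetical layout)
    linked: dict = field(default_factory=dict)


class TieredAccounts:
    """Tier 1: local username/password. Tier 2: a linked third-party identity."""

    def __init__(self):
        self.users = {}             # username -> User
        self.identity_index = {}    # (provider, provider_uid) -> username
        self.disabled_providers = set()

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        if username in self.users:
            raise ValueError("duplicate username")
        salt = os.urandom(16)
        self.users[username] = User(username, salt, self._hash(password, salt))

    def login_local(self, username, password):
        u = self.users.get(username)
        return u is not None and hmac.compare_digest(u.pw_hash, self._hash(password, u.salt))

    def link_identity(self, username, provider, provider_uid):
        # Key on the provider's stable id, never on email or display name,
        # and refuse to attach an identity already owned by another account.
        key = (provider, provider_uid)
        owner = self.identity_index.get(key)
        if owner not in (None, username):
            raise ValueError("identity already linked to another local account")
        self.identity_index[key] = username
        self.users[username].linked[provider] = provider_uid

    def revoke_provider(self, provider):
        self.disabled_providers.add(provider)

    def tier(self, username):
        active = [p for p in self.users[username].linked if p not in self.disabled_providers]
        return 2 if active else 1

    def can_publish(self, username):
        return self.tier(username) == 2
```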

The advantages of this tiered approach are many.

  • You maintain a local database of users
  • You can provide as many tiers of trust as you need, using whatever authentication methods seem appropriate for each
  • You can provide alternate authentication methods for each tier so your users have many options to authenticate
  • If any one of the third-party authentication services disappears or revokes access to a user or group of users, you can provide an alternate method
  • You reduce the barriers to entry to your web site
  • Your users only encounter authentication barriers as they seek to increase their interaction with your site

Perhaps at some point in the future, OpenID and OAuth or some new thing will be truly ubiquitous and provide all of the features required for completely hands-off authentication services, but right now I don’t think we’re there. Until then, consider a tiered authentication system that provides the best options for you, your site and your users.

