
Users want to use social logins

I dragged my feet on adding social logins to gomobo.app for a long time. I felt it was more effort to implement than the benefit of adding it would be. I thought to myself, Improving the product will be a better ROI.

What ultimately kicked my butt into action was that I playtested my new game with a friend and they told me that they would never create an account unless social login was supported.

Implementing was easier than expected

I use AWS Cognito for gomobo.app because I use AWS for everything else and it has a generous free tier.

I've found their documentation to be lacking and frustratingly confusing at times. But once I was able to find the right documentation to follow, it became a lot easier.

High-level steps:
Step 1: Register/set-up with social providers (e.g. FB, Google, Apple)
Step 2: Configure integration with your user management system (for Cognito User Pools, this meant mapping fields, entering redirect URLs, etc.)
Step 3: Build the UI for your app (Cognito had a pre-generated "Hosted UI" but it looked too janky and would've added an extra click for my users, I did look at the source code to help me build my own custom UI though)

In all it only took me 6 hours to complete adding "Sign in with Google" for my app.

Results of the change

Ever since I deployed the new sign-in/registration option, two-thirds (67%) of my new registered users have chosen to register with their Google account.

Registration is now a better experience because I don't need to force new users to confirm their email to complete their account (you'd be surprised how many fake emails I get trying to register). It also reduces the complexity on my end as well, as I directly manage fewer parts of the authentication process.

Adding Google auth was the top priority because ~90% of my users use gmail already. I will likely add FB and Apple in the near future as well.
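One way a custom "Sign in with Google" button (step 3 above) can send users straight to Google through a Cognito user pool without the Hosted UI page, with the `state` and PKCE checks that protect the redirect. This is an added example for Node.js, not code from the original post or from gomobo.app; the domain, client ID, redirect URI and function names are placeholders chosen for illustration.

```javascript
const crypto = require("node:crypto");

// Placeholder values (assumptions): use your own user pool domain and app client.
const CONFIG = {
  domain: "https://example-pool.auth.us-east-1.amazoncognito.com",
  clientId: "EXAMPLE_CLIENT_ID",
  redirectUri: "https://app.example.com/auth/callback",
};

const b64url = (buf) => buf.toString("base64url");

// Returns the URL for the button plus the per-login secrets that must stay
// in the user's server-side session until the callback arrives.
function beginGoogleSignIn(config = CONFIG) {
  const state = b64url(crypto.randomBytes(32));        // CSRF protection
  const codeVerifier = b64url(crypto.randomBytes(32)); // 43 chars (RFC 7636 minimum)
  const codeChallenge = b64url(crypto.createHash("sha256").update(codeVerifier).digest());
  const url = new URL("/oauth2/authorize", config.domain);
  url.search = new URLSearchParams({
    identity_provider: "Google", // go directly to Google, no provider chooser page
    response_type: "code",
    client_id: config.clientId,
    redirect_uri: config.redirectUri,
    scope: "openid email profile",
    state,
    code_challenge: codeChallenge,
    code_challenge_method: "S256",
  }).toString();
  return { url: url.toString(), session: { state, codeVerifier } };
}

// Validates the redirect back to the app and returns the form body to POST
// to the user pool's /oauth2/token endpoint. Throws on anything unexpected.
function handleCallback(callbackUrl, session, config = CONFIG) {
  const cb = new URL(callbackUrl);
  if (cb.origin + cb.pathname !== config.redirectUri) {
    throw new Error("unexpected redirect URI");
  }
  if (cb.searchParams.get("error")) throw new Error("provider error");
  const returned = Buffer.from(cb.searchParams.get("state") || "");
  const expected = Buffer.from(session.state);
  if (returned.length !== expected.length || !crypto.timingSafeEqual(returned, expected)) {
    throw new Error("state mismatch"); // response does not belong to this login attempt
  }
  const code = cb.searchParams.get("code");
  if (!code) throw new Error("missing code");
  return new URLSearchParams({
    grant_type: "authorization_code",
    client_id: config.clientId,
    code,
    redirect_uri: config.redirectUri,
    code_verifier: session.codeVerifier, // proves this client started the flow
  }).toString();
}
```

The redirect URI must also be listed as an allowed callback URL on the app client (step 2), and the ID token returned by the token endpoint still has to be signature-checked before the email in it is trusted.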

  1. 3

    So much so that all B2B apps shouldn't have even username/password and nearly all B2C shouldn't.

    The one caveat I have is you probably don't want to use Cognito long term for your solution though: Problems with cognito.

    1. 3

      Hi wparad, we run a small app where local people buy and sell their used items. We tried Google login; first of all, whenever we send them messages, they don't even open them lol, and some even said "I can't give you my email and password" (they think when they log in with Google, we know their password), so we implemented phone number auth, can you believe? We now use WhatsApp marketing; for example, when a seller gets a message from a buyer, we notify the seller through WhatsApp. Wow, it has improved our retention rate a lot. An average user opens WhatsApp 43 times a day. Maybe the Google auth didn't work for us mainly because our users are from Somalia, Africa. They check WhatsApp and SMS lol, so yeah, this one has worked a lot. It helped us build a personal connection with both our sellers and buyers.

      1. 1

        It happens, but only in Africa and parts of Southeast Asia. Everywhere else knows that SMS auth is more insecure than passwords.

    2. 1

      I have the exact same sentiment about AWS Cognito. I had to make a last minute change to switch off Cognito when developing https://radar.ac for the reasons you listed + the frustrations with AWS Amplify (AWS' firebase) -- Now we use Ory for auth

      1. 1

        Ory is at least slightly better. But we've actually found a lot of our customers told us they've migrated off open source solutions, not because they are open source, but because they can't afford to run and maintain them.

        1. 1

          Running OSS is definitely an issue, we're running Ory Cloud (got free 6 months as a startup)

    3. 1

      Thanks for sharing. Some of those limitations I have already had to painfully work around myself. A lot are ones I haven’t thought about. Good to know, thanks!

      1. 1

        And even more I haven't added yet. It's actually one of the reasons we heavily invested in expanding our outhz product to support those things that cognito could not do.

  2. 2

    Interesting data - thanks for sharing. Did the new option actually increase numbers of sign-ups, or was it just the popular (67%) option for more or less the same sign-up completion rate as before?

    1. 2

      Don’t have great data on this and I’ve been starting to market more (posting on reddit). But sign-ups/day is higher after making the change. Wish I had better conversion metrics though

      1. 1

        It's tricky to disentangle the various causes and effects, for sure! I'm trying to figure out where I can get best leverage in the next few months (acquisition, conversion, retention).

    2. 1

      I was thinking the same. Based on OP's response below, it's hard to say if the social login was worth the extra effort and privacy implications... Also, having been burnt by Facebook's API before, I am very wary of not fully owning my user's login process.

  3. 1

    we use this for 2 of our projects, it’s been working very well

    deftpdf.com
    deftship.com

  4. 1

    Hey Justin, great insight, thanks!

    Did you find that the ordering mattered? i.e having the social logins above the email/password option vs the other way round?

    I commonly see the inverse pattern where the social buttons are offered as a second option, but your way round seems to make more sense as in theory it helps drive people down the social path.

    Would love to hear your thoughts, cheers

    1. 1

      Honestly haven't played around with order. I think the order should be dependent on each specific app.

      For my app (digital games), my users often just want to get in and try a game. I had many users give feedback that my onboarding was too clunky (using email requires verification step, which AWS Cognito won't let me disable). Putting social first was a logical step for the use cases and preferences I got.

      Either way, I think if you (as the developer) have a preference on wanting more social logins vs email, then I would recommend having social first. In the end I think order won't make a huge impact.

  5. 1

    We went so far as to only have social sign ups (but we do need Facebook and Google Access to make our application work).

    Now we have an interesting opposite effect where actually I need to add email and password capabilities as we think it might improve our sign-up flow too!

  6. 1

    Do you think so for b2b saas business?

  7. 1

    Very interesting. If you had to rank the most beneficial to implement Google has to be number 1 but what other socials would be on the list? FB?

  8. 1

    I am working for a B2B product. Do you think it is a good idea to add social media login?

  9. 1

    Absolutely game changer for me doing this! I've managed to literally double my sign ups cause of this.

  10. 1

    I am working on a SaaS and have been contemplating this.

    I appreciate you dropping this insight...

    You have solved a problem for me with this post

    1. 1

      Hi, glad to know that you are working on a SAAS.

      I can write detailed reviews of your product on medium for free. (https://medium.com/@software_guy)

      Feel free to connect when you are done working on it.

  11. 1

    Are all your users B2C and using private accounts? Or do you also offer B2B?
    I am trying to figure out if offering social logins (Google) would help with our B2B-only tool or if social logins are a B2C-only preference.

    1. 1

      For my product it is entirely B2C.

      For what it's worth, as a user, I use Google and Github login for a lot of websites/tools that I use for my projects and for freelancing. But I also don't mind creating a private account, so probably wouldn't ever be a dealbreaker for me on B2B products.

      1. 1

        Interesting. I am very privacy-focussed and create a new, email-based account for each service that I use. I'll research more. Thanks for the insight!

  12. 1

    I wonder if the issue people had with social logins was caused by Facebook. Years ago Facebook used to dominate the social login space. Then Facebook started getting more and more unpopular and maybe that created confusion whether people disliked social logins in general or just disliked being forced to login with Facebook when that was the only option. Just my two cents.

    Thanks for sharing, this was useful data!

    1. 1

      Yeah I think you’re right. As a user I don’t like using FB login, but I find myself using Google and Apple login for a lot of apps.

  13. 1

    Totally agree with you!
    I'm currently building a web app and I have chosen Firebase Auth explicitly for this reason because it makes it much easier to integrate social logins!

  14. 1

    Great post, I have been thinking of adding social logins to our app too. I use Django and there is a great plugin for adding social auth logins. However, Outlook still seems to be a pain to add... does anyone have any experience with adding Outlook social auth to Django?

    Thanks for posting the stats anyway, that is very interesting that such a high percentage now opt for the gmail login!

    1. 1

      You probably want to take a look at corporate SSO providers that enable automating 99% of this. Enabling Outlook login is something that a choice few do actually provide.

  15. 1

    OK, let me share a contrarian opinion. What if Google/FB etc. decides that your app violated some of their policy and decides to kick you out? Now you will lose all your customers logging in through that account; worse, if you have not collected their emails/contact info, you don't have any way to contact them either. So you lose them permanently. Do you really want to introduce this risk for your business?

    My suggestion is to always have one way to contact your customer and then use social login as a convenience to the customer; don't rely solely on it.

    1. 1

      Never ever heard about anyone using social logins without saving the email (unless it's just to verify they are not a bot and you don't save any data connected to a user).

    2. 1

      Fair point! Although with Google auth, I have their name and email in my system, so I would just need to build out a migration flow for those users if that did happen. Of course it would cause me to lose some, but I think the upside is worth the risk, as long as I am within their terms of use.

  16. 1

    Lately, I have found myself bouncing off of services which do not offer at least one kind of Social Login.

    As @craftworkgames pointed out, it's just easier to just click a button and be done with it! I am logged in to my Google/Github account in the device anyway.

    I find that having to muster up new passwords quickly gets frustrating. Chrome password vault and Password managers have helped me a lot, but having to rotate the passwords once in a while is also something I can never seem to get around to doing!

    From an engineering perspective, implementing a Social is so much easier than having to build all the bells-and-whistles (crypto, hashes, rotation, keys ...) around passwords and usernames and having to constantly worry about leaks!

    1. 3

      Password rotation is a bit overrated. If you're already using long strong passwords and storing them in a password manager (assuming it hasn't been compromised) then it's pretty safe to assume you don't need to change your passwords regularly.

      Most of the old advice about passwords is just plain wrong. Telling people to have a specific combination of letters and numbers really just tells the hackers what kinds of passwords to expect. Asking people to change their password regularly is even worse, because people tend towards easier ones over time and if they're not using a password manager you can bet your bottom dollar they wrote it down on a post it note or somewhere.

      The most common type of hack is simply that people reused the same password on multiple sites. One of those sites gets compromised (or even worse, they are the hackers) and they get into your other accounts.

      So really, there's only a handful of solutions that actually work. Password managers, social logins (if you trust the 3rd party) and 2-factor authentication.

      1. 2

        @craftworkgames Agree with you a 100%. Your point about password rotation makes sense.

        The thing is that I have a hard time expecting users to be tech-savvy enough to have a password manager installed in their system. Hell, it comes free with most browsers these days and I have still seen people ignore them.

        To be honest, I would rather implement an OAuth2 rather than store sensitive data in my database.

        I keep the perspective that passwords in the database is a data-breach waiting to happen.

        With OAuth, even if there's a breach, PKCE et al. protects against long term exposure.

        Without passwords, at least I am giving one less reason for an attack.

        1. 1

          Yes, absolutely. Password management is still not ideal or widely adopted.

          I think the future is probably some kind of passwordless system where humans don't actually type passwords most of the time. There's already attempts at this like fingerprint and facial recognition on your phone and even crypto wallets as a browser plugin are a form of automatic authentication.

          In an ideal world, the perfect UI design would be when the computer already knows exactly what you want and gives it to you without any interaction at all.

          But there's still a huge gap between the ideal world and the current reality. I'm sure there's opportunity in this space for indie hackers. It's a tough problem though, not for the faint of heart.

          1. 1

            Well, OAuth2 and WebAuthn (FIDO) have taken the first steps towards that utopia - but without wide adoption, we have a long way to go!

      2. 1

        exactly.
        to me, websites that force me to change my password every couple of months are just crazy

  17. 1

    I largely agree with this.

    For most websites that offer social login I will use it because it's just easier to click a button than it is to fill out a form and create another password.

    That said, I do think it depends on the app you're building. Some apps work better with social logins than others and at the end of the day if your app is providing enough value it won't be a deal breaker either way.

    1. 2

      Totally agree that it depends with the use case. I think the more consumer focused a product is, the more crucial it is for there to be a social login.

      Heavy B2B apps definitely don’t need it. Prev company I worked for was Enterprise SaaS which needed to build out SSO integration (LDAP, etc) which is a different headache haha

      1. 1

        B2B apps actually are more important, because it is almost universally the same mechanism that corporate SSO uses. LDAP is a rare contender in that space. That's actually one of the problems with Cognito, it doesn't support corporate SSO well.

        1. 2

          I totally agree that SSO is super important for heavy (read:enterprise) B2B, I think I just categorize SSO functionality separate from social login. But I’m sure many of the same concepts apply!

          1. 1

            Since almost every company today has some sort of employee management and security requirements, there really is no reason every B2B shouldn't provide SSO out of the box given how many solutions are out there that help make this happen and how critical it is to security.

            It's actually so ridiculously necessary, that you end up on https://sso.tax if you do it wrong.

      2. 0

        I think about this stuff quite a bit. I've worked at a B2B company that argued and eventually refused to add social to their apps.

        However, I don't necessarily agree with the premise that they definitely don't need it. After all, businesses are just collections of humans and they interact with the apps the same way at work that they do at home.

        That said, most people don't use their Google or Facebook accounts at work. There's probably room for a competitor in that space. I'd say LinkedIn is trying to tackle this but it's a huge market.

  18. 1

    I definitely think social login options are important for sites. For one, it can make the sign-up process much easier and less intimidating for new users. Additionally, it can help build trust with potential new users, as they can see that other people they know are also using the site.

  19. 1

    I can only agree with this. I see the same thing happening. In my last 20 sign-ups, 16 have used social sign-up.

    I think it's because it's just so easy to get started. They don't have to enter any information.

    A thing you can do, though, is to add some benefits to those who use social sign-up, of course, only if you want to entice this.

    1. 1

      Make sure you're providing value to those who use social sign-up. If they're not getting anything out of it, they won't keep using it.

    2. 1

      Great idea, Phillip!

      Do you have other sign up options besides Google? If so, curious if any others are worth adding in your opinion (in terms of ease of set-up and usage)

      1. 1

        Yes, I do. I also have Microsoft sign-up. It's used, but not as much as Google.

  20. 1

    Thank you for sharing your experience. Noting this.

    1. 1

      Glad it was helpful!

  21. 0

    You can also use Azure Active Directory B2C or OAuth
