> Your users expect "Sign in with Google" and "Sign in with Apple." You can add email/password and passkeys, but removing social logins entirely is a conversion killer.

I know this is true, but I genuinely don't understand it. I want email/password and passkey, I will always go out of my way to avoid "Sign in with ...". I just don't get why people love this.

You really don't? It's just a ton easier for most users: it's (almost) like already having an account. Just click a couple times and you're in, no typing at all, no email confirmation or anything like that.

I also avoid it because I'm concerned about being over-reliant on google (what if they close my account?) and I know how to use a password manager, but I easily understand how 90-99% of the population doesn't care enough and goes the low-friction route.

Not to mention that B2B SaaS needs to provide the login methods that their customers need for their operations, and these typically rely on Google, Microsoft, Okta, etc.

I work on auth for a European startup and this is the case.

> I also avoid it because I'm concerned about being over-reliant on google (what if they close my account?)

Most of the "sign-in with google" accounts I have seen treat it as a shortcut to creating and logging in with an account with the primary email address of the Google account. So you can hit "reset password" and get a conventional password log-in to an account you previously made with the Google auth. If you get locked out of google, it's NBD.

Of course, this is probably not universally the case.

Does Google even let you create an account without Gmail anymore?

Yes. There is a "Use your existing email address" button in the create account dialog.

That users choose to link their account to Google when they can does not surprise me.

What surprises me is that if they cannot do it, they will just leave. The post says it is a "conversion killer".

It's not so much that they'll leave, as much as some percentage will abandon during the signup flow. I know somewhere out there are statistics on those who have to click a link in an email only to get distracted by other emails, to say nothing of the time to fill out forms, create a password, save to password manager, open your 2FA app for the more advanced users, etc.

The higher the friction, the lower the probability of conversion. E.g. Amazon famously found every 100ms of latency costs them 1% in sales.

At its most simplified, this can be thought of as a simple function of time — the more time something requires, the higher chance something else happens during that time, invalidating the original task.

The best sign-in flow is none at all — that's what e.g. Discord does. They let you use the app immediately, with an automatically created provisional account. Amazing user experience.

This applies universally — convenience is everything.

Passkey signup could be almost as easy. Type email address, click register, invoke WebAuthn flow (which is no more complex than social registration), done. Maybe you need email address validation for some reason, in which case it’s a wee bit more complex. Ideally there would never even be an option to make a password unless passkeys are unavailable.

> Ideally there would never even be an option to make a password unless passkeys are unavailable.

I like passkeys, but ideally it should always be an option to make a password, too.

Sure, and there’s a UI for rejecting passkey enrollment. I’m just saying that there’s no need for anywhere near as many clicks to enroll a passkey as are often needed.

I assume your circle is mostly tech people? Outside that bubble, it's pretty obvious. People just want easy, don't understand security in many cases, it's the simplest path.

Even absent the above. Imagine a signup flow. I can either click <Sign Up With Google> or I can go through a manual flow with input fields. The former is much faster than the latter. It surprises you people choose the path of least resistance?

It does not surprise me that people choose the path of least resistance. I find it sad that they happily connect everything to Google/Apple.

What surprises me is that it is a "conversion killer". So if you ask people to create an account, it's sooooo very hard for them that they will just leave. And spend the next 30 minutes scrolling TikTok, I guess?

How many services do you have subscribed to? From simple PHPBB boards to very much official products and online shops? How do you manage all those usernames/passwords? The single point of failure of relying on Google/Apple is real, but so is the manual and laborious process to auth via email/password and the management that goes with it.

I have 400 entries in my password manager. I manage them with my password manager. There is no single point of failure.

Isn't your password manager a single point of failure?

How do you mean that?

Each password is a PGP-encrypted file, encrypted to security keys. The files are backed up in different places, including my laptop and my phone. The password manager app runs offline, so it has no reason to suddenly fail, but even if it did, my passwords are just encrypted with PGP, so I will never be "locked out".

I find it very unlikely that it would get compromised: again it's encrypted to security keys. If my device is compromised, the attacker can extract the passwords that I decrypt while the attacker has control, but not the whole database.

To lose my passwords, I would need to simultaneously lose all the copies (on my devices, and on the cloud). To lose access to my passwords, I would need to simultaneously lose all security keys.

Doesn't feel like a single point of failure. Or do I misunderstand what you mean by that?


It definitely surprised me just how lazy humans are on average. The amount of effort people are willing to exert on sign ups, etc... The drop off with each additional field blew my mind.

Probably suggests that the service is less valuable to them than TikTok.

You'd be surprised. I've worked on a municipal/local-area webapp that launched with auth and a create-account form. Userbase in the low 100ks, a few interactions a year. It was an ordinary create-account form: name, address, email/phone, no payment info or government ID. The only alternative to this service--and I do mean only--was to go into a city office and wait in line/fill out forms. Failure to do either resulted in a fine (I forget how much; in USD it would have been less than $50 I'm pretty sure).

Before we added SSO, huge numbers of users would enter but never complete the signup flow. We assumed they were making the (baffling) choice to take time to go to an office and wait in line over filling out a web form. A year later, we added Google and Facebook login. Failures to finish signup dropped to almost zero (a lot of folks were still bailing out of the manual create-account form without finishing, but they were then falling back to Google/Facebook).

More surprising, that year the net number of signups (across web and brick and mortar) more than tripled.

People weren't choosing in-person over filling out the create-account form. They were choosing to pay a fine instead of filling out the create-account form.

So ... I don't know about "less valuable than TikTok", but a lot of folks' decisionmaking sure is wild.

This is a wild story! Thanks for sharing.

People usually have either one or the other account already, because it came with their smartphone. It is frictionless from their point of view.

Sure, but what the post says is not that they will go for the easier path. It says that if they don't get to link their account to Google/Apple, they will completely give up (it is a "conversion killer").

Well.. it's the flip side of those social logins being known and proven conversion boosters. If you actively decide against them, you are losing a low effort tool to boost your CR.

HN is going to skew towards people with password managers & concerns about vendors locking you out. I think most people just want low friction - be that 'Sign in with', or passwordless-based authentication like 404media (you want to sign in? You've been emailed a code)

> passwordless-based authentication like 404media (you want to sign in? You've been emailed a code)

How is this low friction to manually copy/paste a code from email as opposed to allow a password manager to log me in automatically?! This kind of authentication is the stupid current trend I hate the most TBH.

> > HN is going to skew towards people with password managers

Towards people with password managers, or towards people who want to have the freedom to choose how they log in? I also hate those damn login emails.

But everyone has a password manager now. They come built in to all major browsers, the Apple ecosystem, etc. My non-technical girlfriend uses one.

Yeah, and I support anything that makes security by default easier. I'd love to see adoption numbers for in-browser password managers, though, because I feel it's not very high yet.

> I'd love to see adoption numbers for in-browser password managers, though, because I feel it's not very high yet.

Why specifically in-browser?

Because without that the argument of "everyone has a password manager" fails. Tons of people don't have 1Password or Bitwarden or LastPass or KeePassXC or whatever.

So sure, they might technically have a password manager installed, in that every major browser has a password manager included. But do they actually use it? That's what really matters.

Yeah, this is why. "in-browser" was unclear when I also meant the iOS ecosystem password manager and stuff.

I'm not sure non-technical people have a good understanding of or experience with passwordless email login either. While doing tech support I've seen people get very confused at the need to open another app to log in, or the fact that they're now logged in in the webview of their email app and not logged in in the app or browser they had been using (especially if the first thing that web view does is pop up a giant "try the app" modal).

I can't stand the 'use the app' nag modals!

Thanks for your insight. Outside of being a consumer, and as a security engineer who appreciates things like passwordless, my experience comes from my employer's passwordless rollout. The sentiment is broadly positive, but we would veer to a technical user base, and sentiment misses the nuance you brought up.

Something I didn't see in the other comments is users who are using the startup's service for work, as an employee.

Why wouldn't you choose the simplicity of "sign in with Google" if your work email is on Google Workspace, using the entire Google suite of business tools for everything (gmail, chat, meet, docs, drive, auth, etc) and everything you do at work is known to Google anyway?

Making an email/password account with your work Gmail is just extra steps, one more password to store, and perhaps the inconvenience of one more 2FA thing. Google gets the same information either way.

Similarly, why wouldn't you choose "sign in with Microsoft" if your work is all in on the Microsoft suite of business tools (teams, office, onedrive, auth, etc.) and everything you do at work is known to Microsoft anyway?

> I just don't get why people love this.

For a single personal user it's only a small bit of friction but if you're in charge of 30 people SSO is a godsend for boring compliance work and managing groups of people. You want to change a domain in the company not a big deal. Don't have to rotate passwords every quarter, need to restrict an employee from a service etc. You aren't imagining other challenges other than your own here.

That is an interesting take, but it's off topic.

The post says that if you don't have the SSO, it's a conversion killer. I.e. users just won't log in if they cannot do it with an SSO.

Of course companies use SSO because it gives them more control over the employees' accounts. I understand why companies do it.

My email goes to the same company I can login with so might as well tap the button.

But if there is no Google/Apple button, will you just leave? Like not even create an account? That's what "conversion killer" means.

I may start to create an account, but after about 30 seconds of effort, I'll start asking myself if it's really a service I care about. Send me an email? If it's not there by the time I click my email tab, odds are pretty good I won't wait around unless it's a truly compelling offering. Want me to fill out a form? If it's anything more than just an email and a password field my password manager can complete for, again, I'll question whether I want you to have that info about me.

So no, I may not leave, but each tiny bit of friction increases the possibility of abandonment. From the perspective of conversion, abandonment is the same as "just leaving".

I won't, but a decent % of people do, yeah.

In fact a decent % of people stop shopping on your site if there's a few ms lag.

At every step a few percent of revenue is lost that your competitor takes in.

> In fact a decent % of people stops shopping on your site if there's a few ms lag.

While it's still true, I have read that the accepted lag today is higher than 10-15 years ago, because they have lower expectations due to a general decline in page load speed. (React pages with spinners/placeholders, newsletter popups, higher page weights etc.)

It's a few things (source: I've worked on some large online B2B systems and seen signup flow funnel data for some even larger B2C systems):

1. Ease/laziness as others have mentioned. Even for a service that answers a real need, many users will bail out of the signup flow and just ... leave that need unsatisfied when they see a web form.

2. Underreported: google/apple sign-in buttons make it feel like you already have an account. The fact that the "grant access" new-signup request is a second screen and that "sign up" and "sign in" (with Google/Apple/Github/Facebook/etc.) are the same buttons to enter the funnel is huge. It's not that users are confused/forgetting whether they already have accounts (though some are); rather, it's psychological momentum created by the ambiguous language.

3. Trust and consistency. Nontechnical users just trust the recognizable brand buttons more. They don't necessarily know why/know how auth works, but they know that a lot of data breaches happen and are scared. The fact that the embed button almost always looks the same/familiar is massive. I suspect that it would also be a conversion killer if the "sign in with apple/google" buttons were styled to look totally different and not contain logos.

4. A lot of semi-technical folks don't like remembering passwords (and password managers--even good device-integrated ones--aren't as reliable at autofilling as a lot of casual users would like). Others know that it's a bad idea to reuse passwords. As a result, people use the button that doesn't require them to pick a password they'd have to remember.

5. Impression of privacy. Some (especially older) nontechnical users have a significant aversion to typing in their personal info (name/address/CC number) into online forms, so they pick the option that doesn't require that.

6. Technical people who prefer SSO because it gives (on the SSO provider side) a list of every integrated account; better permissions control (for services that integrate with e.g. Google for more than just login); a marginal chance of a little less data being stored on a service's servers versus the regular make-an-account option; somewhat fewer opportunities for a service to screw up auth by building it themselves wrong. This demographic is small compared to less technical users.

That's all presented without comment. Some of those points are based on exploitative provider behavior, or user ignorance. I'm just explaining the decisionmaking factors, not defending them.

Add all those up, and you definitely get a conversion killer.

In my experience it's been the users who principally only have a mobile phone - i.e. no desktop - and therefore want the benefit of the phone-managed account system tied to .. biometrics, etc...

> I just don't get why people love this.

For the same reason why companies implement SSO for employees? It's just easier to have one account with one password to rule them all.

Companies implement SSO to have control over the accounts of their employees... Pretty sure they would still do it if it was more complicated.

And that is also why companies don't allow employees to use anything other than the SSO.

Well, it gives you easier control of your accounts too. Just one entry point for everything, no need to track password leaks from dozens of services (you still need to keep an eye on whether Google has leaked your password, but in that event everyone will know and be working hard to fix it).

From the point of view of technical people it would be easier to achieve the same with password managers, but for the rest of us Google provides a smoother user experience.

“Sign in with Apple” allows me to use a random “Hide My Email” address for services that I can’t bother with so it’s absolutely a godsend for me.

> I just don't get why people love this.

I wonder if there will ever come a day where the average HN user actually understands how normal people use technology.

Just observe anyone in your social circle that does not "care" about technology and you'll see their reaction to a login prompt when trying, not rarely under time pressure, to access a service they haven't used for a while.

They will sigh, maybe roll their eyes. And who can blame them? The same goes for registering to a new service. Normal people don't use password managers, they don't have Bitwarden with auto-fill, nor do they ever "generate" passwords.

"Sign in with..." offers them a way out of a frustrating experience, it's the device telling them "Hey, would you just like to use this thing you're already logged into instead?" -- yes, obviously they would like that.

> I wonder if there will ever come a day where the average HN user actually understands how normal people use technology.

Well, I wouldn't say I don't understand it. If someone uses their smartphone as a hammer, regularly breaks it and regularly buys a new smartphone, I understand what they are doing. I just don't understand why they are doing it, I guess?

In this case, the post says that it's a conversion killer. So people are so damn lazy that if they can't click on "share the information with Google", they will just leave.

Both available choices "share the information with Google" for most people. The majority of email account creations use a Gmail or Google Workspace address, so Google gets the information either way, and in Europe most use Android so can't sign in with Apple.

Again that's off topic. I'm not talking about the fact that people choose the Google SSO instead of username/password.

I'm talking about the fact that people choose to not use the service if there is no SSO.

Because they don't want to have those experiences where they sigh, roll their eyes, then try and remember a password they made months ago just so they can continue using this thing they signed up for. So they just skip the service altogether.

Heard of haveibeenpwned? You'll end up there, eventually.

If you end up, for some reason, being one of those unlucky individuals whose Google account gets banned and all your other accounts are behind Google login, then you truly have been owned.

You mean when using "sign in with" and then using a shitty password for your social media account?

If you use e-mail and password with a good password manager that runs locally on your device and generates good random passwords, it is unlikely you will end up on haveibeenpwned, and even if one website does shit, the blast radius is only one account on one website.

You'll still have your e-mail address exposed, which you may not want if it is to some random porn site. Moreover, password managers do not work if you use multiple devices for log in, which most people actually do.

I use my password manager across multiple devices daily.

Apparently it has not been working without me noticing it?

I assume they're thinking about the 'offline' style where one would shuffle a database file and probably resolve conflicts. There's an app/extensions nowadays, man!

I don't even bother with a VPN, just occasionally push a 'sync' button on the roaming devices [when they return to LAN]. DB transactions [new credentials] averages ~0 per month... but there's plenty of capacity. Works extremely well.

The truth is that even with KeePassXC, I just really do not notice stale passwords across devices. It's just really not a huge deal for me personally. Maybe it is for normal people. I sync my databases maybe once a year if I'm lucky.

Right, that's what I was trying to emphasize. Rare syncs are totally fine here, too. I try to keep a routine but tend to slip. If not 'with my usual device' there's a tiny number of accounts I even need. They rarely change so the 'cache' is usually suitable. If not, the restriction is always short-lived.

Same here. I use pass, and I just don't create/update passwords that often. And synchronising is very easy (it's a git repo).

... And how do you access the passwords that password manager manages?

With the "password manager" program? I have one on my desktop and one on my smartphone.

How do you expect to access the passwords that the password manager manages?

... Can everyone in the world read our passwords or are they "protected" somehow?

I am not sure whether you are trying to get at something specific, but will interpret the question in good faith:

A classical password manager reads an encrypted database. In theory, you could upload your password database (usually just one file) anywhere and wouldn't need to worry, assuming that you chose a sufficiently long password for decryption, and assuming that the encryption does not have weaknesses which would allow an attacker to decrypt it without the password. In practice, of course, you still wouldn't upload your password file to a public place, to reduce risks in the future. But anyway, the idea is that only you know the master password for the encrypted database and so no one else can read your passwords.

I am confused. You say:

> Moreover, password managers do not work if you use multiple devices for log in

I use a password manager with multiple devices, and it works. And yes, my passwords are "protected", that's the job of the password manager.

If you decide to visit such awful sites then the least you could do is not use primary email for this.

I don't think it makes sense to even have a "primary email". I've completely separated work, shopping, banking, gaming etc mailboxes.

Also how do password managers not work? Bitwarden syncs instantly across devices just fine.

If you sign in with Google, the site knows your gmail address.

Email aliasing is a thing

Risk Bob's Salad Shack leaking an inconsequential, unique, credential or bind everything to the whims and identity of a single organization; hmm.

Ending up on HaveIBeenPwned is only a problem if you reuse passwords.

Nope. It is a problem if you reuse email addresses.

Are you saying that you reuse the same password everywhere, but a different email address every time, and you feel confident that having your password leaked won't have repercussions?

I am genuinely confused. Sounds like holding a gun from the wrong end and feeling protected by it.

Password manager.

Before inevitable "what if your password manager is hacked...," what if your google account is hacked / banned?

You don't even need a password manager, browsers autogenerate secure passwords for you, and they sync between computers/mobile devices.

(I'm saying this from the perspective of "regular people don't want to be inconvenienced like that"; obviously you should use an external password manager for security.)

Agreed. Just wanted to add:

> Before inevitable "what if your password manager is hacked

My passwords are encrypted with a security key. I think it is more likely for my computer to get compromised than for my password manager to leak the passwords.

Admittedly, if I lose all the security keys at the same time, I lose all of my passwords.

Sign-on with the external identity provider doesn't help if data related to your account like the billing information, your government ID info etc. are released in the breach, that's the sore point.

- Complains about age verification because it is "not private"

- Uses Google SSO to sign in everywhere

People will know that my password was y!2TvM8h3dpvw4 for one particular website at some point. What do I lose here? Google/Apple incurs much greater risk that is entirely out of your control.