Thinking about social logins and identity on the web
Context
Yesterday was my first day as a Moodle employee. From this point onwards, I'm spending four days every week leading Project MoodleNet. This is described by Martin Dougiamas, founder and CEO, as "a new open social media platform for educators, focused on professional development and open content." As ever, I'll be using this blog for my personal thoughts and musings, while there's another blog for more official updates about the project.
Why I’m thinking about this
The following will be offered as core functionality through Project MoodleNet:
- Identity and reputation
- Messaging
- News feed
- Access to openly-licensed resources
- Crowdfunding
The above is listed in the order in which I’d like to tackle them. As you can see, I’ve put identity and reputation first. That’s because I believe projects should begin by attempting the most challenging things, and also because I don’t want us to have to retro-fit something so fundamental after developing everything else.
The growth of social sign-in on the web
These days, it’s become normal for users to be offered a ‘social’ way to sign into almost every service on the web. Some sites, such as Airbnb, go so far as to offer those who use social sign-in for their site additional privileges compared to those who use the traditional username / password combination.
As outlined on this Wikipedia page, for those running web services there are many benefits to allowing users to sign in using a social network account. These include targeting content, reducing the use of fake email addresses, and speeding up the sign-up process.
For users, the main benefits are:
- Not having to remember multiple usernames and passwords
- Increasing the speed of sign-up and login to their accounts
- Quick and easy sharing of content to social networks
Although it is straightforward to find data on the percentage of users choosing to use various social network accounts to log in to web services, it can be difficult to ascertain their wider practices around security. For example, how many people use browser-based password managers? Does that change by demographic? What about password managers not based in the browser, such as the ones built into the iOS and Android mobile operating systems, cloud-based services such as LastPass and Dashlane, and deterministic password generators (such as the one I use)?
Do people actually use social sign-in?
A few years ago, social sharing buttons appeared all over the web. Website visitors were encouraged to click on the relevant button to share the content they were accessing with their network. It turns out that, despite the proliferation of buttons, most people actually don’t use them, instead doing it their own way.
We know that social sign-in is different. People do use it. In fact, some reports put the number at over 90% of users preferring social sign-in to the traditional username / password combination. The most popular of these by far is Facebook, followed by Google, Yahoo, Twitter, and LinkedIn.
The situation is similar to using contactless card payments in shops versus using cash. With contactless, every transaction you make can be tracked by your bank, just as every social login you make can be tracked by a social network. There are benefits and drawbacks to both options.
When I choose to use social sign-in
Personally, I don't use Facebook and have written about the pernicious effect I believe it to have on society. As a consequence, I don't (and can't) use Facebook for social sign-in. There are some web services, though, where I do choose to sign in using a third-party account. While I wouldn't base decisions about Project MoodleNet on my own habits, given that the picture is quite complicated, it might be worth explaining the occasions when I sign in via Google, Twitter, and LinkedIn:
- When I have no other choice — I find Nuzzel an extremely useful tool for surfacing news from my networks. If I didn’t sign in using Twitter and LinkedIn, then I wouldn’t be able to access the service (and even if I did, it would have no value)
- When my data is being shared anyway — unless you completely remove Google services from your Android device, it’s almost impossible not to share your contacts with them. As a result, I sign into Full Contact using my Google account.
- When I want to buy something — I sign into The Guardian app on my Android device using my Google account as I bought a subscription through the Google Play store.
I also sign in to my Moodle account using Google. Why? Because Moodle staff use Google Apps and it's a professional, rather than personal, account.
The Moodle context
I asked David Mudrák if he'd be kind enough to generate a report on social sign-ins for moodle.org. He gave me data from 15th May 2017 onwards, which was the date that the ability to sign in using a social account via OAuth2 was added with Moodle 3.3. Since then, there have been five times more logins via Google than via Facebook. Those users creating new accounts since May show a preference towards the traditional username / password combination, with two-thirds of users choosing this option. Signing in via social and traditional methods are not mutually exclusive, of course, and users can register using one option and subsequently switch to an alternative.
Project MoodleNet is separate from, but very closely connected to, moodle.org. As a result, it would complicate matters to have a separate login for Project MoodleNet, and provide little benefit to users. Instead, we should be aiming to bolster the value of having a Moodle account, which would no longer be used just for activity on moodle.org, but more widely across the Moodle ecosystem.
Learning from WordPress
Ideally, as someone who advocates for increased online privacy and security, I’d prefer it if most users signed into their Moodle account directly using a username and password combination. However, given that not using social sign-in could cause security issues for users who may otherwise re-use passwords across services, I suggest Project MoodleNet adopts the approach taken by WordPress.
Moodle and WordPress are similar projects in many ways. Both are open source and adhere to the GPL, allowing anyone to host their own version of the software without restriction or constraint. Just as anyone can use Moodle without having an account on moodle.org, so those using WordPress to power their blog or website don’t have to sign up for a wordpress.com account.
Where I think Moodle can learn from WordPress is in the powerful and intuitive way that individual sites can be linked to wordpress.com accounts to access the value-added services provided by JetPack. Enabling this allows users to sign in to their blog or website either with their wordpress.com account or with their site's own username / password combination.
This is handy for users, who are given a choice. If they click on the ‘Log in with WordPress.com’ option, they then have further options in terms of authentication. They can enter their WordPress.com credentials (username / password), authenticate using their Google account, or be emailed a single-use login link.
This approach strikes a balance between choice and convenience, while highlighting the benefit of having a WordPress account and identity.
One way of thinking about Project MoodleNet is as JetPack for Moodle. It will provide different functionality, but the idea is the same.
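The emailed single-use login link is the one option in the WordPress.com list above that a project has to build itself rather than delegate to a social network, so it is worth seeing what "single-use" and "emailed link" actually require. The following is an added example, not code from WordPress.com, JetPack or Moodle: the class and function names, the 15-minute lifetime, the in-memory store and the example addresses are all assumptions made for illustration.

```python
import hashlib
import secrets
import time
from urllib.parse import urlencode

# Assumed lifetime for a link; a real deployment would pick its own value.
TOKEN_TTL_SECONDS = 15 * 60


def _digest(token: str) -> str:
    """Store only a hash of the token, so that a leaked table of pending
    tokens cannot be turned back into working login links."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class MagicLinkStore:
    """Issues and redeems single-use, time-limited login tokens.

    The store is an in-memory dict for the example; a database table keyed
    on the token hash works the same way. `clock` is injectable so that
    expiry can be exercised without sleeping.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # token hash -> (email, expires_at)

    def issue(self, email: str) -> str:
        # 32 bytes (256 bits) from the OS CSPRNG: unguessable, so possession
        # of the link is the only way to prove control of the mailbox.
        token = secrets.token_urlsafe(32)
        self._pending[_digest(token)] = (email, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the email the token was issued for, or None if the token
        is unknown, has already been used, or has expired."""
        # pop() is what makes the link single use: a second click finds
        # nothing, so a link that leaks via forwarding or logs can't be replayed.
        record = self._pending.pop(_digest(token), None)
        if record is None:
            return None
        email, expires_at = record
        if self._clock() > expires_at:
            return None
        return email


def build_link(base_url: str, token: str) -> str:
    """Assemble the URL that goes into the email (hypothetical endpoint)."""
    return base_url + "?" + urlencode({"token": token})


if __name__ == "__main__":
    store = MagicLinkStore()
    token = store.issue("someone@example.org")  # constructed sample address
    print("email this:", build_link("https://login.example.org/magic", token))
    print("first click:", store.redeem(token))   # someone@example.org
    print("second click:", store.redeem(token))  # None
```

Three properties do the security work here: the token is random rather than derived from the email address, only its hash is stored, and redemption deletes it before checking expiry, so neither a database leak nor a replayed link yields a session. The remaining risk is whoever can read the mailbox, which is exactly the trust assumption the option already makes.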
Summary
So, to recap:
- Most users on the web seem to prefer social sign-in options. Those with an account on moodle.org tend to prefer username / password, but this might be skewed towards more technical users. More research and testing is necessary.
- Social sign-in means user data is shared with a third party (the social network acting as identity provider) and potentially allows users to be tracked across the web. Therefore, social logins should not be the only option for signing in to Project MoodleNet.
- Project MoodleNet should bolster Moodle’s existing login system in a similar way to JetPack providing extra value for WordPress users.
Additional reading
This subject can be a fascinating rabbithole. While I didn’t link to the following articles in the above, they have informed my thinking:
- Simple Social Login for Users and Attackers (Infosecurity magazine)
- The Perpetual, Invisible Window Into Your Gmail Inbox (Waxy)
- Microsoft tells users to stop using strong passwords everywhere (The Guardian)
- Social Login Buttons Aren’t Worth It (MailChimp blog)
- Ad targeters are pulling data from your browser’s password manager (The Verge)
Photo by WOCinTech Chat used under a Creative Commons Attribution license
Hi Doug,
HNY. The moodle gig sounds great.
As always an interesting take. I'd not thought about the tracking issue.
The parallel with WordPress is interesting too, you might like https://indieauth.com I have the plugin for IndieAuth on my WP blog so can log in to my site with Twitter.
Thanks John – Happy New Year to you, too!
IndieAuth looks like a great option. You have to have a domain of your own and be technically adept enough to configure links with a specific tag to various social networks. That’s no problem for people like you and me, who see the value of doing this over and above using other methods of authentication. We’d have to provide other methods for people a bit less tech-savvy…