19 June 2014
The current average rating of Numerous on the Apple App Store is 4 stars, with 5-star reviews outnumbering all others by more than two to one:
We’re pretty proud of that so it stings a little when we see a 1-star review. There aren’t many, but there are a few, and virtually all of them look something like this:
Khåymaan (thanks for the review, Khåymaan!) is alluding to the fact that the Numerous app requires signing in with Twitter or Facebook (as of v1.1 we also allow signing in via Google). We don’t allow users to supply an email address and a password to create their account and we never post to the user’s social network without their permission.
So given that a vocal minority of people detest being forced to sign in with a social networking account, that they bring our ratings down with 1-star reviews, and that we’ve probably lost out on a significant number of users, why shouldn’t we just add an email login? Give the people what they want, right?
At every turn we’ve thought about this and at every turn we’ve concluded that taking email addresses and passwords is the wrong way to go. Here’s why.
It seems that every week I hear another story about a major company leaking thousands of email addresses, credit card #s, and password hashes. This week it was Domino’s Pizza but in many cases these are major technology companies who I’d think would have a handle on protecting their customers’ data. But hackers are smart and even the best security engineers make mistakes. I’m confident that we could safely store email addresses and passwords (randomly salted and hashed, of course!) if we chose to, but doing so always comes with some amount of risk that we prefer to avoid.
“Social Login” Provides Control
This is often overlooked, but by logging in with a service such as Facebook, Twitter, or Google, you’ve retained complete control over what the app can do. Is the app harassing your friends or spamming your timeline? Bad app!! A visit to Facebook’s or Twitter’s application access dashboards allows you to dial back what the app can do or completely revoke its access to your account. On the other hand, if you give away your personal email address then the cat’s out of the bag. There’s no stopping a malicious developer from selling your email to hordes of Viagra spammers.
Typing an email address and a password on a phone is unpleasant. Tapping a button is easy. We want to make the sign-up process as quick and simple as possible.
According to Microsoft’s “A Large-Scale Study of Web Password Habits”, about 4% of users will forget their passwords every three months. To accommodate forgotten passwords, we would need to implement temporary password creation & storage, password email exchange, and password change enforcement. That’s a huge chunk of work and each of those moving parts is another potential vector for attack by hackers.
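To make those moving parts concrete, here is an added example (not Numerous code and not from the original post) of the state an email/password backend has to keep: a per-user random salt and scrypt hash, plus a reset secret that is stored only as a hash, expires, and works once. It uses an emailed single-use reset token in place of the temporary password mentioned above; the `Accounts` class, the scrypt cost parameters, and the 15-minute lifetime are assumptions chosen for illustration.

```python
import hashlib, hmac, secrets, time

SCRYPT = dict(n=2**14, r=8, p=1)  # assumed cost parameters
RESET_TTL = 15 * 60               # assumed reset-token lifetime in seconds

def _scrypt(password, salt):
    return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)

def _token_hash(token):
    return hashlib.sha256(token.encode()).digest()

class Accounts:  # hypothetical in-memory store standing in for a database
    def __init__(self):
        self.users = {}   # email -> (salt, scrypt digest)
        self.resets = {}  # email -> (sha256 of token, expiry timestamp)

    def register(self, email, password):
        salt = secrets.token_bytes(16)  # fresh random salt per password
        self.users[email] = (salt, _scrypt(password, salt))

    def login(self, email, password):
        record = self.users.get(email)
        if record is None:
            return False
        salt, digest = record
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(_scrypt(password, salt), digest)

    def start_reset(self, email, now=None):
        """Return the token to e-mail to the user, or None if unknown."""
        if email not in self.users:
            return None  # the caller should respond identically either way
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Only the hash is stored, so a leaked table yields no usable tokens.
        self.resets[email] = (_token_hash(token), now + RESET_TTL)
        return token

    def finish_reset(self, email, token, new_password, now=None):
        now = time.time() if now is None else now
        entry = self.resets.get(email)
        if entry is None or now > entry[1]:
            self.resets.pop(email, None)  # drop expired entries
            return False
        if not hmac.compare_digest(_token_hash(token), entry[0]):
            return False
        del self.resets[email]  # single use: a replayed token is rejected
        self.register(email, new_password)
        return True
```

Each method here is a separate place to get something wrong (enumeration via `start_reset`, token replay, expiry handling), which is the attack-surface point made above.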
Time & Resources
On a recent episode of the excellent Debug podcast, John Gruber shared that adding email/password sign-in to their app Vesper “put us back a month or maybe more.” The fact that it took an experienced three-person team a month to get the pieces in place is a testament to the immense complexity of doing email/password sign-in. In the same time period we could probably add 2 or 3 major features. Or, you know, ship.
A friend once pointed out the sad irony in the fact that the major providers of OAuth sign-in, Facebook and Twitter, also happen to be social networking companies. This is so true. If only there were a company capable of authenticating millions of user accounts that didn’t also run a social network. Oh wait…
At WWDC 2014, Apple announced CloudKit:
Leverage the full power of iCloud and build apps with the new CloudKit framework. Now you can easily and securely store and efficiently retrieve your app data like structured data in a database or assets right from iCloud. CloudKit also enables your users to anonymously sign in to your apps with their iCloud Apple IDs without sharing their personal information.
For us, that’s pretty much the Holy Grail. An account type that every user of our app is guaranteed to have, but doesn’t link to a social network, and is explicitly guaranteed to be anonymous. We fully expect to have iCloud anonymous sign-in in Numerous as soon as it’s available in iOS 8.
In the meantime, we’ve just added Google sign-in to Numerous v1.1 so anyone with a Gmail address can create a Numerous account. We think this is a great alternative for those not wanting to use Facebook or Twitter.