June 4, 2007
Dare Obasanjo's May 26th thoughts on the facebook platform contained a number of links to the Facebook API documentation. At the time, clicking through to any of the Facebook API links resulted in a login dialog:
It struck me as incredibly odd that I had to log in just to look at API documentation. When presented with the login barrier, I did what 99% of all the people who encounter a login barrier do: I turned back. Dare seemed excited about the Facebook API, but I lost interest when confronted with this login screen.
Wouldn't you want information about your API disseminated as widely as possible, to as many people as possible? To be fair, Facebook has since rectified this problem. Clicking on the link now takes you directly to the Facebook API documentation with no login barrier. I'm not so sure the Facebook folks are "brilliant on several levels" if their API documentation was placed behind a login barrier, even if for only a few days.
I previously referenced Jan Miksovsky's enumeration of login steps as a type of user interface friction. But in reality, login barriers are far worse than friction-- they're a brick wall. Login barriers are a no-win situation for users. What's in it for them? And without sneaking behind the barrier, if only for a moment, how can the user possibly know if your site is worth the hassle of signing up? If you're the New York Times, maybe you can get away with forcing users to deal with the login barrier before getting to the meat of your website. But most of us will never have that much cheese.
Even if you can't avoid an eventual login, it is possible to make the user's login process nearly seamless. Too many sites take a ham-handed, completely traditional approach to logins. You can do much, much better than the abysmal login barrier status quo. Jan doesn't mince any words when he says Geni has the most inviting initial user experience he's ever seen:
Right off the bat, you're cleverly dropped into a family tree that's already partially started: there's a place for you, and obvious points to add your parents. No fanfare is needed to introduce the site or explain what it's for. The very nature of the task's UI makes it obvious that you're building a family tree.
It's not advertised to the user at this point that the email address they enter for themselves will become their user ID on the site. This is revealed the first time the user tries to return to the site. At that point -- the second visit -- the user is asked to sign in with their email address and a temporary password that was emailed separately to that address.
It's obvious that Jan has been thinking a lot about this topic; he has a followup post describing how Netvibes and Pageflakes ease visitors into sites with anonymous accounts:
You can use your anonymous account for as long as you want to, provided you use the same browser on the same machine to do so. Whenever you reach that point -- maybe even months after starting to use the service -- you can sign up for an account. The basis of your relationship with the site transfers from your anonymous browser cookie to a real account secured with a user ID and a password. (Both these sites use your email address as a user ID, to eliminate the signup hurdle of picking a user ID.)
The deep principle at work is that a site doesn't need to rush to secure a relationship with a visitor. Inevitable interest in getting more out of the site (in these cases, the desire to use your customized home page from another location) slowly pushes you, the casual anonymous visitor, to finally forge a permanent relationship with the site as an identified user. The site knows a relationship with you will develop in its own time.
If your application requires users to log in, don't underestimate the impact of the login barrier you're presenting to users. Consider utilizing anonymous, cookie-based accounts to give users a complete experience that more closely resembles the experience that named users get. By removing the login barrier and blurring the line between anonymous users and named users, you're likely to gain a lot more of the latter.
Posted by Jeff Atwood
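The anonymous-cookie-to-named-account flow described above, sketched as an added example; it is not code from this post or from Geni, Netvibes or Pageflakes. `AccountStore` and its method names are hypothetical, an in-memory dict stands in for the site's database, and the cookie is an opaque random token rather than the visitor's email address.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 600_000  # assumption: tune to your own hardware budget


def _token_id(token: str) -> str:
    # Only a hash of the cookie value is kept server-side, so a leaked
    # session table cannot be replayed as working cookies.
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccountStore:
    """In-memory stand-in for the account and session tables (hypothetical)."""

    def __init__(self):
        self.accounts = {}  # account_id -> {"email", "salt", "pw_hash", "prefs"}
        self.sessions = {}  # sha256(cookie token) -> account_id
        self.by_email = {}  # normalized email -> account_id

    def _issue_cookie(self, account_id: int) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits, carries no identity
        self.sessions[_token_id(token)] = account_id
        return token

    def start_anonymous(self) -> str:
        """First visit: create an account with no email and no password."""
        account_id = len(self.accounts) + 1
        self.accounts[account_id] = {
            "email": None, "salt": None, "pw_hash": None, "prefs": {},
        }
        return self._issue_cookie(account_id)

    def resolve(self, cookie: str):
        """Map a cookie value to an account id, or None if it is unknown."""
        return self.sessions.get(_token_id(cookie))

    def set_pref(self, cookie: str, key: str, value) -> bool:
        account_id = self.resolve(cookie)
        if account_id is None:
            return False
        self.accounts[account_id]["prefs"][key] = value
        return True

    def prefs(self, cookie: str):
        account_id = self.resolve(cookie)
        return None if account_id is None else dict(self.accounts[account_id]["prefs"])

    def upgrade(self, cookie: str, email: str, password: str):
        """Turn the anonymous account into a named one, keeping its data."""
        account_id = self.resolve(cookie)
        email = email.strip().lower()
        if account_id is None or email in self.by_email:
            return None
        account = self.accounts[account_id]
        if account["email"] is not None:  # already a named account
            return None
        salt = secrets.token_bytes(16)
        account.update(email=email, salt=salt,
                       pw_hash=_hash_password(password, salt))
        self.by_email[email] = account_id
        # Rotate the cookie at the privilege change: a copy of the old
        # anonymous cookie must not become a login to the named account.
        del self.sessions[_token_id(cookie)]
        return self._issue_cookie(account_id)

    def login(self, email: str, password: str):
        """Second machine or browser: email + password yields a fresh cookie."""
        account_id = self.by_email.get(email.strip().lower())
        if account_id is None:
            _hash_password(password, b"\x00" * 16)  # keep timing comparable
            return None
        account = self.accounts[account_id]
        candidate = _hash_password(password, account["salt"])
        if not hmac.compare_digest(candidate, account["pw_hash"]):
            return None
        return self._issue_cookie(account_id)


if __name__ == "__main__":
    store = AccountStore()
    anon = store.start_anonymous()
    store.set_pref(anon, "layout", "3-column")
    named = store.upgrade(anon, "visitor@example.com", "constructed-passphrase")
    print("old cookie still valid:", store.resolve(anon) is not None)
    print("prefs carried over:", store.prefs(named))
```

Because the cookie never contains the email address, knowing someone's address is not enough to present a valid cookie for their account.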
I happen to be making a website. We just so happen to have a current login barrier once you try to get into the meat of the website. I think that will have to change after reading this post. I'll submit it to my boss.
I guess it all stems from the fact that users don’t have the time. They don’t have the time to watch your brilliant flash intro, read through amazing introduction, navigate through overly secure registration process and wait while your extravagant images load to their browsers. Most users are there by accident and have the attention span of a two year old.
So smart sites went from: “register to see”, “register for free” to “use existing demo account”. Nobody has the time to explore your site – you either put up or get closed (RC + D,L on my mouse gesture plugin :)).
I agree with you that registration barriers turn people away.
Recently, instead of forcing users to create an account specifically for my sites, I let them use their Facebook account through the Facebook API. It saves them time since they don't have to enter in any info and you can also use their info such as a profile picture, to make your site more friendly. Then I also don't have to worry about security problems as well. And when the target audience is college students, most will already have a Facebook account.
When logins are in your face, there's always bugmenot.com !
Well, it would be wrong for Facebook to let you see a private note or message without confirming your login identity.
It is however silly to put a barrier on public "facebook-wide" documentation like the API docs or help pages.
I wonder if someday they will add a "public zone" so you can post notes that are accessible by URL without logging in. That would lead to some sort of dichotomy where your facebook account has a blog-like public facet a la myspace (but prettier).
The "New York Times" does not get away with the login barrier either. News is news and should be easily accessed or I will go to another site (which I do).
There even are sites which will hold your "personal" (still anonymous) data without having any account feature :
Favorites are held on the server and the key to this is your session ID stored in your cookie...
Interesting site about distributed user identification (I have not read it yet) :
You mean a little like a blog that requires you to install beta software just to read a blog entry because someone foolishly forced a redirect to the install site if it isn't already installed?
I know of a few INTRANET sites that require users to log on!
very nicely done. and it's cross platform :)
I'd love to see search engines delist any sites that require logins to see non-paid content.
What are they after except the hope of catching email addresses to sell to spammers?
I think reddit would be a good example of a site that's gone to efforts to eliminate the login barrier. First time you try to do something that requires a login, it pops up a box asking for a username and password. And that's it, after that you have an account, and you're logged in.
I responded to this on my blog
Although I am extremely turned off by many sites that require logins to see what appears to be ‘trivial’ information I would not use API documentation as a way to degrade them on how ‘brilliant’ they are. How about this concept? Why would I want some random guy looking at my API documentation when he has never used my service? In fact I wouldn’t even want you integrating with my application because you don’t even understand its uses and my audience.
I hate logins as much as the next guy when I want to ‘try’ a service, but looking at API documentation is not intent to ‘try’ a service. If you plan on integrating with a system why don’t you learn something about the platform first, and since Facebook is a rather robust social networking platform it would make sense ...
A while ago I was looking to buy a health supplement from a website that I cannot recall the name of.
In order to see the price of the item I was interested in the website required you to register ... I kid you not.
I was utterly amazed at this and emailed the webmaster of the site - basically saying that I thought this was ridiculous... their reply was that several thousand customers a week would disagree with me .... but then I wonder how much business they were losing to this particular form of login-barrier.
Whenever I see a login page to download a file, I search the file name on Google so I can get it from somewhere else. I got so used to it that I barely noticed how bad login requests really are.
Rafajafar, nice, I came back here just to mention the openid.net project.
Indeed, the Facebook executed the technical side of the platform launch very well, but the support side has a lot of *facepalm* moments.
If it's any consolation the documentation you get once you're in doesn't really clarify "Just what is the Facebook platform and FBML?" I was in on the beta and it took me like two weeks just to figure that out. Haha.
I wrote up what I know so far: http://20bits.com/2007/06/04/an-introduction-to-fbml/
Hopefully that helps someone.
I totally agree with you. Facebook has been successful, I feel, *because* of the requirement to create a profile to interact with any aspect of the site. Once you've got a profile, your friends find you and it's all over, you're officially hooked on Facebook.
A perfect example is http://www.fatdoor.com/ that was in the tech press this past week. They ask a lot of info up front and don't tell you how it will be used or displayed.
Amen. I can't even count how many websites I've gone, "hey, that looks neat!" *click* "oh." *close*.
Dang, and I was just going to send you an invite to Facebook...
I'm pretty sure ASP.NET's Membership Profile feature set supports this functionality of starting with an "Anonymous Profile" and later associating with a new user. I'd have to dig, since I haven't had a need for it lately, but I remember seeing it when poking around in the docs.
I already noticed this problem, so when I redesigned my website, I made sure that not only would people not be intimidated by the login block, I also made sure that my website was more inviting for people to converse.
I don't know if it is still the case, but a few years back, I was terribly frustrated by the fact that Oracle made me create a user profile just to search the online docs.
I think that so many sites are just doing what has been popular for years in the online world. I know that one of the main reasons that I started learning PHP way back when was to create a membership system. There are a fair amount of developers out there who have the user login for no better reason than the fact that they wrote one up and wanted to implement it.
Personally, the main reason that I ever used login systems was to try and thwart robots from posting stuff on my sites. Now that CAPTCHA is easy to implement, and something that many sites use, I think that we should abandon the standard user login and just use the CAPTCHA, unless of course you have information that MUST be stored and linked to a specific person.
Fast forward to 2007. Now the PHP-overburdened pages take up to 45 seconds or a minute of thrashing and flailing and churning, churning, churning on the overloaded servers in order to process the login php script. Then you wait some more while the server thrashes and flails some more, painting all that unnecessary eye-candy gradient-background shaded-button crap on the screen. Then you hit more login barriers on the new ebay. Almost every time you want to do something, you must login again...and again...and again... And each time, it's another minute to 45 seconds for the overloaded server to thrash and flail through its php scripts, access the mySQL database with your cookie info in it, compare it, and log you in.
Want to see a web page by people who do this? Who log you on FAST? Who NEVER use php to crap up the page with graphics junk and bog everything down?
Google home page. No gradients. No fancy buttons. No "latest news item" column updated by some f***ing slow-ass php script. And guess what? The google home page runs FAST.
I have timed the delay for php to paint all that shaded-button and gradient-background garbage on my screen for the Slashdot site, and I have compared it with the plain simple pageview of straight bare HTML and test-only in the Off By One browser. Running Mozilla Firefox 2.0.1, it takes more than a minute to paint all that shite on the screen and just give me the text of the slashdot site. 90% of that time is wasted serving graphics and flash and other junk from worthless infuriating ads, which must be splattered across the screen before the text content of the site even shows up.
It takes 18 seconds to paint the text-only HTML of Slashdot on my screen in the Off By One browser with graphics turned off.
KEEP IT SIMPLE, STUPID!
(Incidentally, in case you think it's my computer, bzzt. Wrong! 2.4 GHz P4 with 512 megs running Windows 2000 Pro SP4. It's not my OS or my machine, it's YOUR CRAP CODE, WEB PROGRAMMERS. KISS! KISS! KISS!)
Once upon a time there were no barriers, and the hackers owned everything. You can have an interface that is easy to use, or secure. Pick one.
While I am not defending the practice of forcing a login to view developer APIs, at least it helps the vendor learn a little about who their potential attackers are.
Email addresses have one thing going for them... They're guaranteed to be unique. I do agree that the site should inform you they are using it for your Login ID though. Still, it’s a good practice to keep a garbage email around to use just for registering with sites. Microsoft will kindly give you a free one and you can use it to help reduce your main email’s spam.
And while you may end up getting more hits by not requiring logins to access demos and whatnot, you are definitely getting lower quality hits. I have registered on sites for applications where the developer has taken the time to follow up and on at least two occasions the resulting communications have convinced me to buy their product.
In one site I helped develop, I threw out the idea that we only require an email address (with all appropriate "we won't email you, ever, or sell this to someone else" disclosures).
Using just that way of identifying yourself, you get a large portion of functionality. But if you wanted the power to do more (some financial stuff) you had to go through the full rigmarole to setup. At that point the user was pretty comfortable with us and didn't mind. Plus, when dealing with anything money related, a user normally WANTS to lock it down as much as possible.
If your site really doesn't contain confidential info, then why make users give you some of their "secret" information?
Just make an account with a free email address, login, get your stuff and never return
when you receive too much spam, get another one
a lot of people do this, forcing registering gives a lot of 'ghost' accounts.
mclaren: Though you seem like a troll, I'll bite... if it's taking you a minute to load slashdot there's something wrong on your end. It always loads in just a couple of seconds no matter where I use it from (which, I must admit, is many places and often...)
I too find login screens frustrating. I'm tired of having to create a login and go through the bother of registering, and having yet another login to remember, just to poke around on a site, or read an article. Quite often unless I really need the info, it's click...oh, well never mind then, and off to another site.
I forget what site it is, but whenever I'm searching for help on technical issues there is one site that often comes up at the top of search results. Something with Tech in the name, and it requires you to login before you can see the tip or discussion post you are looking for. Argh. So usually I don't even click on their links in search results anymore. For me it's not the giving them my email that bothers me, I have a junk account for that... it's the time it takes.
Well, I once was involved in a website where everything was private, so the standard method to starting a page was to automatically check for authentication. The only two pages where this didn't happen was the login page and the registration page. It's possible that they used the same system considering the guy I worked with on said project also got a job with Facebook later on, so he might have continued that practise there...
http://openid.net = the end of login barriers. Learn it, live it, love it.
Companies are really digging it too. Could be used for websites, IM services, even gaming.
These sites are only applying an old paradigm to a new brand of site.
On-line stores thrive on anonymous use. Stores like Amazon, for many years, have allowed users to stock a shopping cart without logging in. The shopping cart is tied to the browser, so if you go back two days later, all the items selected remain in the cart, all without logging in.
The interesting thing is how poorly things were being designed in the first place. Why would a site like Netvibes need much information from me? Geni is static enough where they could almost store a passkey like the old Metroid passwords on my computer and not keep a single thing on their own servers. Online stores need things like addresses and credit card numbers to operate properly, but for years they've been set up to not require the user to provide that information until late in the process.
The idea that online stores figured this out before most of the rest of the Internet is strange.
The biggest reason I haven't signed up to facebook is that you can't actually look at the site until you've signed up. Rubbish.
The website (http://developer.facebook.com/) does not require any login anymore.
And to the parent above, Ben: One of the reasons why Facebook is so popular is its fine-grained control of PRIVATE social networks.
Nobody can see what you don't want them to see.
Comcast, OTOH, keeps redirecting to itself forever if you have cookies blocked. It's so hostile it's Comcastic.
Too often there's a disconnect between the site visitor (who's looking for an anonymous one-night stand) and the site owner (who wants the guy to come up with an engagement ring first). There's the crude saying "I wouldn't ___ her with someone else's ____"... but if you would, that's basically what BugMeNot is.
"I'm not so sure the Facebook folks are "brilliant on several levels" if their API documentation was placed behind a login barrier, even if for only a few days."
Heaven forbid they have a small error that they corrected quickly. HEAVEN FORBID.
On a related subject you know what else I find bafflingly stupid? Required fields in optional questionnaires. They're all over the place. Pretty much every questionnaire I have ever filled in (And I'm a generous fella' and will fill in quite a few) has them.
I can understand the desire to gather as much information and connect it all together, but as soon as I see an optional questionnaire REQUIRING my postcode or sometimes even email (depending on how much I trust the source) I'm gone.
Surely they can make use of the information I am willing to give? Their loss I suppose.
Another great example of this is when an online site forces you to sign up just so you can see what the shipping costs would be, or even worse the price. Oh, I'll "sign up" alright... hello Mr. Fljadfljsdfljad of 1234 Main St. Anytown, USA 20001 nice to see you.
I think that facebook/myspace/etc. are sticky enough that they are used to the login requirement driving membership, not turning people away.
Probably. I suspect that Facebook's devs may not have a lot of experience producing things for developer consumption. For their sake, I hope they quickly figure out the developer mindset.
By the way, this obnoxious requirement of obtaining an API key is 1 of my biggest pet peeves when I try to make mashups.
I agree with you 99%, however some sites by their very nature must require a login barrier (or at least I seem to think so).
Take my newest site for example: www.radiocurrents.com
This site provides music and other downloads for radio stations provided by record labels. The level of security that we have been asked to have by the record labels prevents us from allowing any content to be really shown without not only forcing them to register but to verify that they are who they say they are.
I think it's a very special case, but wanted to point out that the case does seem to exist, though as you said, the barrier is usually there more times than it is truly needed.
I find having to log in is not the only barrier, though it is a major one. To pimp my blog a little, I wrote a post on how annoying it is both as a user and a developer to have to create a social network for every site (http://icr.vox.com/library/post/a-global-social-network.html).
I like the sound of Netvibes and Pageflakes, it obviously makes things a lot easier. Though I would probably find myself a little irked when I, having used it and not signed up, went to another machine and wanted my customized content.
I'm liking the current trend to use email as the person's ID. Primarily because it means people are more lax about what characters they allow in display names, so I can have my square brackets :P
Jeff made a great point. What's the benefit to the user? If you are making them login, just so you can track how many people are accessing your stuff, then you just created a barrier. If that login gives them access to lookup stuff that's related to just them, that's a reason to have a login.
But let's not forget an ancillary benefit for having a login is protection against identity theft. For example, if Jeff's responses to posts weren't orange, anyone could post a response with the name "Jeff Atwood".
Even in that case, just because you want to offer the ability for people to create accounts, you shouldn't restrict your site functionality to just people who have accounts. ImageShack.us does a great job of that, you can upload a picture to be hosted with or without an account. But if you have an account, you can go back and manage and control the pictures you have uploaded.
Hey, who moved my cheese!?!?!
A login barrier is a tactical element in a site; Facebook uses theirs to create a sense of privacy and exclusivity.
Their growth rate shows that this is working just fine.
Logins are not and never will be an issue. My point of view: shoot all the smart arse half baked web developers who think that 5000 lines of script is what it takes to display a button in a web page. It's not rocket science. Too many people write their little blogs and have a whinge; the reality is that over fifteen years the line speeds have gotten quicker and quicker and loading of web pages has gotten slower and slower. Want to complain about typing half a dozen text characters in a box? Wow, you really are at the bleeding edge.
I think that the login barriers are a valid hurdle to leap. Every person that complains that they have to log in every time is also the person that has regular cookies turned off, scripting turned off, and wants their cart to still be there three days later.
Seriously, with AutoFill for registration pages and login remembering, the browser reduces most of my registration pages to a 1 click event and the login pages to a Submit click. The browser is doing the heavy lifting, no permanent cookieing needed.
I completely agree on this. I believe this is not only for the documentation, the users should be able to even try/use your application without a login. This is what we have done on JotForm. I posted what I think about this subject here:
This is exactly why we need openid (http://en.wikipedia.org/wiki/Openid). I wish I could login everywhere by typing my gmail address, and then letting google handle the authentication. Fortunately, that seems to be the direction we're heading in.
Jon Raynor makes a good point on the Facebook API... The CRM vendor we use restricts people who can access the API documentation to paid partners and customers. If you are paying your software maintenance fee then you're not going to be able to access the documentation. But still, if I don't know what I am missing, am I really missing anything?
Chubber: The Login Barrier is not about a website requiring you to log in at all. It is obvious that preference persistance over a longer period of time or across different browsers or machines will require a login. The point here is that many sites require you to login (and, before that, register) before you can use the site at all. That is, you must sign up before you know if you want to sign up.
OpenID looks neat. I would love to see it implemented on a large scale.
Isn't OpenID just a sprawling Carnivore-like creature in the hands of who-knows-whom?
Funny, I did the same thing as you.
"Login!?! Spffff, whatev's, later."
And I left the page. Haven't gone back since. Capturing an audience is like ecommerce. You have to make it easy to get in, easy to buy in, easy in general.
Check out www.doodle.ch - proof that a login isn't necessarily required, even in circumstances where you might expect one.
Sun does something similar to a lot of the content on their sites. To get patches, documentation, applications, and their troubleshooting information you have to sign up.
However, since they no longer charge for their software they want all their users (who tend to be enterprises) to have a support contract with them. Some of those can be affordable for a user (~$300 per annum) when I was considering signing up.
It's a change that I don't completely agree with but I understand why they have done it. Though it's annoying that I have 3 different Sun IDs that are tied to my previous employer's email addresses and I have forgotten the passwords.
Generally I think that for technical info it's okay to have a signup process as long as it is very short and easy. Just ask for an email address and password. If the person wants maybe more access such as access to the source then maybe the name, address, and other info. However this only applies to non OSS projects.
What really gets annoying is trying to remember your login name and password for multiple sites!
I try to use the same name/password combination for all of the sites I feel the need to login to but sometimes it just is not possible.
So, what's a developer to do? Well, the STUPID thing like everyone else that is not autistic and can't remember dozens of login names and passwords. I write them down somewhere (Oh network gods of security shudder!) I simply have no other choice; I have to do this to be able to access the site later.
So, remember, if your site does not absolutely positively gotta hava hava gotta login then DON'T DO IT. Or I might just blow your site off for ALL of the above reasons.
Stores like Amazon, for many years, have allowed users to stock a shopping cart without logging in.
This may be nice in some cases, but the total inability to obviously log in to Amazon drives me crazy. If I want to add an item to my cart for later purchase on any normal site, I log in, click "Add to cart", and log out again. On Amazon I have to carry out a poke-and-hope navigation exercise to get me to something that'll actually allow me to log in, in order to make my choice persistent. Logging out again doesn't seem to be possible at all short of shutting down the browser and restarting it. This is taking the principle of "don't force people to log in" a bit too far.
I think the friendliest signup system I've seen is that used by KGS (http://www.gokgs.com/). You give them a login name, then click guest to login without registering. If you decide you wish to register (which enables the site to track your statistics, maintain a log of game records, and other such user-specific features), you can. However, registration takes place AFTER you are already on their site; you register the name you just used to login as guest.
Pretty similar to choosing the game difficulty before even playing the game ;) in that you don't know what you are going into, or whether this registration is worth it.
MySQL is one of the worst sites as they want you to register to download and make it unnecessarily difficult to find the free version.
In any economy, the capitalist maximizes profits. How are these restrictions any different? Hits and views are the modern day currency, registered users are like diamonds. If a website has a banner, most likely they're trying to make money. Login data is gold to potential advertisers. Not logging in to see an API is an indication that you're not serious. So many tools to save passwords, browsers, cookies, if you weren't even a registered user in the first place that barrier was a brilliant idea. When a website is first launched, I think it's important to move these restrictions, but as it becomes established, they can't be bothered with the dissidents who only now want to see their stuff. The choice is yours. Coincidentally, comments are a great trap. That burning desire to be overly opinionated often leads me to register for some blog that I'll never remember my username or password to. This is one of the websites I'd have registered to comment on, it's great that I don't have to, though... am I logged in??
Facebook is back to prompting you for login when you click the doc link in the article. Apparently there's a force acting in opposition.
Microsoft's live.com offering has been doing this since at least the beta stage when you start personalizing your page. It issues a cookie and remembers you until you register/sign in via Passport. After that, the connection between cookie and account auto signs you in. And to be fair and balanced in the reporting, the new iGoogle also seems to have this as well.
I am sure that some smarty pants out there will point out that some other obscure site has been doing this even longer.
You also assume that Hotmail uses PHP, when, with it being a Microsoft product, it is more likely to be using .NET.
Now I understand how a PHP/mySQL site can be slow, but you're preaching to the choir here. It's an interpreted scripting language; if you want speed, work in .NET or JSP.
I will say that reading your ignorance-laden rant brightened my morning though. I hope you're not a professional web developer.
Depends on the site. Sometimes you want the brick wall (Banking, Financial). Sometimes people pay for the privilege, for example New York Times.
For the API documentation, maybe you have to be a Facebook partner to view the documentation (just guessing here).
If there is a login, there should be a good reason (business or otherwise) why it is in place.
Anyway, if you're making a public site, some content/actions should be viewable without logging in to allow casual users to experience the website. If they want more, have them create an account. All they need is an ID and password so they can login at a later date.
You could just use their email as their ID, but if you're storing the email in a cookie, then all you would have to do is replace the email address with the person's email to impersonate them, so maybe challenge response is better.
Yes, this does make sense!
I came across this same thing a few weeks back when we accidentally put Twiddla live. In the morning, we required a simple username+password+email(optional) to try the thing out, and were getting plenty of people trying it out. In the afternoon, I pushed a new build that didn't require an account to demo the app. There was an immediate 4X spike in traffic into the application itself.
Certainly sold me. Graphs and a writeup of that experience can be found here: