[bobwaycott]

> We've spent a lot of time working on every aspect of login, so that startups don't have to.

Really? I find this claim to be suspect and very disingenuous. The reason FB spent a lot of time on login was so startups don't have to? It wasn't, say, so your users would be secure ... and then a later realization hit that you could subsume startups into the FB universe by letting them use it?

If FB wanted to solve the login problem so startups don't have to, why not offer a standalone, drop-in login solution that doesn't require devs to hook their apps into FB, to have dev accounts, to get user info from FB, to display the Facebook brand, etc. etc. etc.

> Your job is to build whatever technology differentiates you from your competitors, and make it worlds better than theirs.

Probably best to think that, just like Facebook, every startup's "job" is to take care of their users, protect their information, and deliver a quality experience. And each startup is the only one capable of determining the value of doing it themselves.

> Any time you spend pfutzing with password hashing, building a better password recovery flow, or arguing about how to fail when people type in the wrong password is time you could better spend making a truly wonderful product. Unless you're trying to build a startup that helps people login, any time spent on this is better spent elsewhere.

You really do like taking this just that much too far, don't you? I consider the way startups and applications handle authentication, signup, etc. to be an integral part of how I determine quality of the product. And even though I have a Facebook account, whenever someone makes me go through Facebook, it fucking destroys any semblance of a nice user workflow.

When a startup spends time helping me signup and login to their service, I notice. And when they don't, I typically hear in the back of my head, "Fuck it, just slap Facebook on it. Problem solved."

[mkjones]

Shoot - sorry if I came across as disingenuous! You're right that a lot of the reason we spend time on login is because we want our users' accounts to be secure - but a big advantage of our API is that we extend all that work to third parties. I think it is actually a pretty good drop-in login solution, but you obviously have to have some setup associated with it (the user needs to understand to whom they're disclosing their identity, etc). You don't need to ask for any permissions or query any data (though of course I think you can make things a lot more compelling if you do in a lot of cases).

Agreed that companies should determine how to deliver a great experience. In my opinion, a two-click login with something like FB is a much better experience than registering with another password and confirming your email address, and worrying about what the site's security is like (how do you evaluate this?). It sounds like we'll just have to agree to disagree here.