It's a bit of an improvement. On the other hand, if that one account is hacked, it gives access to everything else as well. Moreover, you can even get a list of applications/sites tied to that account. Which makes it arguably even less secure.
If we want people to be safer, we should teach them how to use a password manager to generate a unique password for every site.
And since access to passwords requires two things (the password to the password manager and the password database), it's arguably more secure, even with a weak password.
Arguably, if you root someone's box you could install a modified TLS stack that would allow for a MITM attack to capture the 2FA login flow. (But this would obviously be a little more difficult.)
Why do you think users want to own their identities?
Users, when you ask them, want a service that handles the backup and synchronization of their identity between all their devices. Users don't want losing the device their keys are on to mean losing their identity. Users want to be able to join a new device to their identity by just entering their username and password on it. Users want to be able to enter those credentials on random public computers to be able to temporarily use their identity on those computers, then log out when done. And users don't care about the security implication of any of this.
Currently, given this set of use-cases, "identity providers" like Facebook and Google work perfectly for users. Password managers don't.
I didn't say that any existing technology would meet this need, but there ought to be a way for users to have convenience and privacy. There are ways of syncing data without revealing it to the data host (Firefox sync, Tarsnap, BT Sync, possibly AeroFS).
It's up to those of us who actually care about such things to give users what they want in a way that gives us what we want.
> Still, I imagine the grand plan is to make Yahoo “cool enough” that people will actually want to use a Yahoo ID consistently. We’ll see how that one goes.
For what? As a consumer, what service does Yahoo offer that would make me want to get a Yahoo ID?
As a developer, Yahoo has a few interesting services but that's it. Yahoo's shopping spree is over but it did not make it more relevant.
Yahoo runs many services that have traffic that most start-ups here would die for. Number one finance site, number one news site, huge fantasy sports, Flickr, Delicious, significant search traffic. People on HN tend to dismiss them but we are indeed talking one of the most trafficked websites on Earth. I would say there is more value having a Yahoo ID than most other sites due to how much they offer.
A brief bit of googling shows Yahoo mail has similar numbers of users as Hotmail and Gmail, somewhere between 200-400 millionish, hard numbers aren't often announced.
Oh right, I guess I meant "not trendy". I know it's pretty widely-used, but it unfortunately and unfairly tends to elicit the same response as when someone tells you they use AOL for their internet.
Under Marissa Mayer's watch, Yahoo has been investing tremendous effort in refining the UX on their web/mobile properties like Yahoo Weather [1], Flickr [2], and Yahoo Sports [3].
Seems like they're giving people a reason to use their products, and then making a play to have an OAuth-level relationship with the users. Maybe they want visibility into how a user authorizes third-party apps (FB gets an awful lot of insight from FB connect!) or maybe they just want to solidify their user lock-in.
Either way, I can't imagine they justified the engineering work for massive redesign on seemingly not-profitable properties like Weather/Flickr without having a solid long-term plan for how to capitalize on that.
> Under Marissa Mayer's watch, Yahoo has been investing tremendous effort in refining the UX on their web/mobile properties like Yahoo Weather [1], Flickr [2], and Yahoo Sports [3].
Actually, the recent changes made me quit Flickr. It's now an ugly mixture of new and old (especially if you use the organiser, etc.) and when you are logged in (which is likely when you use Flickr) you get an unremovable, ugly, purple Yahoo bar.
I was a paying user since 2009. Now Smugmug gets my (and my wife's) money.
The Flickr redesign has been the worst UI change I've ever seen on the web. I've been on Flickr since 2007 and really enjoyed its interface - much like reddit (pre-custom subreddit styles) it was clean and fast. Now it's ugly, confusing and very sluggish.
This is the main reason why I have my Yahoo ID. I've been involved in many fantasy leagues on many platforms and Yahoo's has consistently been the best one year-in, year-out.
Who in their right mind would use their FB login on other websites anyway?
I personally tend to avoid it like the plague.
Every time you use it you grant another website access to your Facebook profile data.
I don't think I want to share that.
Now I know there's some security there, but honestly I don't trust it. Facebook is leaky enough as it is; I would rather not push my luck by giving permissions to unnecessary things.
My Flickr account is created with Google login. I wonder whether they'll force me into signing up for Flickr cause it's the service with most storage for photos out there (albeit the lack of desktop sync).
I can't remember my Yahoo login, I may have had one a decade ago. I don't really buy their excuse that removing social login helps in any way. As a developer, with social login, I have a username to link everything to just as much as normal server login. You can still have user records in your DB keyed on that, a settings page on your site that stores settings against that user, whatever you need. So how does removing social login improve personalization? I don't think it does. Just sounds like an excuse.
Why is it a horrible idea? I worked on the Site Integrity team at Facebook and I can assure you that protecting people's accounts from attackers is a fundamentally hard problem that very few companies are actually equipped to handle.
That's pretty uncalled for. If you met a Facebook developer in person would you talk to them like that?
Facebook provides a service people find genuinely useful, or they probably wouldn't keep using it.
Their business motives don't seem much different from other large businesses, and their impact on consumer interests seems minimal (e.g. compare them to Target's accidental pregnancy revelations – which is worse?)
They are pushing society in new and interesting directions on privacy, but I don't think that is necessarily a bad thing, nor is it their fault (e.g. the invention of personal cars changed society a lot, positively and negatively, but no-one blames car companies.)
On the substantive point, when you see the number of credential leaks and account hijackings out there, maybe telling most developers "You're too busy and inexperienced to handle this well; we have many well paid experts working on this" is a good thing.
Because it adds a single point of failure, and erodes privacy by irrevocably linking accounts. There have also been security fails with many single sign in systems (including at Facebook...).
I would say you have a very bubble-ized perspective of who actually uses Yahoo. You'd be amazed at the non-tech people that aggregate on their services.
I'm not talking (just) about security. It's about convenience. It's annoying to go through a million variations of registrations instead of approving the site with one click.
Unless I really, really, really want to use a service, I only use it if I can login with gmail or facebook.
I don't have time for your shit registration form or strange password requirements. I'm always logged into gmail and facebook, so those are always one-click accounts for me.
I understand wanting to become the identity provider, but the ship has sailed here.
Do you do your web browsing always logged into gmail and facebook? No criticism intended.
I use Chrome for accessing gmail, facebook, twitter, and linkedin - always logged in. For everything else I use Firefox with strong privacy settings. No overhead for me to do this, and this seems like a reasonable middle-road for privacy.
Yup, I do. I maintain pretty strict control of my physical security of the laptop. If anyone gets access to my physical goods, I have much bigger problems.
I have never been able to sign into Flickr with anything other than my Facebook ID. All attempts by me/Yahoo to create a Yahoo ID that wasn't locked in some self defeating loop failed.
I've never been a fan of Yahoo or for that matter Hotmail; they force an ID on you which is then hijacked by their email servers to spam all your contacts...again...and again.
Why can't Yahoo just die gracefully? Why do they have to inflict their death throes on Flickr users?
In all seriousness though, this is a good thing. FB login has become so prevalent, that not having it hurts more than it helps. At the same time, they used to change APIs so often, that keeping it working was a royal pain.
Although it's much easier to implement these days, especially with services like http://hull.io, it's yet another part of one's site/app to worry about.
Good for Yahoo!