I don't know about you, but I keep hearing stories about passwords, authentication and identity management in the real world. Of course, I read about and implement authentication strategies in my role as a developer. Hearing the morning drive-time radio hosts discuss these issues is a whole different ball game.
As I was parking at the South Florida Code Camp yesterday, the radio hosts were discussing a recent break-in and dissemination of Gawker user information, including usernames and passwords. Evidently someone did some data mining to determine the most commonly used passwords. Surprise, 'password' was #2, and '123456' is the most common password.
Despite the risk of identity theft, users hate the traditional username/password authentication routine. As soon as we start this dance with users, they quickly accumulate a collection of usernames and passwords they need to remember. This problem is known as ID Fatigue.
In my opinion banks are the worst offenders. They all have unique requirements that force you to pick a username you have never used before, and then an oddly-shaped password that doesn't follow your normal password routine. While I don't use the same password on all systems, I created a password algorithm that I understand so I can generate cryptic passwords.
This all adds up to friction that beats up your potential customer. I don't care if you are doing e-commerce, newsletter signup or a line of business application. Several studies reveal that end users will create new accounts rather than authenticate with a username and password they cannot remember. I can confirm this by examining the user account records in sites I have managed. Even worse, they bounce: they simply leave your site, may not purchase your product, or may not purchase anything at all.
If you have ever managed an e-commerce site you can see the number of abandoned carts. This is where users start the purchase process and simply do not complete the transaction. In fact the number of abandoned carts compared to the number of completed orders is radically high, maybe 10-20:1. That is terrible.
How Do You Increase Conversions with Authentication?
A few years back I heard about OpenId on a Hanselminutes. So I started to investigate what it was and how I could implement it. In fact I decided to submit a session to the Richmond Code Camp that year to force my learning. We had a great discussion about it that day.
I also explained it to my mother because I found she is a good single-person focus group for seeing how non-techies view something. She was confused, mostly because she had no idea who any of the OpenId providers were or why she should give them her personal information. Translated, she had no trust or confidence in these sites.
Since then social networking sites (Facebook, Twitter and various others) have grown up and earned vast amounts of trust from millions of folks all over the world. They have also offered their services to perform user authentication for you. Some, like Google, implement OpenId; others, like Facebook, do their own variation. But users trust them and will let you bounce from your site to their trusted provider to log in to your site.
As I was preparing for my Azure ACS talk this week, Blue Research released a market study for Janrain on how users view Social Sign-in and what it means to businesses. First it tells us that as much as 75% of our visitors will leave our sites when the registration/authentication process begins. This is also known as Registration Drop Off.
Think about this for a minute, what does that mean to the productivity and success of your application? It means lost revenues and lost efficiency. In the words of Yogi Berra, 'That's real money'.
Next the report shows users willing to use Social Sign-in are far more likely to actually buy or convert for you. If you think about this they have more trust in the Internet eco-system. The others have trust issues, or may not have a social site profile, etc. They effectively do not fully live an Internet life and would prefer driving to the store.
Finally the study shows that 66% think sites should offer Social Sign-in. I think this is huge, and a great opportunity for developers and architects to make our sites more successful.
So How To Implement Social Sign-In?
Rather than repeating what has already been written I am going to point you to some resources to help out. I do plan on filling in some gaps on integrating the various techniques in your sites and native mobile applications.
To work within the current Social Sign-In mechanisms you must become familiar with OpenId, OAuth, Simple Web Tokens (SWT) and claims-based identity. If you are working in the .NET stack, I also recommend using the Windows Identity Foundation. It provides a great library to help process claims-based identity.
Integrating Twitter Sign-in
Integrating Facebook Sign-in
Facebook .NET SDK (I was told there are some good samples for authentication)
Integrating Windows Live Authentication in your application (Not Sure How Current It Is)
Integrating Azure ACS
If you want to abstract away the techniques needed to implement each of these providers, the Azure Access Control Service (ACS) is a Federation Provider you should consider. In this case Microsoft offers a single service interface, ACS, that you need to implement. They maintain all the plumbing to interact with the other providers and Active Directory. As the providers update their services, Microsoft updates their interface so you don't have to. This is a huge gain in productivity because now you only have to maintain one interface, which hopefully does not change too often.
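Whichever provider the user bounces through, what lands back at your site is a signed token, and with ACS that is typically a Simple Web Token (SWT): form-encoded claims with an HMACSHA256 over them as the final parameter. Here is an added example, not code from this post or from the ACS SDK, of the checks a relying party must run on that token before trusting any claim in it; the signing key, issuer and audience values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlencode

# Constructed values: the 256-bit symmetric key a federation provider such as ACS
# shares with the relying party (in base64 form), plus placeholder issuer/audience URLs.
SIGNING_KEY_B64 = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()
ISSUER = "https://example-namespace.accesscontrol.windows.net/"
AUDIENCE = "https://relyingparty.example/"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"


def _mac(body: str, key_b64: str) -> bytes:
    return hmac.new(base64.b64decode(key_b64), body.encode("ascii"), hashlib.sha256).digest()


def sign_swt(claims: dict, key_b64: str) -> str:
    """Issuer side: form-encode the claims and append HMACSHA256 as the final parameter."""
    body = urlencode(claims)
    return body + "&" + urlencode({"HMACSHA256": base64.b64encode(_mac(body, key_b64)).decode()})


def validate_swt(token: str, key_b64: str, issuer: str, audience: str,
                 now: Optional[int] = None) -> dict:
    """Relying-party side: return the claims only if signature, issuer, audience and
    expiry all check out; raise ValueError otherwise."""
    body, sep, sig = token.rpartition("&HMACSHA256=")
    if not sep:
        raise ValueError("token has no HMACSHA256 signature")
    # Constant-time comparison so a forger learns nothing from how many bytes matched.
    if not hmac.compare_digest(base64.b64decode(unquote(sig)), _mac(body, key_b64)):
        raise ValueError("signature mismatch: not issued with our key, or altered in transit")
    claims = dict(parse_qsl(body, keep_blank_values=True))
    if claims.get("Issuer") != issuer:
        raise ValueError("unexpected issuer")
    if claims.get("Audience") != audience:
        raise ValueError("token was issued for a different relying party")
    if int(claims.get("ExpiresOn", "0")) <= (int(time.time()) if now is None else now):
        raise ValueError("token has expired")
    return claims


if __name__ == "__main__":
    token = sign_swt({"Issuer": ISSUER, "Audience": AUDIENCE,
                      "ExpiresOn": str(int(time.time()) + 600), NAME_CLAIM: "alice"},
                     SIGNING_KEY_B64)
    print(validate_swt(token, SIGNING_KEY_B64, ISSUER, AUDIENCE)[NAME_CLAIM])
```

The audience check is the one most often skipped: without it a token ACS minted for some other relying party in the same namespace would be accepted by yours.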
Identity & Access Control in the Cloud (PDC10) Vittorio Bertocci
Introducing new Features to Azure ACS Justin Smith
Access Control In the Cloud - Michele Leroux Bustamante
WCF and Access Control - Michele Leroux Bustamante
ASP.NET and the Access Control Service - Michele Leroux Bustamante
Azure ACS Codeplex resources. Disclaimer: I found some of the documentation and examples to be a little confusing. I plan on offering updates to clear this up in the next few weeks.
The traditional username/password authentication routine is still the predominant mechanism, but the natives are getting restless and asking for a different solution. Social Sign-in is a fresh way to authenticate users. These users are also more profitable, so you should start offering social sign-in as a way to increase user satisfaction and your bottom line.