This is just one of the reasons you shouldn't build your business on someone else's platform - others include the possibility that they'll charge you for the service later, cut you out of a relationship with your own customers, shut you down for their own reasons, require you to use their services like a store to the exclusion of all others, copy your idea and crush you by giving it away for free, squeeze your margins until your business is no longer viable, or simply make your business impossible because of indifference to your requirements.
That the service may be unreliable and it's one more point of failure is just one of the reasons why it's a bad idea to depend on FB (or Twitter, or G+ login) for your logins, and this is why their attempt to subsume the web with corporate corrals will ultimately fail.
I agree with you in principle, however you are ignoring the business value the external auth provides. Specifically there is a large subset of potential users who can not be bothered to sign up for your site via email, but will login with Facebook.
If you want to take advantage of this market then there are ways to use Login with Facebook without being wholly dependent. Basically if you have full account management, but you allow third-party authentication that ties into that account, especially allowing multiple OAuth providers to be linked to a single one of your internal accounts (e.g. see how Stack Overflow works), you can significantly mitigate the downside.
The purist and old-school web head and open standards guy in me hates it, but you can't argue with the business case for it.
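The account model described in the comment above (a site-owned account with several third-party identities linked to it), as an added example that is not part of the original thread. `AccountStore`, `LinkError` and the provider/subject values are hypothetical, and the sketch assumes the provider's token has already been validated before `link` or `login_with_provider` is called.

```python
from __future__ import annotations
from typing import Optional


class LinkError(Exception):
    """Raised when a link/unlink would break an account invariant."""


class AccountStore:
    """In-memory stand-in for the site's own user table plus a linked-identity table."""

    def __init__(self) -> None:
        self._password_hash: dict[int, Optional[str]] = {}      # account_id -> local credential
        self._identity_owner: dict[tuple[str, str], int] = {}   # (provider, subject) -> account_id
        self._next_id = 1

    def create_account(self, password_hash: Optional[str] = None) -> int:
        account_id = self._next_id
        self._next_id += 1
        self._password_hash[account_id] = password_hash
        return account_id

    def identities(self, account_id: int) -> set[tuple[str, str]]:
        return {k for k, owner in self._identity_owner.items() if owner == account_id}

    def link(self, account_id: int, provider: str, subject: str) -> None:
        # `subject` is the provider's stable user id, not an e-mail address,
        # because an e-mail address can later be reassigned to someone else.
        if account_id not in self._password_hash:
            raise LinkError("unknown account")
        owner = self._identity_owner.setdefault((provider, subject), account_id)
        if owner != account_id:
            raise LinkError("identity already linked to another account")

    def login_with_provider(self, provider: str, subject: str) -> Optional[int]:
        # The session is issued for the internal account id, never for the provider id.
        return self._identity_owner.get((provider, subject))

    def unlink(self, account_id: int, provider: str, subject: str) -> None:
        key = (provider, subject)
        if self._identity_owner.get(key) != account_id:
            raise LinkError("identity not linked to this account")
        remaining = self.identities(account_id) - {key}
        # Never strand an account: keep a local credential or another provider.
        if not remaining and self._password_hash[account_id] is None:
            raise LinkError("refusing to remove the last login method")
        del self._identity_owner[key]
```

Because sessions hang off the internal account id, losing one provider removes one row from the identity table rather than the user.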
>there is a large subset of potential users who can not be bothered to sign up for your site via email
There is a simple solution to this. STOP ASKING USERS TO SIGN UP! Do you REALLY need to collect the user's e-mail? Do you REALLY need them to have an account at all? If you do, then when they register don't ask for their e-mail address if it isn't necessary, or at least make the e-mail address an optional field. Hacker News never asked for my e-mail, because there is no need for them to have it. I probably wouldn't have made an account if it did require an e-mail address.
Sure, it's a trade-off, we probably just disagree about the level of risk involved and the benefits gained.
As you say with FB login there are ways to mitigate that risk, but to take one example - if FB charge for the service in future at 0.01c per use, many of your users will still want to login with FB because it's easier for them, and you'll be stuck with the bill. This happened with sites using google maps in 2012 when they started charging - each of these decisions has to be weighed up individually as a risk, but I think login is too important to delegate to another site and a significant addition of complexity and risk.
It's not one level of risk-reward, you need to take a look at your specific case to make the call. Formulating a blanket opinion about this outside of a specific context is not wise.
That said, your example doesn't demonstrate much risk at all. What are the incentives for FB to start charging for this? It just doesn't make any sense for them to give up that data and that control to try to squeeze existing site operators out of a buck. I mean, never say never, but the risk is much less than it was with Google Maps where you always had to be asking what Google was getting out of this expensive and difficult-to-build-your-own service.
Facebook deleted my personal account and disabled all my fb API keys for releasing an app for Instagram that they claim violates the Instagram tos. The app has nothing to do with Facebook. This was done with no warning.
It's naive to assume that a company will defend their subsidiary. I am not condoning how they treated you but your assertion that the app has nothing to do with Facebook is incredulous.
What are you talking about? Everyone has to depend on some infrastructure to provide their service. I'd imagine pretty much every hosting platform (from amazon to dreamhost) has less reliability than facebook.
Sure, but the more external components you tie in to the bigger the chance that one of them will be down. So you try to keep such dependencies to an absolute minimum otherwise you end up with the joint downtime of all those services.
External dependencies increase failure points, no argument there.
It depends on your line of business, but if you compare the benefits of making user signup faster, lowering acquisition barriers and getting access to the social graph of users against the risks of depending on one of the top infrastructures in the cloud, I think it may well be worth the trouble.
You're both right, if you talk about different sorts of risk. There's far more chance that you'll get authentication wrong than Facebook -- and that's a risk. It's probably more likely that your authentication service will go down than Facebook's. But if it's all yours then Facebook has no control over you, so that's one less risk.
As for which risk is the most important risk, well, that's up to your business to decide. But nothing is without risk, all you can do is choose which to expose yourself to.
(S)he's talking about if you rely on an API/Third Party service over hosting.
You can pack up your application and move it to Amazon/Rackspace/DigitalOcean, but if you use Facebook login exclusively or use a third party API for a core service and they decide to change (as GP suggests), you're fucked.
Using it for logins is really questionable. But if you are, for example, building a game for Facebook, it gives you many advantages, so occasional downtime is not really the biggest issue. Let's check the things you wrote about in gaming context:
- charging for the service later TRUE (viral is dead, you pay for the ads to get new players in)
- cut you out of a relationship with your own customer - somewhat FALSE (you can request e-mails from your customers, and have a direct contact afterwards). Even with fan pages, they are not cutting you out, but merely asking to pay to get your message to them
- require you to use their store TRUE, but every other platform does the same
- copy your idea and give it for free. FALSE - Facebook never made a game AFAIK
- squeeze your margins. TRUE. I do notice that Cost Per Install for my games is getting higher the more I advertise, and that it suddenly jumped from about $0.15 per install to $0.50 per install a few days ago - about the same time when they switched to the new payment user interface.
Sure, but by giving them your users log-ins you are telling them how popular you are so they can sit back and wait until you reach a certain threshold or velocity. Why give a would-be competitor extra information?
Programming use of logical operators and regular speech are not compatible. I agree that this is a bug in the English language but this is a forum, not a computer program.
I'm having a bit of trouble finding the maintainer. Possibly OED, but they don't have much in the way of API documentation and I still haven't found the revision history for the source to submit a patch.
In this case "and" means "in addition to". "when you make a mistake" describes one set of situations, "when facebook makes a mistake" describes another set, and the "and" acts as a union operator. Nothing illogical here, though you might argue that English is ambiguous.
Even if I don't know you I feel pretty confident that it is more probable that you are messing up the login than FB. So the chances of downtime are lower. The business value is another topic...