Step 3: Planning Authentication and User Management for the Facebook Login Button
In rare cases, you can get away with using the Facebook login button as your only user registration and authentication option. There are a number of pros and cons to doing that. The pros are that you have less code to write and manage, and many of the security considerations are handed over to Facebook.
The cons are that if the only login option you give your users is via their Facebook accounts, users who do not have a Facebook account will not be able to log into your site. Even if they do have a Facebook account, they may not want to associate their account with your site -- especially if they only recently discovered your site and may not trust it.
Most sites that offer to log in with Facebook tend to have a dual registration process: Facebook and a native registration/authentication process that is done through some authentication library. You will have to plan for your site to either allow multiple accounts for one person or provide a way to merge the different registration paths into a single account.
Step 4: Managing User Uniqueness and Security with Email
Since email addresses are all unique, many sites use the user's email address as the unique identifier for logging in. However, there are a few security concerns with using the email as the unique identifier when enabling Facebook login on your site:
- The first time a site visitor logs in with their Facebook account, you should check whether this user's email already exists in your database. If it exists, simply log them in. If you are also pulling extra profile information, such as a postal address (which changes often), this is also the point to check whether that information has changed and update it.
- If you do not have the user's email in your database, that does not mean that the user isn't already in your database. Just like a single person can have many accounts on a site using different aliases or email addresses, the user account created from the data pulled from Facebook will be a completely new user if the email address isn't the same. That might really confuse the user who wonders what happened to all their data from the account they might have created.
One good solution to help your new users understand how the Facebook login button is meant to work is to include an explanation of what just happened in the welcome email. Since many people do not read welcome emails, you should also add notes and alerts throughout your site, explaining the same thing to the user. The combination of email and various help messages on the site will help them understand how the Facebook login button works on your system. Chess.com has a very nice example of how to do this well. On their Facebook registration page they go over all the possible options so that the user chooses each step on their own, and what is happening is very clear.
- It is also important to be aware of the session expiration durations on your site and on Facebook. If you use sessions to manage user logins, one of the two sessions (Facebook's or your site's) may expire before the other, so decide up front what your site does when the Facebook side expires while your own session is still valid.
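The lookup-then-link flow and the two-sided session expiry described in this step, as an added Python example (not code from the original article or from Facebook). The in-memory `UserStore`, the `profile` dictionary and the `token_expires_in` value are assumptions standing in for your database and for whatever your server-side token validation returns; it also assumes the provider has verified the email it hands you, since linking on an unverified email would let anyone who claims that address log into the existing account.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

SITE_SESSION_MAX = timedelta(hours=12)  # assumed site-side session lifetime


@dataclass
class User:
    id: int
    email: str
    facebook_id: Optional[str] = None
    postal_address: Optional[str] = None


@dataclass
class Session:
    user_id: int
    site_expires_at: datetime      # when our own session ends
    facebook_expires_at: datetime  # when the Facebook access token ends


class UserStore:
    """Hypothetical in-memory store; a real site would query its database."""

    def __init__(self) -> None:
        self.users: list[User] = []
        self._next_id = 1

    def by_facebook_id(self, facebook_id: str) -> Optional[User]:
        return next((u for u in self.users if u.facebook_id == facebook_id), None)

    def by_email(self, email: str) -> Optional[User]:
        return next((u for u in self.users if u.email == email), None)

    def create(self, email: str, facebook_id: Optional[str],
               postal_address: Optional[str]) -> User:
        user = User(self._next_id, email, facebook_id, postal_address)
        self._next_id += 1
        self.users.append(user)
        return user


def link_or_create(store: UserStore, profile: dict) -> Tuple[User, str]:
    """Return (user, outcome) where outcome is 'returning', 'linked' or 'created'."""
    if not profile.get("email"):
        # Without a verified email there is nothing safe to match on.
        raise ValueError("Facebook profile has no email; cannot link or create an account")
    facebook_id = profile["id"]
    email = profile["email"].strip().lower()  # normalise before comparing

    # Prefer the stable provider id so a later email change does not split the account.
    user = store.by_facebook_id(facebook_id)
    outcome = "returning"
    if user is None:
        user = store.by_email(email)
        if user is not None:
            user.facebook_id = facebook_id  # attach Facebook to the existing native account
            outcome = "linked"
        else:
            user = store.create(email, facebook_id, profile.get("address"))
            outcome = "created"  # this is the case the welcome email should explain

    # Refresh frequently changing profile data on every login.
    new_address = profile.get("address")
    if new_address and new_address != user.postal_address:
        user.postal_address = new_address
    return user, outcome


def start_session(user: User, token_expires_in: int, now: datetime) -> Session:
    """Record both expiries so the site can tell which side lapsed first."""
    return Session(user.id, now + SITE_SESSION_MAX, now + timedelta(seconds=token_expires_in))


def session_state(session: Session, now: datetime) -> str:
    if now >= session.site_expires_at:
        return "expired_site"
    if now >= session.facebook_expires_at:
        return "expired_facebook"
    return "active"


if __name__ == "__main__":
    store = UserStore()
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    # Constructed profile, shaped like a minimal Facebook user record.
    user, outcome = link_or_create(store, {"id": "fb-1", "email": "Alice@Example.com"})
    session = start_session(user, token_expires_in=3600, now=now)
    print(outcome, session_state(session, now + timedelta(hours=2)))
```

Tracking the Facebook expiry separately lets the site choose its policy explicitly: `expired_facebook` can mean "keep the local session but require a fresh Facebook login before any action that needs Facebook data", while `expired_site` always forces re-authentication.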
Step 5: Building Trust with Your Users
It is important to point out that the Facebook login button can be quite confusing for end users. The button says "log in," but the first time the user logs in an account is actually created for them so that the next time they log in their actions can be associated with previous actions. This works to help the users, but many people find this behavior a bit suspicious when they use the button just to log in and suddenly get an email telling them they created an account.
Use helpful messaging throughout the site so that your users are well-informed about what to expect when using the Facebook login button.
Step 6: Dealing with Passwords
You never receive the user's Facebook password, so for accounts created through the Facebook login button there is no password to hash and store in your database.
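What this means for the dual registration setup from Step 3 is that a Facebook-only account has no password hash at all, and the native login path must treat that as "cannot log in with a password" rather than as an empty password. The following added Python example (not code from the original article) shows a salted PBKDF2 hash for native accounts and a login check that refuses password login for accounts without one; the `users` dictionary and its `password_hash` field are assumptions standing in for your user table.

```python
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing salted hash: algorithm$iterations$salt$digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: Optional[str], password: str) -> bool:
    """False for Facebook-only accounts (no stored hash) and for wrong passwords."""
    if not stored:
        return False  # never let an account without a password accept one
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: fail closed
    if algorithm != ALGORITHM:
        return False
    calculated = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(calculated.hex(), digest_hex)


def native_login(users: dict, email: str, password: str) -> Optional[dict]:
    """Hypothetical native login: users maps lower-cased email to a user record."""
    user = users.get(email.strip().lower())
    if user is None or not verify_password(user.get("password_hash"), password):
        return None
    return user


if __name__ == "__main__":
    # Constructed user table: Alice registered natively, Bob only via Facebook.
    users = {
        "alice@example.com": {"password_hash": hash_password("correct horse battery")},
        "bob@example.com": {"password_hash": None, "facebook_id": "fb-2"},
    }
    print(native_login(users, "alice@example.com", "correct horse battery") is not None)
    print(native_login(users, "bob@example.com", "") is None)
```

A user like Bob who later wants a native password goes through a "set password" flow that writes a hash into the record; until then only the Facebook path can authenticate him.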