How We Stopped Worrying and Learned to Love Social Login
We’ve been getting a lot of questions about using social login to register bikes. We know that social networks can be a hot issue for a lot of people, and so we thought it would be useful to explain what social login is in greater detail, why we require it, and what you can do if you are concerned about your privacy.
Here’s the super quick summary:
- We strive to build the best service to protect your bike
- We believe that mega-sites that are deeply invested in elaborate password security systems can do that better than we can as a small team.
- We strive to build a high-integrity community of users. The anonymity you get through email-type login on sites like Craigslist simply doesn’t engender the kind of community or trust we’re aiming for.
- Time is of the essence when your bike is stolen, and we believe it’s faster to sign in with a social network that you are likely already signed into than to have to remember an email address and password that you haven’t used in months or years.
- We respect your privacy and don’t collect or store your social network password, friends list, or other private social network data. (Here’s how to make sure your data is private.)
Want more details? Read on.
What is social login?
To start with, when we say social login, we simply mean that we use the username and password service of popular social networking sites (we currently support Facebook, Google+ and Twitter) to authorize access to your account on our site. Despite how that may sound, this does not mean that we get your social network password or your friends list.
Here’s how social login works:
When you click the login button on our site or in our app, we say “Hey Facebook, someone wants to log in. Can you tell us if they are who they say they are?” Facebook takes over before you enter your user name and password… that doesn’t happen on our website.
Once everything looks copasetic, Facebook lets us know that your login was successful and gives us access to your “basic” public data. Nothing private is shared with us, so nothing private from your social account is stored on our servers.
That’s the first thing we like about using social login. Not only does it mean less boring code to write, but it also means even under duress, we can’t accidentally spill the beans.
We want you to have the best protection on your password.
We could have gone and built our own user login service and invested a ton of time building software to try to make sure we stay one step away from the pirates. But frankly, we are a small team with a lot on our plates. There are only 10 of us here at Project 529 HQ. And building a secure system to receive and store passwords — basically rebuilding the wheel — instead of tackling the problems of how to have the best FREE bike registration and recovery service available was honestly a pretty easy choice. We knew that not everyone would sympathize with our choice, and certainly we aren’t happy to lose them as customers, but the cost to do so would mean delays in our other cycling-related services that we didn’t want to sacrifice.
We really don’t want to be one of those Company Got Hacked headlines that seem to be in the news almost daily. By using Facebook, Google+ or Twitter to log in, you know you have HUGE companies with enormous teams (and budgets and reputations) protecting your password.
We don’t think that most bike thieves spend their time trying to hack into Facebook (they might try to get into our site), and we don’t think that hackers that do get into Facebook are going to spend much time trying to use that information to get into a bike registration service to find information that you’d probably put on a missing bike poster anyway.
Just like with bike locks, there are no undefeatable solutions. But these networks have dedicated teams working on user security and are better equipped to deal with those issues than we are. So, we think it’s in the best interest of everyone if we simply don’t store your password. By using social login, we do not see or store your password, ever. So there’s zero chance of someone stealing it from us.
Here’s why else it’s good for you:
Social login helps us build a more credible cycling community
An account attached to a social network is more verifiable and credible than an account attached to an email address, which means we are building a more legitimate community of cyclists. The fact is that there are ways for bike thieves to potentially game any registration system, and we want to make that as hard as possible.
Picture this: You are a bike thief. You’ve just stolen this sweet ride. You go to our website and register it as your own. You take photos of it with you, you add the serial number. You virtually create “proof” that the bike is yours, even though you are really just a stinky thief. We hate you, but frankly we have no way of knowing that the bike isn’t really yours (unless of course the real owner of the bike was super smart and had already proactively registered it. Then our internal alarm bells go off. Gold star for that bike owner.)
Now, how many times can you do that before we start going, hmmm. That person sure has a lot of bikes. Something fishy is going on. Alarm bells start ringing. And because you are a smartypants bike thief, you get tricky. You decide to create new accounts for each bike you steal. It’s ridiculously easy to do that with a service that uses email-only login. You can do that in just a couple of seconds, and the service you are using would have no way of knowing if the email is brand-spanking new or if you’ve used it forever.
With the 529 Garage, you have to attach a social network. So, first you’d have to create the fake email account, and then you’d have to create a fake social network account and go through whatever confirmation process they require. It’s a lot more work to automate. And, when you use that network to log in, we get a little bit more information from that social network account than we can from an email address, like when the social network account was created. Accounts created within seconds of registering a bike with no friends or followers? In the case of a dispute, that can be used to establish credibility (or lack thereof). We think that’s a decent-sized speed bump to put up in front of a thief.
Time is of the essence
Chances are, it may be a while since you logged in to our site once you’ve registered your bike. In the event your bike is stolen, you’ll want to press our app’s Alert button as quickly as possible. Will you remember a password you set over a year ago? Will you remember what email address you even used to sign up? Maybe, but you’ll be able to log in far more quickly with a service you use regularly than one you’ve logged into only once or twice.
If your bike is stolen, your social networks will be an important resource in spreading the word to keep an eye out for your bike. Part of our Alert system makes it really quick to post to your network (with your permission, always, of course). Logging in with the network just takes one more step out of the process. Time is of the essence when it comes to bike theft.
We believe in your privacy
So, you say, you get that, but you are still concerned about your privacy. Yep, we are too. You are right if you are wondering why we’d need access to your friends list. We don’t. We can share your bike just fine with your network without knowing who we are sharing with. And because of that, we don’t read your friends list. Even if your friends list is completely public and delivered to us on a silver platter. We make a point to only read information from your network that is relevant to our service.
Here’s the information that we get:
Your name, if it is available, from your network
Just because we think it’s more friendly to be able to address you by your name on our site and in any emails we send you.
A default email address, if it is available, from your network
This is the email address you’ll see after you log in for the first time that we ask you to confirm. We do need some way of getting in touch with you, in case our service changes, or to tell you other important stuff (like tips on your stolen bike), but you don’t have to use the one from your social network. You can change it to any valid email address. We just thought we’d save you some typing.
A default postal code, if it is available from your network
Having your “home base” in our system helps us customize the hot sheet and other location-based notifications just for you. Some of the other bike registration services seem to be keen on sharing bikes stolen in Tokyo with cyclists in Dayton. We don’t think that’s a good use of your time or your inbox.
You’ll notice that all of these say “if it is available from your network.” That’s because ultimately, it’s you who determine what our app can see about you.
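An added example (not Project 529’s own code) of the rule above, plus the account-age signal described under “Social login helps us build a more credible cycling community”: keep only the three listed fields when the network supplies them, and derive review flags for use in a dispute. The payload field names, the 300-second threshold and the sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

# The only fields the page says the service reads; anything else is dropped.
ALLOWED_FIELDS = ("name", "email", "postal_code")


def minimize_profile(provider_profile):
    """Return a new dict holding only allowlisted, non-empty string fields."""
    kept = {}
    for field in ALLOWED_FIELDS:
        value = provider_profile.get(field)
        if isinstance(value, str) and value.strip():
            kept[field] = value.strip()
    return kept


def credibility_flags(provider_profile, registered_at, min_age_seconds=300):
    """Flags for human review in a dispute; they never block a registration.

    min_age_seconds is an assumed threshold, not a value from the page.
    """
    flags = []
    created_raw = provider_profile.get("account_created_at")  # hypothetical key
    if created_raw is None:
        flags.append("account_age_unknown")
    else:
        created = datetime.fromisoformat(created_raw)
        if (registered_at - created).total_seconds() < min_age_seconds:
            flags.append("account_created_just_before_registration")
    # A count only (hypothetical key); the friends list itself is never read.
    if provider_profile.get("connections_count") == 0:
        flags.append("no_friends_or_followers")
    return flags


# Constructed sample payload: empty email, a friends list we must not keep.
SAMPLE_PROFILE = {
    "name": "Sam Rider",
    "email": "",
    "postal_code": "97201",
    "friends": ["alice", "bob"],
    "account_created_at": "2015-06-01T12:00:00+00:00",
    "connections_count": 0,
}
SAMPLE_REGISTERED_AT = datetime(2015, 6, 1, 12, 0, 45, tzinfo=timezone.utc)
```

Store only the result of `minimize_profile`; the flags are computed at login time and kept alongside the bike registration rather than the raw provider payload.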
We aren’t evil geniuses trying to game your privacy, but some sites may be, and the privacy settings of most of the networks can be really hard to find or confusing. To help you out, check out our tips on how to secure each of your social networks.
“But what if I don’t have a social network and don’t want one”
We’d love to introduce you to J, our founder, who is also not much of a fan of social networking and isn’t active. You’d dig him. Frankly, none of us are big in the social network circuits. We’d rather be out riding our bikes.
If you want to use the site, but really don’t want to do social networking, we still recommend creating one of the free accounts we support and simply not using it as a social network. If you lock it down really tightly, don’t post to it and don’t follow anyone from it, you’ll have an invisible social network account with no information of import to anyone. If you already trust Google with your email by using a Gmail account, then enabling Google+ with locked down privacy settings wouldn’t be any more of a risk.
Are there other networks we should add that you’d prefer? Microsoft Live or LinkedIn for example? Let us know.
Well, that was a big wall of text, wasn’t it? We know we won’t win over everyone with our reasoning, but we hope it helps you understand why we’ve chosen to go with social as our login solution, and maybe helped make your social network data a little more secure in the process.
As always, we’d love to hear your feedback.