Quora: How third-party auth can go horribly wrong

A while back, I requested an invitation to Quora, a newfangled question-and-answer service. Yesterday, I got my invitation email, and clicked on the link.

I vaguely knew that Quora was doing vaguely social things, so I wasn’t surprised to see the account creation flow lead up with a Facebook Connect prompt (with Twitter as an option). Here’s that page:

Quora_1

I clicked on the more link, and read some nice words about what Quora will and won’t do with their new powers over my accounts. I’m not sure a teeny-tiny more link really cuts it, but it’s something.

So, let’s connect with Facebook! So far, so normal, I’ve you’ve seen one of these before.

Quora_3
Next, I finish up the Quora side of account creation. Quora displays a Facebook-derived picture of me (plus my full name). The latter is clearly editable, the former — unclear? Anyway, this screen confirms what I suspected but wasn’t really clear on, which is that Quora has it’s own account for me which is linked to my Facebook account, rather than solely using my Facebook account. This could confuse folks: that Facebook logo in my picture is awfully close to the “New password” field, possibly leading to a misimpression that I’m changing my Facebook password. Let’s forge on.

Quora_5

I have no idea what this means, and the alert dialog is disconcerting. I sense trouble, but click OK and try again.

Quora_6

Oh my. Twitter too? Of course, since OAuth 1.0 works differently from Facebook Connect, I’m seeing a Twitter page rather than a wee pop-up dialog. But that’s “normal” these days. Why is this coming up, though, as I selected account creation with Facebook Connect? I did play with the toggle a bit, so it could be a bug, but it’s also possible Quora just wants both connections and is being heavy-handed about it.

What the heck. Let’s OK it, and forge on.

Quora_7

This stays up for a while. That’s probably not good. Eventually I click the “click here” link, with a distinct doom-ey feeling.

Quora_8

Yep, blank page showing code. Always good. Hey, I wonder if something is going on in another tab?

Quora_9

Well, that’s a little better. It’s an actual web page, with the logo of the site I dimly remember trying to create an account with. (Normal people would have given up long ago, of course. Designers, we take screencaps of the carnage. It’s an unsavory habit, like ambulance chasing.)

At this point I start doing the usual flail-ey reloading of this and that tab and etc. I get one of these:

Quora_10And, after more clicky flailing, I eventually I get a proper page which seems to indicate that I have created an account. Hooray!

Quora_11

Now, why is this interesting? It’s not that a startup might have some goofy bugs. That’s normal, and presumably Quora will fix them. (It’s also entirely possible that my setup was doing me some damage, as it’s often in the weird states that come with doing web work.)

Two things are interesting. First, that was twelve or so screens from invitation to a page I could do stuff on. Even removing about half of them as optional or caused by bugs or whatever, that’s a hugely long account creation flow. And so drop-off must be huge, why, I bet if Quora measured it …

Ah. But they can’t! At least, not completely or easily. And that’s the second thing. Because the flow is not entirely under their control. In fact, I just spent a good amount of time on other sites domains, with their branding and UI. Also, complexity. There were so many access tokens whizzing back and forth in the ether during this process it was like a snowball fight.

It’s hard enough designing and developing an account creation flow that you have complete control over. But when you hand over critical bits of it to third parties, you lose control, and you increase complexity. When you increase complexity and reduce control, you make it more likely something will go horribly wrong and simultaneously harder to diagnose and fix the thing that went horribly wrong.

There are lots and lots and lots of benefits to linking third parties to your application. But there’s a cost as well.

(Also, in case it’s not clear, this post isn’t meant to beat up on the fine folks over at Quora. I’m trying to make a general point, and they just had a blip at an opportune time.)

4 thoughts on “Quora: How third-party auth can go horribly wrong

  1. All very good points. But on the other hand, I suspect the harvest they reap from all those social connections makes the drop-off rate worth it. They’re ensuring people have friends on the network the moment they begin. Must implement on http://yoomoot.com

  2. Hi James,
    I’m sorry you had a bad experience. You happened to sign up right in the middle of a period where we had some pretty bad site issues, and not much was working on general during that hour.
    Things are back to normal now, and we hope to keep them that way. We also think that there’s room for improvement in our signup and setup process even when nothing is broken, so we’ll keep working on that.
    You’re right that there are some tradeoffs when integrating with third party sites, but we’ve found that the connections to people and things, etc. that services like Twitter and Facebook provide can help make a better experience for new users.
    C

  3. Hi Charlie! Thanks for the note — I wasn’t that frustrated, and I completely understand that these things happen. I’m just very interested in the pros and cons (and failure modes) of third party integrations, and your site happened to have an interesting hiccup at just the right (or wrong) time.

Leave a Reply