Ask HN: Is “sign in with Facebook” dead for indie developers?

25 points by santah 2 years ago · 15 comments · 2 min read


On my service - https://next-episode.net - along with signing in with username and password, there is an option to sign in with Google and Facebook.

3 days ago, I get this email from Facebook "Complete business verification for Next Episode" which notifies me that my Facebook app (which handles the Facebook login functionality) now needs to be connected to a verified business account.

This is where they announced this back in February: https://developers.facebook.com/blog/post/2023/02/01/develop...

Now, going through the steps of filling out my name, address, phone number etc, I checked the "How we use your information" link and in it, it said "In certain cases, we'll update your publicly available Page Transparency information with some of the details you confirm during verification".

In the Page Transparency information page: https://www.facebook.com/help/323314944866264/ it says the information about the owner may include "The Confirmed Page Owner's verified legal name and registered city, country and/or phone number". Later on, on the same page, they say you can remove (or request to remove) some of the information visible there, but they never specify which information you'll be able to remove.

Anyone with an experience with this? I don't want my address and/or phone number publicly visible, so what are my options here?

For now, I have removed the option to sign up with Facebook (existing users can still use it to sign in) and I plan to completely remove it (by the time the December 11th deadline comes around) notifying users about the change upfront and giving them the option to switch to Sign in with Google or with username and password.

toomuchtodo 2 years ago

Could you switch to just using passkeys instead of Google, Apple, or Facebook federated identity? This eliminates the risk of storing passwords, and also doesn't create a dependency on one of the companies mentioned. You'll still need to store username, email, or both, depending on your use case. You can also create a code path that will transition accounts from federated identity to self hosted with passkeys as well.

https://passkeys.dev/docs/tools-libraries/libraries/

https://passkeys.directory/

https://www.corbado.com/blog/user-transition-passkeys-expert...

seydor 2 years ago

Same here.

For transparency reasons I will also be listing Mark Zuckerberg's phone, postal and residence address on our contact page (100% of the support requests we get are about Facebook problems anyway).

edent 2 years ago

It depends on what level of access you want. My app just uses basic verification - I get to see the user's name, Facebook ID number, and photo. That's it.

I don't have to provide any of my personal data as a developer to Facebook. I do have to provide a privacy policy. I haven't received a similar email to you.

As that blog post says, Business Verification is required for "Advanced Access".

So, if you can, change the level of access that you need. If all you're using Facebook for is an identity provider, see if you can drop the number of permissions you're requesting.

If that fails, get a cheap disposable SIM and use that as your phone number for Facebook verification.

  • santahOP 2 years ago

    Yeah for now, I use "Advanced Access" to get the user's email address and pre-fill it so they only need to create a username.

    Also these email addresses are automatically set verified (no need to go through the email verification process).

    I guess I can make it work without the "Advanced Access", but it'll be a lot more cumbersome and I wonder if it's worth it.

gmerc 2 years ago

Every year in September / October an FTC compliance push happens - and your product will get randomly flagged and disabled by AI.

This year, there’s gonna be even fewer humans to correct the madness. Not having FB login is a mercy, not a mistake.

NoZebra120vClip 2 years ago

I don't know what country you are in, but if you are concerned about a phone number and postal address, there are myriad ways to obtain both of those which can effectively obscure your location and identity.

  * Get a Google Voice or other VoIP provider.

  * Get a burner cell phone.

  * Get a business account with your PSTN provider and run an Asterisk PBX or something.

  * Obtain a PO Box at your US Postal Service, UPS Store, or an independent provider of boxes.

  * Identify a coworking space where you can receive postal mail, and use its address.

Since you are a business, (you are a business, or just an "indie developer"?) then you should be able to establish business-class accounts in this manner and satisfy Facebook's requirements. They do not seem overly onerous.

  • santahOP 2 years ago

    Not in the US, but yeah, I may be able to get a phone and an address through some 3rd party service(s), but I'm not sure it's worth the overhead, especially if it's just to pass the verification (and potentially users would not be able to really get in touch through them).

  • andrewfromx 2 years ago

    Trying to use Google Voice SMS to verify 6 digit codes is like a 50/50 shot. Some sites allow VoIP, some don't. Without getting a full burner cell phone, is there a service that lets me get a REAL SMS number?

    • NoZebra120vClip 2 years ago

      I don't understand your criteria. SMS is a cellular service. Do you want a mobile phone or not?

      Also, you are not the OP. Does "Sign in with Facebook" require verifying TOTP codes? Never ever use SMS for TOTP. Register a real authenticator or Yubikey instead.

lifechoseme123 2 years ago

This may be what you're looking for.

Something like OAuth2 or OIDC "Permission Scopes" -- the permissions that a user can grant your app, just prior to their accepting the log in via that particular social-media authentication provider.

https://developers.facebook.com/docs/permissions/reference/

Here are examples:

https://www.loginradius.com/blog/engineering/facebook-authen...

bcx5k15 2 years ago

> Anyone with an experience with this? I don't want my address and/or phone number publicly visible, so what are my options here?

Depending where you are, you may already be required to share this information, for example any business here in the UK must have their company registration number, registered office address, and contact (email and post) details, on any website.

mdrzn 2 years ago

I would remove the FB option, maybe add some other services (like Discord or Twitch or whatever) just to offer different options.

andrewfromx 2 years ago

Yeah and to Sign in with Apple on your website, you MUST have an iOS app in the App Store. i.e. pay $99 a year.

  • Nextgrid 2 years ago

    You may need a paid developer account but I don't believe you need an app. I'm pretty sure I played around with it in the past and managed to get a working implementation without having any published apps.
