undefined | Better HN

0 pointsRexRollman14y ago0 comments

Mainly, because there is no technical reason for Spotify to do this. I suspect the real reason for situation is some kind of backroom deal that will only serve to fuck over users.

0 comments

bonzoesc14y ago

The technical reason is this way they can outsource all the difficult and annoying account management stuff. No resetting passwords, no CAPTCHAs, they can let Facebook handle that. If somebody steals their database, all they get are OAuth keys that can be revoked, either by the user they're scoped to or by Spotify en masse[1].

1: If there's a Facebook engineer on the App stuff reading this, will this dialog invalidate all OAuth keys?

Reset Secret Key? Are you sure you want to reset the secret key for Pico Oauth2 Test?

If you proceed, access to the API with your old secret will be denied. This operation cannot be undone.

zzleeper14y ago

Do you REALLY believe that? Spotify is not a little tiny startup starting from zero. They already have a pwd mgmt system, captchas and so on. Given that they are not that small either, alienating just 0.5% of their user base may be enough to offset any "outsourcing gains"

stickfigure14y ago

I can't speak for the guy above, but I certainly recognize some valid technical reasons. If Spotify wanted to offer a Pandora-like limitation whereby each free account only gets X hours of music, they have a strong reason to inhibit users from creating multiple accounts. Perhaps it's just too easy with local logins; yes, people can create multiple Facebook accounts, but maybe this adds enough friction to the process to reduce the violation rate to acceptable levels.

The "14-days abroad" limitation for free users might be the issue. Perhaps people were just creating 2nd and 3rd and 4th etc accounts.

Aside from this, there are still valid technical reasons to abandon local login. Just because you have a capcha, forgotpw, etc system written doesn't mean there aren't benefits from getting rid of it - including the portion of the support staff responsible for "I can't log in" problems. And if they used multiple OpenID providers? Expect to hire more.

I'm not saying that this is the reason Spotify is doing what they did - I don't work for them. But it's certainly plausible that going FB-only is being done for technical reasons, and I expect they have a pretty good idea of what they're gaining and losing by making this decision.

j / k navigate · click thread line to collapse