HACKER Q&A
📣 santah

Is “sign in with Facebook” dead for indie developers?


On my service - https://next-episode.net - along with signing in with username and password, there is an option to sign in with Google and Facebook.

3 days ago, I get this email from Facebook "Complete business verification for Next Episode" which notifies me that my Facebook app (which handles the Facebook login functionality) now needs to be connected to a verified business account.

This is where they announced this back in February: https://developers.facebook.com/blog/post/2023/02/01/developer-platform-requiring-business-verification-for-advanced-access/

Now, going through the steps of filling out my name, address, phone number etc, I checked the "How we use your information" link and in it, it said "In certain cases, we'll update your publicly available Page Transparency information with some of the details you confirm during verification".

In the Page Transparency information page: https://www.facebook.com/help/323314944866264/ it says the information about the owner may include "The Confirmed Page Owner's verified legal name and registered city, country and/or phone number". Later on, on the same page, they say you can remove (or request to remove) some of the information visible there, but they never specify which information you'll be able to remove.

Anyone with an experience with this? I don't want my address and/or phone number publicly visible, so what are my options here?

For now, I have removed the option to sign up with Facebook (existing users can still use it to sign in) and I plan to completely remove it (by the time the December 11th deadline comes around) notifying users about the change upfront and giving them the option to switch to Sign in with Google or with username and password.

  👤 mdrzn Accepted Answer ✓
I would remove the FB option, maybe add some other services (like Discord or Twitch or whatever) just to offer different options.
👤 edent
It depends on what level of access you want. My app just uses basic verification - I get to see the user's name, Facebook ID number, and photo. That's it.

I don't have to provide any of my personal data as a developer to Facebook. I do have to provide a privacy policy. I haven't received a similar email to you.

As that blog post says, Business Verification is required for "Advanced Access".

So, if you can, change the level of access that you need. If all you're using Facebook for is an identity provider see if you can drop the number of permissions you're requesting.

If that fails. Get a cheap disposable SIM and use that as your phone number for Facebook verification.

👤 andrewfromx
Yeah and to sign in with apple on your website, you MUST have an ios app in the app store. i.e. pay $99 a year.
👤 NoZebra120vClip
I don't know what country you are in, but if you are concerned about a phone number and postal address, there are myriad ways to obtain both of those which can effectively obscure your location and identity.

  * Get a Google Voice or other VoIP provider.

  * Get a burner cell phone.

  * Get a business account with your PSTN provider and run an Asterisk PBX or something.

  * Obtain a PO Box at your US Postal Service, UPS Store, or an independent provider of boxes.

  * Identify a coworking space where you can receive postal mail, and use its address.
Since you are a business, (you are a business, or just an "indie developer"?) then you should be able to establish business-class accounts in this manner and satisfy Facebook's requirements. They do not seem overly onerous.
👤 bcx5k15
> Anyone with an experience with this? I don't want my address and/or phone number publicly visible, so what are my options here?

Depending where you are, you may already be required to share this information, for example any business here in the UK must have their company registration number , registered office address, and contact (email and post) details, on any website.

👤 toomuchtodo
Could you switch to just using passkeys instead of Google, Apple, or Facebook federated identity? This eliminates the risk of storing passwords, and also doesn't create a dependency on one of the companies mentioned. You'll still need to store username, email, or both, depending on your use case. You can also create a code path that will transition accounts from federated identity to self hosted with passkeys as well.

https://passkeys.dev/docs/tools-libraries/libraries/

https://passkeys.directory/

https://www.corbado.com/blog/user-transition-passkeys-expert...

👤 seydor
Same here.

For transparency reasons I will also be listing Mark Zuckerberg's phone, postal and residence address on our contact page (100% of the support requests we get are about facebook problems anyway)

👤 lifechoseme123
This may be what you're looking for.

Something like OAuth2 or OICD "Permission Scopes" -- the permissions that a user can grant your app, just prior to their accepting the log in via that particular social-media authentication provider.

https://developers.facebook.com/docs/permissions/reference/

Here are examples:

https://www.loginradius.com/blog/engineering/facebook-authen...

👤 gmerc
Every year september / october FTC compliance push happens - and your product will get randomly flagged and disabled by AI.

This year, there’s gonna be even fewer humans to correct the madness. Not having FB login is a mercy, not a mistake.