Passwords and online authentication

I don’t really Tweet or write blog posts, but after following tweet by a Finnish politician (in Finnish sorry), I had to register to both Twitter and Medium to write a correspondence.

So Mikael is worried that a Finnish department store’s website is asking passwords, and in later tweets he compares it to Apple Store usability. I haven’t tried Stockmann’s website even, but I assume that it will ask for your username/email and password, each time you use it. It might or might not remember the credentials for longer time. Also I expect that Stockmann has developed with user authentication on their own and are not using any 3rd party services. This is very typical way of doing this.

Operating system and Ecosystem players

One should not compare user experience (UX) offered by companies such as Apple, Google or Microsoft (or Nokia in the past, sniff)! They own our mobile devices and computers, and pretty much get to decide what apps are installed and how credentials are stored/accessed.

i.e. With iPhone when you start using the phone for the first time, you will create Apple Account, and connect to iCloud using it. After that all Apple made applications will use those credentials, and they are guarded by phone’s PIN-codes and maybe fingerprint locking. Apple does not allow 3rd parties to use it’s authentication.

Androids behave the same, but Google does allow other parties to use Google authentication.

Pros of using 3rd party authentication

If user is already a user of particular service (Google, FB, Twitter), and logged in with current device, it is just simple 1–2 clicks and user is signed in. One can trust that email user provided has been verified previously, so it is more convenient to the user.

Cons of using 3rd party authentication

You are no longer fully in charge what happens in your user experience as you need to include their Javascript library into your website, for the initial login user gets thrown to another website.

In addition those libraries will gather information about your website/app users to their endless data warehouses. They tend to do this even after the authentication has been done. Then this data will be used when they target ads to their (your) users on another websites. This I think is the biggest reason why not to user 3rd party authentication (for both users and companies).

What can be done to have as good UX as possible

Save credentials for long time

From user’s point-of-view this seems to only depend on how easy/fast it is to login, and how often it needs to be done. It is fairly easy from development point of view just to remember the authentication token. After you have signed in once, then your are signed in always after that. The user should be happy.

Problems begin if the device is used by children or friends, and they can do something potentially harmful with it. To fix this, the harmful actions (in case of web shop new orders and order canceling) would then need to be confirmed by mobile-phone action or entering credit-card’s CVV code for example.

Email login

No need for passwords if the user each time needs to login using a magic-link in an email. Due to old non-secure email-protocols, this isn’t always safe (depending on user’s email clients). Also in mobile use, it’s often difficult for users to access the correct email, so this might cause churning.

Notify new logins

As additional security measurement it is always good to notify the user when logins from new devices and/or locations occur (like many services now do).

Better safe than sorry

For really strong authentication needs (banking, voting, etc), the current (web + mobile) 2-way authentication each time is required.

In future there might be some chips embedded under our skin + some dedicated readers for them to do this action quickly.

Similar things can be already achieved with user-certificates, but if user’s computer is hacked, then it would be very unsafe. So combination of 2 devices + some secret is optimal.

Show your support

Clapping shows how much you appreciated Simo Tuokko’s story.