Overauthentification of the web
For a while now, there’s something that has been getting to me… And it’s probably been buggin’ you too. Actually, I’d even bet on it.
How many times a day are you prompted to enter a username and password? One is too many. But, if you’re a power-user, it’s probably more like ten. I’m a hyper-user of the web, so over the past week I’ve tracked my sign-ins.. The results blew me away: on average, I sign-in 14 times a day. One day, I measured 21 sign-ins!
That’s way, way too many. And it’s worth making a stink about. Here’s why…
Every interaction that people have results in a “user-experience”. The more interactions there are, the easier it is to observe, describe, and analyze the net effects of an experience.
For example, billions of people have eaten at some McDonalds restaurant around the world. Even though all of these restaurants are, in some sense, different — they are in different countries, have different layouts, different employees — there is still such a thing as an universal McDonalds user-experience. We, the McDonalds audience, pick up on all this we’re savvy enough to discern what elements of an experience are anomalies particular to our specific context (the mob surrounding the location that Justin Bieber just walked into), and what elements are universal, shared with countless others consuming the McDonald’s user-experience world-wide. This perceived sense of universality reflects directly on a (in this case, unsavory) brand.
In much the same way as it happens offline, every app, every page, every destination on the internet results in a user-experience. When the creators of these experiences invest time, talent, and resources in optimizing these experiences, users feel loved. The best destinations are the best because they have the best user-experiences.
So far, I’ve just been setting the stage… Nothing I’ve said should come across as particularly novel. But here it comes, now I want to make my point.
There’s such a thing as a meta user-experience. (#metaUX)
What is a meta user-experience? A meta user-experience describes what takes place in the spaces between destinations, or within a destination, but as a result of the broader contexts surrounding it — the neighbors, the ecosystem, the environment, etc.
Let’s point to some examples we’re all familiar with.
A lock on a door. While the lock has been designed as part of the user-experience of the door, it does not exist because it makes getting in and out more enjoyable, in fact, it makes it less enjoyable. It exists because of the context in which that door operates. It keeps people out. Who? Why? That depends on context.
A shop in a bad ‘hood. Aside from their own safety, why don’t more people shop in bad ‘hoods? Because the shops have metal bars over their windows and doors. Because windows are broken. Because graffiti and trash is everywhere. Even if you had an incredible destination, the context creates a horrible meta user-experience.
A student who loves college but hates school. A paradox like this — where the user dislikes the core service, but loves the overall experience — can only be explained by looking at the context. Greek life, sports, the social scene — these surrounding user-experiences, and their relationship to each other, can make the overall experience wonderful. So even if the student says “I hate school” every day and thinks that “school sucks” — the spaces and experiences surrounding school, and the relationships between them, create a meta UX that is enjoyable.
Which brings me back to the constant nuisance of logging in all the time.
Perhaps its an instance of the tragedy of the commons, because there usually isn’t anyone responsible for the meta UX. Nobody owns the spaces between… Nobody owns the broader context they help create… But it affects everybody and everything. And it results in reactive behavior and a poor meta UX.
For example the existence of malicious hackers is a very real burden on the entire internet, and the economy. The amount of cash that flows through the security world to create preventative measures, the digital equivalent of locks, is staggering. That money could flow elsewhere, and it makes the internet a less friendly, less easy place.
How do we fix this?
Well, first, let’s recognize that freedom is to blame. Freedom is what makes the internet an extraordinary place for creativity and expression. It is decentralized. Nobody owns it. That’s why it is so vast, that’s why it has proliferated so broadly. But, that’s also why there’s room for abuse.
In free and decentralized systems, meta user-experience tends to be a problem. So let’s think about how to resolve it. Here are my ideas…
I can think about two broad ways of approaching the problem, through platform-level enhancements on browsers and on operating systems.
On operating systems. This is, by far, the best solution, in my opinion. I think that Apple’s integration of Twitter into iOS is a big step in the right direction. OS Lion and iOS (the only operating systems that I care about at all) should have operating system level authentication and permission controls for every web-based service and local application, so that YOU control how often and when you are prompted to sign in.
On browsers. This is the next-best alternative. Imagine if Apple’s Safari and Google’s Chrome had a whole top-level dashboard dedicated to authentication. You could keep track of all your log-in information, across all of your profiles, in one place. And you can control how often you want to re-authorize them. If you only want to re-authorize ALL of your profiles once a month, then you do it on the browser. They could release an API, and apps could start calling the browser for authentication, instead of the user.
While Facebook, Twitter, Google, and OpenID are all competing to be the web’s single sign-in service of choice, but let me be clear, I do not think this solves the problem! In fact, it aggravates it — because if you juggle multiple accounts on these services, you need to first log out of them, and then log back in on the one you desire to use. AND because most services ultimately want you to integrate with your whole social graph, so you’ll end up signing in to the others anyways. Most importantly, it doesn’t solve the repetition problem — I hate using Facebook Connect every time I want to connect to an app. Oh and I hate being forced to either have a pop-up (from FB connect) or to have my browser auto-jump back and forth to Facebook, Google, or Twitter. It is annoying!
By far the biggest reason why this is not a solution is that it still requires a sign-in step. The ideal solution would get rid of this all together, and just monitor authentication by making calls to APIs on a higher — browser or operating system — level. Instead of the web app or OS app booting you, it would just prompt the browser or OS to take care of it. This makes far better sense.
That’s my idea for the day!