Trust Without Passwords

Security need not deter users

A product entrepreneur (and Uber driver) recently pointed out to me why I like Philz Coffee: they serve you first and you volunteer to pay on your way out. No one would stop you from walking out without paying. Customers trust you and they want it to be reciprocal. Passwords are the friction point where the business is saying, “I think I remember you but just show me some ID.” We’ve all experienced it, from purchasing an alcoholic beverage to buying something spendy at a mall. The only reason I pay ClearMe $100 a year is not because it is faster at SFO Terminal 2, but because the concierge treats me with more respect than the TSA. They welcome me back. They know me. The machine announces “You are now clear” as soon as I walk up to it.

Passwords are the new paywalls. They keep users out. Your service simply is not important enough for anyone to remember your password rules, username convention, or which email address they used to sign up for it. If you think it’s not affecting your monthly active user count, I suggest you spend more time with your users. How many apps are on their mobile devices? How many email accounts do they have? How many jobs have they had in the last 3 years? How often are those passwords required to rotate? It’s hundreds of unique combinations of usernames and passwords. If a user resets a password logging into an app on a new iPhone, they have to change it on perhaps a tablet and at least 2 computers. Will they even remember that password when they open your app on an iPad, or just reset it again? I’ve been observing the latter.

Security is not exempt from innovation. Doing what we did 20 years ago is not better security. 12 character passwords are not better security. Software RSA tokens are not better security. Delight your customers by finding new ways to recognize them instead of regressing to old ways of guarding them.

I’ve frequented businesses for years where the owners only knew one piece of PII about me: my first name. I prefer online shopping at Amazon.com because they remember a lot about me without asking me for proof. I can use 99% of the site without authenticating. I can add items to my cart which transcend browsers and devices, reappearing later, all without an active session. This is not a new but understanding why it is satisfying is critical to replicating and evolving this experience.

I propose we never ask users to create another password again. Ever. For anything.

How simple can your app signup flow be? How about a single button that says “create account” and requires no user input. Read the phone number out of the contact list. Send down a session ID to the device valid for 30 days. When it expires, SMS the user a 6 digit code. Ask them a second question like “which of these artists do you listen to” or “which of these items do you own” as a second factor.

OpenID and delegated authentication through popular email and social media sites doesn’t address the problem. I have no less than eight (8) accounts on Quora because the site is quite good at bouncing out every user until they show an ID — I have 5 email and 3 social accounts. I wonder if they have a patent on this terrible user experience because they could sue nearly every website operator for infringement. We all had AOL identities in 1998. It’s not relevant nor convenient today because we don’t login to AOL any longer — social identity is an ephemeral identity. It’s not safe to assume any more than 50% of your serviceable addressable market has a Facebook account. If you don’t want those users,your competitor will pick them up.

We spend gut wrenching amounts of time building perfect pixel apps and A/B testing in app behaviors. But the front door to our site is about as friendly as the TSA checkpoint at the airport. Spend your next release putting a pineapple out front. Find new ways to welcome and delight your returning customers.