What We Think About Passwords
We rethought the classic authentication pattern.
About a year ago, I wrote an article for Smashing Magazine called The Current State of Authentication: We Have a Password Problem.
In it, I talk about the flaws with the username/password authentication model, and I present some viable alternatives.
Really Simple Store’s dashboard is the culmination of everything I think about the current state of authentication. It’s my ideal authentication model for a SaaS dashboard.
There were a few things I knew going in.
- I wanted some form of one-click sign in (for people who will never remember a password)
- I also wanted a way to sign in without opening email (for people who remember passwords)
- I needed to deemphasize the password, without deemphasizing security
We need an instant, one-click sign in because no one can remember all of their passwords. Some people choose not to. This is for them. This also covers people who sign in less often or whose priorities lie elsewhere and have no need to memorize their store’s password.
The thing is, password-less services that only do one-click sign ins become tedious if you sign in and out a lot. People whose main activities are managing their site and store would find it irritating to switch applications every. single. sign in.
We send a one-click link as soon as you get a password wrong. We use the email from the sign-in attempt, so when signing in fails, any frustration is met with a concrete solution:
“Your password is wrong, but no big deal, a one-click sign in link is waiting in your email.”
We take advantage of passwords where they are useful, but ultimately, we deemphasize their importance. First off, we use the term “passphrase.” You can read about passphrases in the article I linked to above, but in short, it’s a more modern version of a password.
We also don’t use password confirmation fields, and we never have password rules (we encourage multi-word phrases, but that’s just a recommendation).
Once someone is one-click signed in, we further deemphasize the password by skipping a password reset prompt. Normally, after clicking a “forgot password” link, people are accustomed to a password reset prompt. We think if someone cares, they’ll reset it through their account settings. If not, they can just use a one-click link to sign in again next time.
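Here is the flow described above as an added example in Python. It is not Really Simple Store’s code; it assumes an in-memory account store, a 15-minute link lifetime, that only a hash of each link token is stored and that each token is single-use, and that a wrong passphrase and an unknown address get the same reply so the sign-in form does not reveal which addresses have accounts.

```python
import hashlib
import hmac
import secrets
import time

LINK_TTL = 15 * 60  # one-click links expire after 15 minutes (assumed policy)


def hash_passphrase(passphrase, salt=None):
    """Salted PBKDF2 hash of a passphrase; no length or character rules are imposed."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)


class Dashboard:
    """Constructed stand-in for the account store and the outgoing mail queue."""

    def __init__(self):
        self.accounts = {}  # email -> (salt, passphrase hash)
        self.links = {}     # sha256(token) -> (email, expiry timestamp)
        self.outbox = []    # (email, token) pairs that would be mailed as links

    def register(self, email, passphrase):
        self.accounts[email] = hash_passphrase(passphrase)

    def issue_link(self, email, now):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.links[digest] = (email, now + LINK_TTL)  # only the hash is kept server-side
        self.outbox.append((email, token))

    def sign_in(self, email, passphrase, now=None):
        """Passphrase sign-in; a wrong passphrase triggers the one-click link."""
        now = now if now is not None else time.time()
        record = self.accounts.get(email)
        if record is not None:
            salt, expected = record
            if hmac.compare_digest(hash_passphrase(passphrase, salt)[1], expected):
                return "signed_in"
            self.issue_link(email, now)
        # identical reply whether or not the address belongs to an account
        return "link_sent"

    def redeem_link(self, token, now=None):
        """Consume a link token: valid once, and only before it expires."""
        now = now if now is not None else time.time()
        entry = self.links.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None:
            return None
        email, expires = entry
        return email if now < expires else None
```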
I’d love to know what anyone thinks about this setup. If you want to try it yourself, spin up a store!