
A sign-in nightmare.

Recently, I downloaded an app called “trōv”. Trōv is an app that lets you take an assessment of your possessions and insure them on demand. Initially, I discovered the app on a whim. I began to add some of the items in my home that I wanted insured. When I downloaded the app, I chose not to opt-in to push notifications. After a day or two of using the app, I forgot about it. Nearly 6 months later I decide to launch the app and check the appraisal value of my possessions.

The app opens and I am greeted with a pesky login screen. Apparently, the app automatically updated and signed out of my profile. Immediately, I must choose between trying to figure out whether I signed up with my Facebook account or my own email address. I first choose login with Facebook. I go through the paces and after signing in I realize that I never set up an account with Facebook. Growing frustrated, I deactivate the account that was just created and try another email and password combination and tada! I’m back in the account. All of my items appeared.

What is the lesson here? The concept of a username and password needs to die. Trōv was seconds away from losing a customer permanently. If I hadn’t figured out what my username and password were, I was going to delete the app for good. After all, it was a spontaneous download. To be fair, Trōv is just following a very popular design practice that has been ingrained in our minds for far too long.

Only the IT department enjoys passwords.

If you ask users to create a profile with a secure password, you might be slowly digging the grave of your app. A new app is hard for the average consumer to make a habit, especially when the decision to download it was spontaneous. Research shows that one in four apps is abandoned after its first use. That means if a user decides to use your app again, any obstacle will kill the user’s interest once and for all.

Passwords are obsolete.

A password was originally meant to protect your information from being accessed by unauthorized individuals. Unfortunately, a password does not protect your account from being accessed by a hacker. Built on this false assumption, passwords have become extremely cumbersome and hard to remember. Everything from answering three security questions to enabling two-factor authentication, along with pairing symbols with numbers and letters, has rendered passwords useless. As creatives, it’s time we re-think the user authentication experience. How can we secure user accounts without requiring users to remember complicated passwords? How can we simplify the registration process while gathering the information we need to keep the account safe?

Some have tried to simplify authentication.

There have been efforts from companies to make this process easier. The team at Slack knew that this could be a potential issue and they came up with a nifty feature called a “Magic Link”. All you have to do is enter your email address, and within seconds you will receive a link in your inbox that contains all of the verified information needed to log in. Simply click the link and you’re in. And most importantly, it remembers the information the next time you sign on.

Slack's Magic Link
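The security of a magic link rests on three properties the paragraph above glosses over: the token in the link must be unguessable, it must expire quickly, and it must work exactly once. The following is an added example of such a flow (not Slack’s code; the store, URL and 15-minute lifetime are assumptions) that keeps only a hash of the token server-side, so a leaked store cannot be replayed as links.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Assumed lifetime: a link delivered by email should die within minutes, not days.
TOKEN_TTL_SECONDS = 15 * 60

# Constructed in-memory store: sha256(token) -> (email, expiry timestamp).
# A real service would use a database, but the principle is the same:
# only the hash is stored, so the plaintext token exists only in the email.
MagicLinkStore = Dict[str, Tuple[str, float]]


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_magic_link(store: MagicLinkStore, email: str, base_url: str,
                     now: Optional[float] = None) -> str:
    """Mint a random, time-limited, single-use token for `email` and return the link."""
    now = time.time() if now is None else now
    # 32 random bytes (256 bits) from the OS CSPRNG; never derived from the email or time.
    token = secrets.token_urlsafe(32)
    store[_digest(token)] = (email, now + TOKEN_TTL_SECONDS)
    return f"{base_url}/login?token={token}"


def token_from_link(link: str) -> str:
    """Extract the token query parameter, as the login endpoint would."""
    return parse_qs(urlparse(link).query)["token"][0]


def redeem_magic_link(store: MagicLinkStore, token: str,
                      now: Optional[float] = None) -> Optional[str]:
    """Return the email to sign in, or None if the token is unknown, used, or expired."""
    now = time.time() if now is None else now
    # pop() removes the entry on first use, so a replayed link fails.
    entry = store.pop(_digest(token), None)
    if entry is None:
        return None
    email, expires_at = entry
    if now > expires_at:
        return None  # expired tokens are discarded, not honoured
    return email
```

After a successful redeem the service would set a long-lived session cookie, which is the “remembers you next time” behaviour the post describes.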

Most native apps on iOS are beginning to integrate with Apple’s Touch ID. Touch ID is a feature that works with any Apple device that contains a biometric scanner. Simply scan your fingerprint and the device will authenticate whatever you’re trying to access if your fingerprint matches the fingerprint on file. There are a few drawbacks with this feature. For example, if you are setting up a new device, you have to add your fingerprint. But if you restore the device from a backup, the fingerprint is lost. There has got to be a way to securely store your fingerprint data along with your passwords in iCloud. Another drawback is that even though you may authenticate yourself at the lock screen of your device, you still have to enter passwords for apps once the device is unlocked.

I ran across a Swedish tech company called Yubico. They’ve created a USB/NFC security “key” that promises to securely sign you into any app. Yubico is basically a two-factor authentication generator that works with most password manager apps on your phone or PC.

Two-factor authentication, simply put, requires the user to enter their username and password, and then enter a randomly generated code that is often delivered through a text message or produced by a code generator.

yubico key 4

To use it, you are required to set up the Yubico key with the password manager on your phone or any desired website that supports single sign-on, such as Dropbox, Facebook, or Google. If you are using a Mac or PC, all you have to do is insert the USB key and press the button, and it will log you in. If you’re using an iPhone or Android phone, you must have the key with you at all times. To use it on your phone, place the key against the back of your device (near the NFC sensor) and tada! You’re in.

While this service looks promising, the concept of two-factor authentication in addition to a username and password that most people already forget renders this solution useless.

Security needs to be more intuitive.

Security should be easier to interact with. In an ideal world, Apple’s macOS and iOS, Microsoft Windows, and Google’s Android OS would improve their cloud-based password managers. Biometric sensors on the device need to interact more closely with the system-level password manager.

Password Cloud Manager

  1. Whether you use Apple, Android or Microsoft devices, the login authentication activity should be shared securely across devices through the cloud. All native and web apps need to be able to communicate with the cloud-based, system-level password manager and store the secure login in the cloud.
  2. If a biometric sensor such as the fingerprint scanner is successfully used by an authorized user, all apps should automatically be authenticated once you unlock the device, until the device is locked again.
  3. To manage this, you should have access in the settings area of the operating system. The user should be able to add usernames and passwords to their respective Apple, Microsoft, or Google cloud account, and all apps will log in on your behalf as needed (even if the developer has not updated their app to integrate with a biometric scanner).
  4. If the user is using a computer without a biometric sensor, the mobile phone, whether Android OS or iOS, should offer the option to log in with the built-in biometric sensor on the mobile device.

Thankfully, Apple and Google are moving things in this direction. But there is still a lot of progress to be made. According to this article on The Verge, Apple might be doing away with social-network system-level logins, which means that what I just described above will be even more of a need for users. If you have an app or a website where your customer is required to sign in, take the extra time to integrate a “magic link” like Slack’s or biometric scanners so that your customer doesn’t have to fumble around with lost passwords. Trust me, they’ll love you for it!