Login systems are broken — the State of the password

The design of the user experience in consumer and enterprise applications usually begins with the quintessential login screen.

Rohan Sandeep
UX Collective


This initial experience has received little design attention beyond making it more aesthetic and usable (large fonts, good contrast) and adding a recovery path for when you forget your password.

Designers and product professionals have given little thought to how it could be made more user friendly, or better matched to human capabilities and preferences.

It makes business sense to understand the user before you design an application. If we did, we would reduce the opportunities for attackers, who are notoriously better at understanding user behaviour than the technologists are. Users would spend less time clicking "forgot password" and trying to recall the answers to secret questions to unlock their accounts.

Design has also missed the larger context: human memory has to cope with many passwords across many applications and tools; the password a user sets for your application is likely to be shared with others, no matter how important you think yours is; and motor memory can be a liability at times. Let me explain.

How users behave

I remember the early days, when hacking was so common, when users put passwords like 'secret' or 'password' on their applications. Hackers just had to use a dictionary of common words to break in.

Users would also use a single password for all the applications they used. One compromised password could then give entry into every other application.

Users visiting a random site that asked for an email address and a password would actually provide their email password, and get hacked.

Muscle (Motor) Memory

Repeated shortcuts for tasks on computers are quickly absorbed into muscle memory. Hence the sense of delight when we watch graphic and 3D artists move through difficult design tasks with ease; it almost seems like wizardry. The same muscle memory is what we rely on to log into our desktop computers and other daily logins.

The trouble is that our password changes every 90 days, and for a few days after each change we type the old one first. It is a little like switching between a Mac and Windows for the same tasks at the same time.

Fast-moving technology standards, little user advocacy

Technology woke up: large enterprises, banks and consumer applications came up with stringent password policies. You needed alphanumeric passwords; they could not include your name or runs of consecutive numbers; you could not repeat your last three passwords. I have even seen a financial application that would not let you repeat your last 12 passwords.

It's getting tougher to remember your password

Then came single sign-on, the friendliest of all the approaches: using a variety of technical methods, you could use your email or enterprise login to get into applications that would otherwise each need a separate login.

In many countries multi-factor authentication became the norm for banking transactions, and consumer and enterprise applications soon caught up.

With the advent of biometrics, everything from fingerprints to retinal scans to face recognition has been used to log into applications.

Some really clever thought has gone into device-based credentials, an extension of single sign-on in which the device holds the strong secret: once you sign in to the device, you are logged into almost everything automatically. This is smart, but you lose control if you lose the device or use several devices.

The heightened security I used on one device would delete everything on your personal phone after three wrong attempts. I have lost all my family pictures three times before I decided I didn't need such a secure life.

The technology industry is catching up fast, and beyond doubt things are getting safer, but is this helpful to the user? While technology learns from hacking exploits and vulnerabilities, there are no user advocates as part of the process.

The state of the password

The password today is really strong; the system won't let you set 'secret' as your password any more. But a typical person like me could log into up to 10 applications a day and probably 50 a week, and use more than 100 applications regularly across formal, semi-formal, consumer and social contexts.

Multiple locks and multiple keys needed

Users now use passwords with a twist: very slightly changed versions of one password to log into multiple applications.
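The policy rules described in the section above (alphanumeric, no username, no runs of consecutive digits, no reuse of the last three passwords) and the "slight twist" habit in the previous paragraph can be checked together. The following is an added example and not code from the original article: the password history is kept only as salted PBKDF2 hashes, and the new password together with its trivial variants (case flips, the trailing number dropped or bumped by one) is hashed and compared against the recent entries. The common-password list, the user's three previous passwords and the candidate passwords are constructed for the demo; the class and function names are assumptions of this example.

```python
"""Password-policy check with a hashed history and 'slight twist' detection (added example)."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set, Tuple

# Constructed stand-in for a real breached/common-password list.
COMMON_PASSWORDS = {"password", "secret", "123456", "qwerty", "letmein"}

HashEntry = Tuple[bytes, bytes]  # (salt, PBKDF2 digest) for one historical password


def has_sequential_digits(pw: str, run: int = 3) -> bool:
    """True if pw contains `run` consecutive ascending or descending digits (123, 987)."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        if chunk.isdigit():
            steps = {int(b) - int(a) for a, b in zip(chunk, chunk[1:])}
            if steps in ({1}, {-1}):
                return True
    return False


def twist_variants(pw: str) -> Set[str]:
    """The variants users produce when 'slightly changing' a password: case flips,
    and the trailing number dropped or bumped up/down by one (Winter2023 -> Winter2024)."""
    out = {pw, pw.lower(), pw.swapcase(), pw.capitalize()}
    m = re.fullmatch(r"(.*?)(\d+)", pw)
    if m:
        stem, num = m.groups()
        out.add(stem)
        for n in (int(num) - 1, int(num) + 1):
            if n >= 0:
                out.add(f"{stem}{n:0{len(num)}d}")
    return out


@dataclass
class PasswordPolicy:
    min_length: int = 10
    history_depth: int = 3         # "you could not repeat your last 3 passwords"
    pbkdf2_rounds: int = 100_000   # raise until one hash costs ~100 ms on your hardware

    def hash_password(self, pw: str, salt: Optional[bytes] = None) -> HashEntry:
        """Salted PBKDF2-HMAC-SHA256; this is what the history stores instead of plaintext."""
        salt = salt if salt is not None else os.urandom(16)
        return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, self.pbkdf2_rounds)

    def _equals_stored(self, pw: str, entry: HashEntry) -> bool:
        salt, digest = entry
        return hmac.compare_digest(self.hash_password(pw, salt)[1], digest)

    def violations(self, pw: str, username: str, history: Sequence[HashEntry]) -> List[str]:
        """Return the policy rules `pw` breaks; an empty list means it is accepted."""
        problems: List[str] = []
        if len(pw) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
            problems.append("must mix letters and digits")
        if username and username.lower() in pw.lower():
            problems.append("contains the username")
        if has_sequential_digits(pw):
            problems.append("contains a run of consecutive digits")
        if pw.lower() in COMMON_PASSWORDS:
            problems.append("is on the common-password list")
        # The history holds only hashes, so old plaintexts cannot be diffed against the
        # new one; instead each trivial variant of the *new* password is hashed and
        # compared with the recent entries.
        recent = history[-self.history_depth:]
        if any(self._equals_stored(v, h) for v in twist_variants(pw) for h in recent):
            problems.append(f"repeats or trivially varies one of your last {self.history_depth} passwords")
        return problems


def demo(rounds: int = 100_000) -> Dict[str, List[str]]:
    """Run a few constructed candidates against a constructed three-password history."""
    policy = PasswordPolicy(pbkdf2_rounds=rounds)
    history = [policy.hash_password(p) for p in ("Winter2021", "Winter2022", "Winter2023")]
    candidates = ("Winter2024", "password", "Rohan-drives-123", "correct-horse-battery-7")
    return {pw: policy.violations(pw, "rohan", history) for pw in candidates}


if __name__ == "__main__":
    for pw, problems in demo().items():
        print(f"{pw!r}: {'accepted' if not problems else '; '.join(problems)}")
```

The variant check only catches the twists the generator knows about; a user who moves from "Winter2023" to "2023Winter" gets through, and widening the generator multiplies the number of PBKDF2 computations per login change. That is the trade-off a policy designer is making, and it is also why the argument above matters: rules that merely push users toward patterns the checker cannot see add friction without removing the underlying habit.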

Users forget and reset passwords more often, and for rarely used applications "forgot password" may be the way they log in every time.

What technology has forgotten is the larger context in which passwords are set. I have Facebook, WhatsApp, several banking applications, enterprise applications, devices and more. Isn't this a big load?

Are users getting harassed?

How capable are we?

We typically remember only about four phone numbers, and we rely heavily on motor memory for daily passwords, logging into the desktop and devices.

Smarter strategies!

Research tells us that short-term memory is not reliable, that repetition builds stronger memories, and that stress plays a big role in how well we remember.

Need for research and design thought

While applications get more secure, doesn't it make sense to recognise that users' memory and decision-making capacity also need to be considered?

Shouldn't designers give the login flow as much thought as they give the visual design of the application, where they work hard to make it aesthetic and usable with large fonts and contrasting colours?

What could be part of this process:

  • Understanding the persona: the user who forgets, has a bad password strategy, loses devices and has too little patience or attention span.
  • Understanding the context: diverse application usage, multiple devices.
  • Understanding the security concerns: which applications are secure and which are not.
  • Leveraging the available tools and technologies, which cut both ways.


Designer with experience in the Healthcare, Life Sciences, Manufacturing, Supply Chain Management and Procurement domains.