The Ageing User Authentication Paradigm

Aarron Walter over at MailChimp has a good assessment of the Twitter, Facebook et al. login buttons that have become common all over the web. He makes a convincing argument that these social login buttons do more harm than good. But if we take a step back, there is a more interesting story in there.

From April 12 to May 12, 2012, we had 340,591 failed login attempts. That’s the total number of times someone tried to get into MailChimp to get their work done and couldn’t remember their username and/or password, or simply mistyped. Think of how much wasted time and frustration that translates to.

The reason MailChimp turned to third-party OAuth logins in the first place was to reduce that high number of login failures. While they have had some success in bringing the failure rate down (attributed to better copy and improved error handling), the number of failures remains high enough to be a cause for concern. And MailChimp is hardly alone in this regard.

The traditional username + password authentication paradigm has served us well over the years. It is almost second nature to any seasoned web user today. In fact, it is so widespread that you need not be an expert to recognise the poor experience and the flimsy security it provides.

Of the people who struggled logging in, 68,145 had to resort to resetting their password, and 38,137 had to get a reminder about their username.

Think of what it demands: coming up with memorable credentials while also making passwords cryptic (the two pull in opposite directions), keeping them confidential at all times, not seeing what you are typing, and remembering the right combination of service, username and password (and, at times, password recovery answers) for every account you have created. Add to that identities that are easily stolen, the growing susceptibility to brute-force attacks against passwords short enough to remember, and above all the general inconvenience of getting to your own data.

None of this is a revelation. Designers and engineers have long been aware of this less-than-stellar situation, and various efforts to address it have been made over the years. Incremental usability improvements such as not asking people to re-type their password during sign-up, letting them see what they type, and using email addresses as usernames have definitely helped. So have efforts to fundamentally replace the username + password system, such as OpenID and OAuth-based social login (OAuth is strictly an authorization protocol, pressed into service for authentication) and the like.

Unfortunately, none of the replacements has been as successful as the system it was trying to replace. Yet the need for one is more dire than ever. More people are using the web and putting their information online than ever before, and our existing authentication process is intrusive, inconvenient and not entirely secure. There are encouraging developments like Mozilla's Persona (née BrowserID) and the push for 'no passwords', but it is early days still and the ground is very much open for a sweeping change.