Should we embrace magic links and leave passwords alone?
I am a Junior Interaction Designer and during my internship in 2018, I focused on login possibilities. I ran into something new for me: passwordless logins. I thought that this could be a new future for online accounts. I presented the outcomes at the company Hike One and now I am sharing the outcomes with you.
These days we use accounts for almost anything. We got an account to buy clothes, get some discount on shoes, food delivery, and even for awesome free online games. We are flooded with it. Especially by the fact that every account asks for a password that needs to be remembered by our minds.
Passwords ensure us to keep our information safe, but are our passwords that good? Myself, I have a password that I reuse on useless websites. I don’t, but I want to make a point here. These websites don’t have any relevant information, but still. The safety of these accounts will drastically decrease every time I make another account with the same password.
Passwords come and go in different varieties. We got SMS-codes, numerics, and social logins. Besides those, we got several new ones. We got biometric security like fingerprint checks, facial recognition, and even voice recognition. Then there is this new thing, passwordless logins. Just a magic link in your email that directs you to log in.
Username and password
Having a username and password to securing an account is perfect. At least, if this password is unique and complex enough. However, nowadays that isn’t the case anymore. We are lazy animals, all those different applications, gadgets, and services. These things, that bring the food to your door or putting the heat on, ask for new accounts to give you access to the possibilities. How are we managing all these passwords for these accounts?
On average, per human, we have registered 100 accounts to one single email account. You can ask yourself “how we are remembering all those passwords?” You will be surprised. We write them down, try to remember them by the mind, save them in our browsers, or save them in a text file, and the final option is in a secure password manager.
All this results in the fact that we don’t have 100 unique and complex passwords, which should be the case. We are reusing them over and over again. According to Keeper’s numbers, 87% of people between 18 and 31 reuse their passwords. They are hard to remember and papers get lost. Besides that, one good strong password is okay, right? Well, no.
If one account is hacked, then they have free passage through all the accounts with the same password. Even the ones with an extra ‘1’ at the end, or a capital letter at the beginning. Reusing passwords makes sense, you don’t want to do trial and error every time you make a password. All those restrictions are making you crazy. Did you manage to make a hard password that fits the restrictions, then the possibility is high that you will forget it in no time. When this happens it starts all over, asking for a new password and trying to meet all those conditions again.
But who is reusing their passwords more: younger or older people? From the results of ConversionalXL, between the age of 18 and 24, 76% of them reuses a password. Younger people are more often on the internet, games, social media, news, and so on. On the other side, we also have the age of 50 till 64, where 56% is reusing their passwords. Significantly, it is less than the younger ones, but still more than half, what is insane. Reusing passwords isn’t age-related, everyone is doing it.
In brief, the combination of a username and password is a perfect method. However, this is only the case when the password is unique and complex, what most often isn’t the case. I think that this method isn’t perfect anymore in 2018. It causes too much forgetness and that results in reusing passwords. What on its turn results in a decrease in safety. We become lazy, we don’t want to put too much effort into a new strong password. We don’t want to lose time to follow the story over and over again to get a new password.
Your email with a magic link
Logging in through a link in your email is already happening. If we look at Slack, Medium, and even Google, we see that they are trying it. No more self-created passwords, no more passwords. Magic links are made and send to you, so you can log in or register using only your email address. A magic link is a link that is created on a secure server of the website that you are visiting. This link is unique, only once to use, and just for a limited time. It is in this way so secure, that it can replace a password.
Am I, who I am?
Of course, you are wondering if it is safe. How do they know that it is me that wants to log in or register? Can’t just anyone login or register with my email account? Well, no. At least not without access to your email account. I got two examples of how these websites are handling passwordless accounts.
Google uses multiple-factor authentication. If I want to login on my laptop, I enter my email address or phone number. I will see a number on my screen and the assignment to unlock my Google Pixel and answer the prompt.
I have set up — on the first day that I had this device — my Google Pixel as a trusted device, which means that it is really mine and only I have access to it. After trying to log in I need to unlock my mobile phone, what the first authentication is, using my numeric password, fingerprint or voice. After that, I need to confirm the number that is shown on the desktop. On my phone, where are three numbers visible, I have to pick the right one. This is the second authentication. They are asking if I am on the location where I want to login. I need both screens to know which number to tap and verify that it is me that is trying to login.
Medium is pretty much a precursor when it comes to login and register. They give multiple ways to register or login. You can use existing accounts to verify yourself or you can use your email address. Alright, so, this ain’t that new right? Well, try to register or login with your email address. Here is the magic stuff. They ask only your email address. You get a magic link, and voilà, you are logged in or registered. Pretty awesome right? Just one click, type in your email address, then another click through your email, and done! No more difficult passwords and riddles. Just look at the screens that I have been through.
We got this magic link in the fourth image, we can hack him. That is what you are thinking right, or not? Well, if you did, I have to disappoint you. This link is only valid for 15 minutes and can be used only once, and I have used this one. This link is every time different and is generated on a secure server. It is safe and I can’t think of a scenario that is harmful to this case without a password and isn’t for one with a password. If you can think of one, please share, so we can discuss it.
Embrace the passwordlessness
It all sounds a bit scary, but in some situations, you need to get through the scary part to find the awesome part. Passwordless accounts do have their advantages. Are you familiar with that moment when you want to view a product or article, but you need to log in with an account? You don’t have one, so you quickly make one. Here comes the restriction part, they come this time with eight strong. After multiple times using Trial and Error comes the breaking point. The temptation is now so high that you admit to reusing a password that you are already using. The only difference, this password gets a number at the end or a capital letter in the beginning. This is a common way of how people are creating accounts and their passwords.
That is the point where the whole system of passwords falls apart. Here is the magic link — in my opinion — the answer. It is a perfect way to register and log in. The link needs to be safe, that is the condition. Usable for just a few minutes and only once. Let me be ahead of you because you want to say “yeah, but you need to click a link what an extra step is”. It is a click, but you already need to do this when you register when you need to verify your email address. For the login flow, it is indeed an extra step, if you ignore to click the password field or login button.
In the login flow, it is maybe hard to understand, but the speed of today’s servers and future servers are good enough to meet our demands to be fast. The email can be received quickly. Besides, is it not a great win if we just need to wait a few seconds for the link, than that we need to remember all those passwords and meet all those restrictions?
Passwordless accounts are safer than ones with a password. It won’t be necessary to reuse passwords anymore. There will be nothing for hackers to phish. You have no more difficult words to remember or to find that stupid paper. In brief, something I would enjoy.
I already mentioned it, but the experience. The experience is an important aspect for me as an interaction designer. How do users deal with login and register today? There is a big pain point. The chance of this being hit is strongly present. The reason, all those restrictions that the password needs to meet. Below I made a flow of how a user (can) act to login.
In the perfect situation, it is a short flow, which is great. Unfortunately, this isn’t the case on many occasions. The results of the Ponemon Institute say that 67% of people in the U.S. have been locked out of the minimum one account in 2012. That is ridiculously high. A flow without a password is much more user-friendly. It can help 67% to not forget their password and keeping them away from the flow of retrieving a new one.
Then we got the flow to login without a password. This flow is as long as the perfect flow of the one with a password. The only big difference, the part to retrieve a password isn’t needed and can be forgotten. I just wanted to be sure you get it, you will always have the perfect flow.
How does it work with registering? The same. You don’t have that long-form anymore, where you need to enter a load of information about yourself. The benefit here is that you can, if you wish, give as minimum information to achieve your goals. On some websites, you don’t want to add the information about who you are and where you live. What in other cases is just the thing that you want to add? You can control more what the internet knows of you. Maybe organizations will evolve their restrictions to access the content. But, you need to choose for yourself where the line is to give information for an article or to buy something.
A register way without a password safes time. When you live in Aruba and you want to register on a website from Europe, then there can be a problem. There is this one field that is required, but you don’t know it. It is the Zip Code. Yes, it is true, in Aruba, they don’t use zip codes. How to deal with it, you can’t, you need to skip this awesome article. That isn’t fair. Everyone needs to get access to awesome knowledge, right? Below I have made a flow of how users (can) register. Every register form is different, but I tried to make a straightforward one, that is mostly used.
Here again, it is a pain point that your password needs to meet restrictions. This is to secure them but results in reusing passwords that decrease the safety of passwords. Besides, you are forced to fill in fields about yourself to complete the registration. Using a magic link to register, is different as you can see below.
It is child play. Magic links also have their lesser features, it can be less user-friendly on some fronts. For example, when you log in multiple times daily, then it can be a pain in the ass.
But how many of you let your browser remember your password? Can’t this be done with a magic link, that lets you stay logged in for a few hours or days? Or is this unsafe? Well, if it is unsafe, I think that we need to think about the way we are handling this right now, with the situation that we have passwords. Besides, if you don’t want to wait for your link, do you want to type in your password over and over again? If you are not doing this, but let your browser remember it, why shouldn’t this be possible with a magic link?
It is hard, but it is good to think about it. As designers, we need to figure out what the perfect way is. Do we let users wait a few seconds for their link, and secure their safety with those few seconds? Besides that, do we allow them to stay logged in for a few hours or not? Or do we let them use their muscle memory and let them type their passwords? The last one has a catch. It will invite you more to reuse those passwords. All right, I keep repeating myself, and I think that my point is clear. I will say that the passwordless account is a good new way to try for us designers, especially when it comes to user experience.
Security comes hand in hand with online accounts. When you enter your information in an online profile, you want it to be safe. But, where is the line between security and laziness? When do we prefer to be lazy and risk our personal information and when do we want to do some more effort to be safer?
You are dodging those hackers for years. Phishing emails, malware, and other hacker attacks. Is the passwordless account really up against those attacks? These days it comes from every corner. Everyone warns not to react to emails with links to websites. Especially when it comes to log in through a link in your email.
Now there is this student, who is doing an internship, saying that this is the future? I know it sounds contradictory because experts are telling otherwise. The thing is, with phishing emails they want to get to your password to log in. They already have your email address, otherwise, they couldn’t send you that email. If you are using an account without a password, there is nothing to phish. The joke’s on them.
There is maybe still a thing to learn in the beginning. Didn’t you asked to log in, and you get an email with a login link, then don’t use it. It seems logic, still, people will click it. Will a website ask for a password, and you know you got a passwordless account, then don’t enter one.
Then there is your email account. This needs to be the toughest of them all. Every account is linked to your email account. Google is already busy with making it more secure with multiple-factor authentication. It needs to be a fortress. Once a hacker is inside, they have a free game. Let’s assume that hackers managed to get inside your email account. What to do with your passwordless accounts? Well, I’m afraid there is nothing to do, just change the password of your email account, or block your email account.
It sounds weird, but this is an edge case. It is hard, but not unthinkable that hackers can get inside your email account. The thing is, that there is not a difference between the accounts with or without a password. A password can be retrieved with some time and effort.
In brief, hackers can always get into your online account through your email account The accounts with a password and a personal question will be a bit tougher, but it is manageable. Accounts with or without a password are even strong when it comes to the case when your email account is hacked. Still, it is a rare case that your email address is hacked, these servers have a strong defense system, websites on the other hand often don’t.
How should we continue?
I am not claiming it needs to be the first thing tomorrow morning, but it is something to think about. Can we be more user-friendly and give the users more safety by taking the password away?
Of course, there will always be exceptions. I don’t think everything can be passwordless. For these exceptions, we need to make stronger authentications. Websites that belong to governments, where you are logged in as an identity, need to be super safe. The same for email accounts, when this is the place where all your accounts come together. Companies are already investing in better multi-factor authentications, it won’t take long before more accounts will use this extra security.
Think about it, a future without passwords. Is this time to introduce it next to the increasing safety of email accounts? Be better armed against phishing emails. Better user experience for everyone. On top of that, everyone, young and old ones, everywhere and anytime can log in and register to any website without breaking their minds. Doesn’t sound that as the ideal world?