Reinventing the Experience of Authentication

Swarit Dholakia
5 min read · Feb 18, 2020


The US Nuclear Weapon Launch System, Chrissy Teigen’s Twitter account and your home’s smart devices, all have one thing in common: a key of characters and digits that authenticate proper access.

Access to privileged information and services is guarded by various alphanumeric keys, usually the only gatekeeper for our entire digital lives — from social media to finances.

When the stakes are so high, the measures of security to guard access should be too.

We Rely a Lot on Passwords

With passwords for numerous services to keep track of, all of increasing complexity, remembering and retrying passwords is the origin of poor user experiences when logging into work and personal services.

The average office worker in the US, for example, must keep track of between 20 and 40 different username and password combinations, and the average US person maintains login information for 27 different online services.

It forces us to keep track of all our passwords on paper or on our phone — defeating the purpose — or requires constant resetting and reusing. And we’re really bad at maintaining our security.

Bad Password and Password Systems Cost a Lot

Verizon’s Data Breach Investigations Report in 2019 revealed that 80% of hacking-related breaches still involve compromised credentials: poor and reused passwords.

And 29% of all breaches, regardless of attack type, involved the use of stolen credentials, with the average cost of a data breach in the US being over $7 million.

Edward Snowden and Kevin Mitnick, both expert hackers, have made it clear that passwords (bad and good) are the easiest point of breach into a system.

And with employees calling help desks to reset passwords 6–10 times a year, at a cost of $40–50 per call, the result is hundreds of thousands or millions of dollars in business expenses.

A former Microsoft executive told CNN in 2018 that helping people change their passwords cost Microsoft over $2 million a month in help desk calls.

Attempts at Increased Security = Degrading Experiences

So far, increasing security has been a zero-sum game with the quality of the experience: ease of use is sacrificed, and the sacrifice is justified by better security.

Physical security keys, 2-factor authentication, biometrics, complex and select character and phrase requirements, and the need to constantly change passwords for systems all decrease the chances of exposure in a data breach.

None of these processes provides a great user experience.

The lack of a good experience extends to any exchange of information that grants access to privileged details or services.

Your credit card number is another big one, especially as global e-commerce volume is predicted to increase from $3.1 trillion in 2018 to $5.8 trillion in 2024.

Reinventing Authentication

People aren’t good at using passwords, but we’re focusing on the wrong problem; we shouldn’t have to keep track of ways to authenticate ourselves. The whole system is designed poorly, putting the onus of trust and dependency on humans.

There are numerous core technologies that can help change how companies and users treat authentication.

The right approach is to completely rethink the system from scratch. Let’s get rid of passwords altogether!

The Case for Passwordless

A good parallel for comparison exists in driving cars: Humans cause >90% of motor-vehicle crashes, and the point of self-driving cars is to remove the human from the process, theoretically eliminating all error.

The core idea of authentication is to give the right user access to the right service and information. So substitutes for passwords have been tried as well.

Instead of using something the user ‘knows’ as a means of gaining entry, like conventional passwords, or something the user ‘has’, like a code texted to their phone as a secondary password, companies have been trying to use ‘who you are’.

Apple’s Face ID and Touch ID and Google’s Titan (a USB-like key with a fingerprint sensor) are great ways to authenticate. But all of them require more layers of process, creating more pain points and more sources of error.

Magic Links

The idea of some sort of token for authentication — a password substitute — still fosters the same risks and friction in user experience.

A strong argument for reinventing the login experience is eliminating the need for any user-provided token for authentication.

When a user wants to log in, a better experience is to deliver a link to authenticate the right user to the right account that logs in at a click. That link is delivered to a verified and safe destination, like an email.

The ‘magic’ link grants the user who clicks it access to a pre-determined user account or piece of information, provided it is used within a short time frame. Sometimes access is also restricted by the location of the user.

As long as the integrity of the core system is intact, the user never needs to provide a token or key.

Slack uses magic links delivered to a user’s email to give access to an account. The same can be used for bank systems, social media accounts and even systems at work.

At checkouts, credit card and shipping information can be prompted for and auto-filled, using email and SMS as the safe delivery channel for authenticated access.
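To make the magic-link flow above concrete, here is an added example (not Slack’s code or anything from the original post) of the server side: a random single-use token is issued, only its hash is stored alongside an expiry, and redemption checks expiry and reuse. The in-memory store, the 15-minute lifetime and the email addresses are constructed for the demonstration.

```python
import hashlib
import secrets
import time
from typing import Optional
from urllib.parse import urlencode

# Constructed in-memory store: sha256(token) -> {email, expires_at, used}.
# A real deployment would keep these records in a database keyed the same way.
_STORE: dict = {}
TTL_SECONDS = 15 * 60  # links stop working after 15 minutes (assumed lifetime)


def issue_magic_link(email: str, base_url: str, now: Optional[float] = None) -> str:
    """Create a single-use login link for `email` and return the URL to send."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    # Only the hash is stored, so a leaked database cannot be used to forge links.
    _STORE[token_hash] = {"email": email, "expires_at": now + TTL_SECONDS, "used": False}
    return f"{base_url}/login?{urlencode({'token': token})}"


def redeem_magic_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the authenticated email, or None if the link is unknown, expired or reused."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    record = _STORE.get(token_hash)
    if record is None:
        return None  # never issued (or already purged)
    if record["used"] or now > record["expires_at"]:
        return None  # one click only, and only within the time window
    record["used"] = True
    return record["email"]


if __name__ == "__main__":
    link = issue_magic_link("alice@example.com", "https://app.example")
    print("would email:", link)
    token = link.split("token=", 1)[1]
    print("first click  ->", redeem_magic_link(token))
    print("second click ->", redeem_magic_link(token))
```

The location restriction the post mentions would be an extra check in `redeem_magic_link` comparing the redeeming request’s origin with the one recorded at issue time.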

Tokenization of Access

Security tokens are a digital representation of authenticated access to a service or information: essentially virtual, purpose-created ‘passwords’ that a system provides to a user through a verified channel.

Shopify Pay uses SMS to pair a customer’s credit card and shipping information with a checkout instance, verified by a code needed to be entered at checkout.

Can the process become smoother? Absolutely; a link sent by email instead of a code via SMS can push the intended transaction to completion with pre-determined details, with no need to enter anything into a traditional payment form.

Types of Web Tokens

Web tokens work like this: the server generates a token that certifies the user’s identity and sends it to the client. The client sends the token back to the server with every subsequent request, so the server knows the request comes from a particular identity.

JSON Web Tokens (JWT) have a serialized form, used to transfer the data over the network with each request and response, and a deserialized form used to read and write the token’s data.

PASETO lets you take JSON data and condense it into a single token that can be shared over the internet in a tamper-evident way. A PASETO consists of three parts: the protocol version, the purpose (local or public), and the payload containing the JSON data being transacted.

Alternatives like Branca and Macaroons also exist to power web tokens for magic links.

With consumer online payments, web traffic, and the number of joined services per given internet user growing exponentially, the risk and need for secure and easy-to-use methods of validating access is increasing just as much.
