Question: how many passwords do you remember?
Among all the services you registered for and created accounts with, do you remember the password you used for each individual service? Do you remember the information you would use to log in to those services? If you are like me, a human, the number of passwords you can remember is somewhere between "a few" and "none". In other cases, the answer is something absurd, like using one password to secure all of those accounts. But we will pretend that doesn't happen.
This points to an often-overlooked fact about humans and digital systems: we do not remember things easily. According to Hermann Ebbinghaus, brains lose information over time without reinforcement. We don't go out of our way to commit dozens of passwords to memory, and the number of services we sign up for doesn't help either.
Humans are surprisingly stateless, just like computers, relying on the brain to hold the important information. Without the brain remembering what we need to remember, we would be idling bodies without any purpose. I bring this up because it is tied to my experience working on a product aimed at the general public. One recurring problem I was constantly dealing with was users creating multiple accounts. This created its own set of issues, because all the information tied to one person was spread across several accounts.
We typically ran into users with 3 to 4 accounts registered who then had trouble finding the one they had paid for. In one case a user created 3 accounts in a single afternoon.
I tried multiple ways to combat this, such as limiting one phone number or email address to one account and making the email address a required field during registration. However, this led to other issues: users dropped off the registration page when registration failed because of a missing required field. One user couldn't provide a working email address to receive the verification link. I was naive to think that every user would have an email address in the current digital age.
I kept thinking about this strange phenomenon, and I came to a few insights.
1. Users forget quickly
We would reach out to users to try to diagnose where the problem was, and 3 out of 5 times the user had forgotten the username they created for the account. It's in our nature to forget things we don't constantly remind ourselves of. That would explain how people accumulate multiple social media accounts over the years.
2. The more the friction, the less the engagement.
Friction hinders progress. It's a given that if a process has a lot of caveats and required steps to complete a task, fewer people will complete it, and fewer still when the task isn't something they need. One step in our registration required users to verify their email address before continuing, and the complaints came in as soon as it was implemented. I argued it was there for security reasons, but the client comes first.
OTP: A 6-digit alternative to static passwords
OTPs, or One-Time Passwords, are numbers or letters, typically 6 of them, sent to the user to authenticate a login attempt or a transaction, as in the case of bank transfers. They were created to address the weakness of a single static password: an OTP is generated dynamically, is valid for one use, and expires after a set time.
The dynamic nature is what drew me towards OTPs, since it doesn't depend on the user remembering a password they created at some point in the past. A user can create an account with their name and a phone number or email address, then request a one-time password from the service whenever they need to access it. This removes a lot of the initial friction, since users only need to remember one piece of information to reach the service.
This had advantages to both users and the development team.
Users:
- One piece of information to remember (Email address or Phone number)
- No "Forgot Password" trap
- No duplicate accounts created using one number.
Developers:
- Limited dependency on a static password.
- Built-in verification flow (whoever can read the OTP has demonstrated control of the contact it was sent to)
Conclusion
One thing I haven't pointed out is the assumption I made when creating the authentication system. I had assumed that, since other systems followed the same flow, I could simply duplicate it: enter a phone number and email address, create a password, click Register, and users would quickly adopt it.
I was Wrong.
Getting constant feedback that the typical flow was not working taught me that mental models cannot simply be duplicated. And just like the argument in this article, my perception that OTPs will ease the authentication process may itself rest on feeble assumptions. I am aware there are other, far more impressive solutions like social authentication and Single Sign-On, but they were not feasible in the codebase I was assigned to.
Despite how far we have come on our technological journey as humans, the authentication systems that are prevalent right now lead to some unique scenarios that do not ease the user's experience, and the problem is exacerbated by the explosive number of systems that require user authentication. Simpler, quicker processes that still accurately identify the user may lead to much better authentication, and I am on the path to find them.