Paul McAleer

The Curse of the Login Form

Logins act as a rigid barrier, preventing users from doing what they want or need to do. It’s high time we seriously reconsider the entire act of logging in to the point of eradicating login forms.

Login forms tend to answer one question: “Who are you?” We may not be interested in what a user wants or needs to do; we just want to be sure that we have the right person on the other side of the screen. Unfortunately there’s a lot of cruft which goes with logging in: username restrictions, password restrictions, account creation and setup, password recovery, captchas… it’s a long and unfortunate list. With recent advances in UX and the marketplace, however, I’m hopeful that login forms will be tomorrow’s tape drives. (Ask your parents.)

Facebook, in particular, is doing some interesting work in this space. Their concept of single sign-on - not unique, but new to a widely-used social networking/app platform - is a very good one. There’s already a wide swath of apps and websites which seamlessly integrate with Facebook, but their new mobile-focused strategy has won me over. The best aspect of their plan is the elimination of logging in altogether via smartphone. Consider this: a smartphone already knows who you are, where you are, and what app or website you’re looking at. It might even be able to see and hear via camera and mic. So forcing a user to say, “Yes, this is me and I’m here” certainly seems to be redundant in a majority of circumstances. The greatest password is one’s identity.

Eliminating the login form gets really interesting when you bring e-commerce into the mix. An accepted practice is a required login prior to finalizing a purchase. This echoes the old practice of looking at one’s ID when buying something via check or, in some instances, credit. But offline, things have changed: most stores never check one’s ID and there’s a huge element of trust there. Should we reconsider that for e-commerce too? If you’ve logged in to Facebook, Facebook can verify that you’re you. Couple that with one’s financial information, and now we’re at the point where a login feels less of a requirement and more of a throwback.

Removing a login form in favor of a Facebook account shifts the burden of identity verification to a much different point in the process, one where it might not get in the way of conversion.

There are two key problems I see with the removal of login forms. The first is trust: would you trust Facebook with your credit card information? Checking account number? You might not, given their middling track record when it comes to traditional privacy. In the event that you’re not comfortable with that idea, how about Facebook’s own currency? There’s still the requirement that non-Facebook currency is used at some point in the process but it - like the Facebook account requirement - is pushed so far upstream that it nearly doesn’t matter. Facebook has its own economy. Adding the ability to purchase physical goods would be a logical move.

My other main concern is about identity theft. As we migrate farther and farther down the path of tying devices to people, it becomes potentially trivial to hijack one’s identity. But I’m confident that this can be solved in a lightweight, technological way which doesn’t intrude on users. Your smartphone has a camera and GPS, so let’s leverage that. It’s not an easy problem to solve and this is simply one idea, but I think we can get there without leaning back on usernames and passwords.

At this point, there are very few companies or organizations with the reach to eradicate login forms. For better or worse, Facebook is one of them. If they don’t succeed, I hope someone will.