UX Challenge: Re-Imagine Password Authentication System


#1

Preface: Every time I have to log in to a website that asks me for a password, I cringe. Passwords seem so primitive. Why do I have to remember a hundred different passwords for a hundred different websites? Why can’t I simply log in to the website? If I am on a website, it should simply have a button on it that says, “Login”. The website should figure out if it’s my first time, or I am already registered. We need to re-imagine the security, access, and experience of on-boarding to a website that doesn’t require passwords.

Problem: Websites/Apps still use passwords as a login method that puts the onus on the user to remember the passwords.

Challenge: Design a system that uses a different authentication method, one that does not require users to remember a hundred different passwords.

Please do not use third-party authentication, password tools, etc. Re-imagine the authentication.

[Image Credit: https://www.macrumors.com/2017/12/19/worst-passwords-2017/]


#2

Solution: All websites can just rely on OTP (One-Time Password) authentication. Here is the UX:

  1. Websites/Apps don’t need usernames/emails to log in.
  2. Each website/app can have a phone number text box on the home page.
  3. When the user enters the phone number, they will get an OTP code.
  4. On entering the OTP code, the user will be logged in to their account.
  5. Users can complete their email address/username/profile once they are in.

To avoid unauthorized access because of stolen phones, users can enter a simple passphrase at the beginning of the OTP. The system needs to separate the OTP from the passphrase. If it’s the first time the user is logging into the system, the service needs to remember the passphrase for subsequent logins.
E.g.

  1. First-time user login: Enters the phone number.
  2. The user receives the OTP: 456789.
  3. User enters xYZxkcd456789.
  4. System extracts and stores xYZxkcd as the passphrase for future logins with the same phone number and authenticates the OTP.
  5. Any subsequent login attempt with an OTP needs to be prefixed with the same passphrase.
  6. The passphrase can be changed after logging into the system.
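The server side of the scheme in this post, written as an added example (not the poster's code): the OTP is always the trailing six characters of what the user types, so the passphrase prefix can be split off unambiguously; the passphrase is stored only as a salted hash, the OTP is single-use and expires, and a wrong passphrase still consumes the OTP so that someone holding the phone cannot guess the passphrase against one code. The in-memory stores and the phone numbers in the comments are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

OTP_LEN = 6
OTP_TTL = 300  # seconds an issued code stays valid

# Constructed in-memory stores for the example; a real service would persist these.
_issued_otps: dict = {}   # phone -> (otp, expires_at)
_passphrases: dict = {}   # phone -> (salt, pbkdf2 hash of the passphrase)


def issue_otp(phone: str, now: Optional[float] = None) -> str:
    """Generate a fresh one-time code for this phone number (the SMS step)."""
    now = time.time() if now is None else now
    otp = "".join(secrets.choice("0123456789") for _ in range(OTP_LEN))
    _issued_otps[phone] = (otp, now + OTP_TTL)
    return otp


def _hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)


def login(phone: str, submitted: str, now: Optional[float] = None) -> bool:
    """Verify '<passphrase><otp>' as entered by the user, e.g. 'xYZxkcd456789'."""
    now = time.time() if now is None else now
    record = _issued_otps.pop(phone, None)  # single use: consumed by any attempt
    if record is None:
        return False
    otp, expires_at = record
    if now > expires_at or len(submitted) < OTP_LEN:
        return False
    passphrase, code = submitted[:-OTP_LEN], submitted[-OTP_LEN:]
    if not hmac.compare_digest(code.encode(), otp.encode()):
        return False
    if phone not in _passphrases:
        # First login for this number: enrol the passphrase (salted hash only).
        if not passphrase:
            return False
        salt = os.urandom(16)
        _passphrases[phone] = (salt, _hash_passphrase(passphrase, salt))
        return True
    salt, stored = _passphrases[phone]
    return hmac.compare_digest(_hash_passphrase(passphrase, salt), stored)
```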

#3

The user still needs to remember a passphrase. If the user changes the passphrase for one website, they need to change it on all other websites. It will still be a lot of pain if users have to do that.


#4

I agree. Do you have any suggestions on how we can tackle this?