It’s 2013. Why are we still in login hell?

So I get an email (yes, I subscribe to it) from Ad Age pointing me to AT&T Ridding Some Retail Stores of Cash Register, Counters and Other Clutter ‘Warmer’ Shopping Experience Includes Orange Coloring, Wood Paneling, Demos, by John McDermott. I read it and decide to make a comment under it. I’ve done this before, so I don’t expect problems. I write it and go to log in. That gets me this:

Note that it says “Welcome back, Doc” under “Login with your Social Identity.” So I click on that, get to a page with a “Sign in with Twitter” button, click on the button and then find myself on this popover window:

Note that it says “we were unable to match the email address for your social network and AdAge.com accounts.” In fact I am logged in with Twitter, I receive emails from AdAge at the same address I have associated with Twitter, and I don’t feel like using a different “social identity.” So I fill the form out, and another little pink word balloon appears, truncated by the top of the window:

When I click on the “here,” it sends me back to the first login page. There I fill out what two different browsers (deep in the prefs, where they keep this info) tell me is my login/password for AdAge.com. Then I get this:

I think, wtf is that error doing over on the social side of this thing? Can’t think of an answer, so I click on “Forgot UserID/Password,” enter my email address twice, as it requires, and get promised an email that will recall my login details.

Many minutes later I get an email confirming my email address. Alas, the password is a different link. So I click on that. (Using the present tense because I am doing this in real time.) But the session is lost. So I click on another link, go to an unwanted place at AdAge, click on the back button, and get this:

Click on “less” and I get this:

Click on “more” and I get the less thing again. Anyway, a dead end.

So now I go back to https://adage.com/register, and start entering the fields again. This time I get a red pop-out balloon that says “This address is already taken. Forgot your password?” So I click on the link and get to a window where I have to enter my email address again. I do that and it tells me “Your password has been sent to your e-mail address”. It’s now 10:22. I first saved a draft of this post at 9:07. I’ve been doing other things (e.g. making breakfast and coffee), but you can see this is taking a while.

Okay, so now I have the email, which tells me my password. It’s one I don’t recognize at all. I’m guessing it’s a new one. So I go back to a login page, enter my email address and the password they gave me and: voila! I’m logged in. It is now 10:29.

And now, at 10:36, I’ve finished putting up my comment, which I’ve expanded into this post at Customer Commons. Meanwhile, back to the title of this one. Why are we still in login hell?

The answer is simple: we’ve given all responsibility for relationship to the server and left the client as a purely dependent variable. While the formal name for this model is client-server, I prefer calf-cow:

The sites are the servers, and our browsers are the clients, suckling the servers’ teats for the milk of “content” and cookies to keep track of us.

This blows.

It has blown for eighteen years.

The server side can’t fix it, as long as relationship is entirely their responsibility. What we get from that are:

  1. Awful gauntlets such as the one I just went through — and kluges such as “social login”, by which we trade security for convenience. Especially with Facebook. (The only reason I attempted to use Twitter in this case was that AdAge appeared to remember me that way. Turns out it barely remembered me at all.)
  2. Different kluges with every single website and Web service, each a silo. All of those silos think they get “scale” with their thousands or millions of users and customers. But you get the opposite, and it only gets worse with every site you add to your roster of logins and passwords.
  3. Huge burdens on servers and personnel who need to create and manage easily-broken systems such as AdAge’s.

We can only fix this thing from the client side. It’s as simple as that. We’re the ones that need scale. We’re the ones that need our own simple and singular ways of relating to others on the Web and the Net.

Hint: we won’t be able to do it through any silo’d service. We can prototype with those, but they are not the full answer. They just answer the silo problem with yet another silo.

Working one angle toward this simple goal-state (which, after all these years in the calf-cow corral, looks like nirvana) are Abine, Dashlane, MySocialCloud and Privowny, each of which provides ways not only to manage many passwords and logins, but (in some cases) to generate unique email addresses and passwords for different sites, if you like. Far as I know, all of them are also substitutable, meaning that you can pull all your data out and use it for yourself or with another service. (Many other companies offering related services are also listed here among VRM developers.)

But, hey: if we’re leaving the corral, why should we need logins and passwords at all? If you and a site or service truly know each other, why should you both go through the rigamarole of logging in all the time?

There are a zillion good security answers to that question, but they are all coming from inside the same box (or corral) we’ve been in for the duration.

It’s time to think and work outside that box.


8 comments

  1. David Kearns

    Risk-based Access Control (RiskBAC): context-sensitive authentication with risk-factored authorization.

    The Future of Authentication and Authorization

  2. Don Marti

    Mozilla Persona is full of win.

    https://login.persona.org/about

    Especially compared to “social login.”

    Why? “the BrowserID protocol never leaks tracking information back to the Identity Provider.”

    https://developer.mozilla.org/en-US/docs/Mozilla/Persona/FAQ

    So you can use your @example.com email address to log in to whatever sites you like, and example.com never knows which ones.

    If your site login method is based on “let’s make users remember complex strings of text, which we know people are really bad at” or “let’s depend on having our users tracked by big companies, which we know people hate” you need a hacking break–make a simple web application that uses Mozilla Persona, learn how awesome it is, and never go back.

  3. Michael Eager

    Same thing happened to me with embedded.com, except the password reminder email never arrived. Twice. I know folks at embedded, so I sent a request to have my password reset. Got a prompt reply, but nothing happened. Next day repeated request. Finally able to login.

    Seems everyone thinks this social sign on is a good idea, but I’m not seeing it work anywhere.

  4. Nithin Upendran

    The pic of those cows looks fantastic and the edited part of the pic is correctly matched to the content of the blog!

  5. Alan

    This is unconscionable, and a waste of time. We are channeled into this narrowing alleyway of noisy vendors hawking their wares. No escape. Like the ebooks at the public library, that can only be checked out to one person at a time. Even the free books, to even find them is a daunting prospect. Use Linux, and you pay the time tax even more painfully.

    I just had a conversation this week about libraries with an elder scholar, who bemoans the death of academic libraries. She was frustrated in her efforts to download an academic paper to her ebook—even though, for sure, she had all the right connections and passwords.

    Try government websites. The government has been purchased by the Proprietary $OFTware industry. Pervading every corner of our world.

    “Where’s your credit card?”

    You have provided an awesome example. I don’t get this far in the conversation with the server. I have a low pain tolerance.
