Perceived security of magic link/passwordless login

User Experience Asked by Briana on December 23, 2021

As far as I’ve read, passwordless login like Slack uses (the user inputs their email and then clicks on the login link in their email) is becoming more common and is just as secure as logins that require a password.

I am a designer at a financial technology company whose users skew older. Perhaps this type of login will feel unfamiliar to them (and thus untrustworthy) or too easy, like some secure step is missing. Has any research been done on the perceived security of this flow?

3 Answers

Depending on the sign-in flow design, I would argue that magic-link style passwordless sign-in is more secure than traditional username/password sign-in.

In the magic-link style of authentication, to compromise someone's login access to your web application, the adversary needs to compromise the victim's email account to the extent that he can read the victim's email at the time he is going to sign in to your web application. This leaves more trails and mail alerts, which are harder to cover up, so the victim will notice more easily; hence it is more difficult to succeed.

However, in the username/password authentication approach, it is possible for the adversary to compromise the access totally unnoticed by the user, since the adversary may have bought a database dump from the dark web containing the password and cracked it offline. Hence it is possible that the adversary can use the cracked password to log in to the web application without any notice to the user, and additional countermeasures need to be implemented to improve the situation (e.g. a follow-up email to the user that he has logged in to the web application).

Answered by Angus on December 23, 2021
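The magic-link flow the answer above describes, as an added example that is not code from the original post or from Slack: the server issues a random single-use token, stores only a hash of it together with an expiry, and consumes it on redemption, so a second click on the same link or a click after the deadline fails, and a leaked table of pending links cannot be replayed. The host `app.example.com`, the 15-minute lifetime, and the `MagicLinkStore` / `token_from_url` names are assumptions for illustration.

```python
"""Minimal magic-link issuance and redemption (added example, not the page's code)."""
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a link is valid for 15 minutes


class MagicLinkStore:
    """Server-side record of outstanding magic links.

    Only the SHA-256 hash of each token is stored, so a dump of this table
    cannot be used to log in, unlike a dump of reusable password hashes that
    can be cracked offline. The clock is injectable so expiry can be tested.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # token hash -> (normalised e-mail, expiry timestamp)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        """Create a single-use token and return the URL to send by e-mail."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, URL-safe alphabet
        expires_at = self._now() + TOKEN_TTL_SECONDS
        self._pending[self._hash(token)] = (email.strip().lower(), expires_at)
        # Hypothetical verification endpoint; the token travels only in the link.
        return f"https://app.example.com/login/verify?token={token}"

    def redeem(self, token: str):
        """Consume a token. Returns the e-mail it was issued for, or None."""
        if not token:
            return None
        # pop() makes the link single-use: a second click, or an attacker who
        # reads the mailbox later, finds nothing to redeem.
        entry = self._pending.pop(self._hash(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None  # stale link: the record is already discarded above
        return email


def token_from_url(url: str):
    """Extract the token query parameter from a magic link."""
    values = parse_qs(urlparse(url).query).get("token", [])
    return values[0] if values else None


if __name__ == "__main__":
    store = MagicLinkStore()
    link = store.issue("user@example.com")
    print("send by e-mail:", link)
    print("first click  ->", store.redeem(token_from_url(link)))
    print("second click ->", store.redeem(token_from_url(link)))
```

Looking the token up by its hash means the database compare is over a digest of a high-entropy secret, so no constant-time comparison of the raw token is needed; a real deployment would also rate-limit issuance per address and bind the link to the browser session that requested it.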

I have worked on security products for many years. The current product I'm working on (a mobile app to secure employees' data) uses exactly that.

In the ~5 years that the product has existed, we have never heard a claim from end users (banks, healthcare, insurance, medical) or admins that the authentication method is not safe enough. Not sure what it says about your specific users and product though; decide for yourself.

What you should not decide by yourself and be responsible for is which authentication method to use. There are different considerations for that. Always consult a security expert.

Answered by Omri on December 23, 2021

Passwordless authentication is quite likely more secure than a standard password; people have little patience with traditional username/password security, and it's almost a two-factor authentication process. The easier your security protocols are for the end user, the more secure the authentication process is (password123, anyone?).

So...I don't know of extant research in perception, specifically, but it would be a fantastic usability test to run with your users/target audiences. Since you're working for a financial institution they have the resources to run a test on this. Or to let you do the same!

I'd love to hear if y'all do run this kind of test - it'd be great to share with the community. And quite possibly an industry-first customer experience upgrade. There's a lot of benefit to this approach IMO.

Answered by Mia168 on December 23, 2021