Redesigning Password UX: What's the Best Solution?

August 9, 2017

Passwords suck. They obviously help to keep our accounts secure from hackers (or snooping friends and family), but in an ideal world we wouldn't need to use them. Passwords are yet another extra hurdle keeping us from logging into the websites and apps we want to use, so for that reason — they suck.

Passwords aren't even that secure nowadays, so combined with the fact that they hinder the user experience in so many different ways (which I'll discuss throughout the article), it's definitely time we talk about what the alternatives are.

Passwords Generally Aren't Secure

Passwords aren't secure for many reasons. Firstly, if you're tricked into giving your credentials away (also known as a phishing scam) and you don't act quickly, you're pretty much screwed. You've potentially lost ownership of your account right there, if there are no other security measures activated.

And then there's brute-force hacking, which is when hackers use high-end computers to try every password imaginable until one works. Historically you'd need a supercomputer for this, but nowadays a high-spec computer will do fine, especially when many users still choose "password" as their password.

You can combat brute-force hacking by choosing complex passwords (i.e. combinations of lowercase, uppercase, numbers and special characters, with a "strength meter" to show the user how they're doing), and most apps and websites will try to block brute-force attempts on their end. But the fact remains that a brute-force attack can get your account temporarily blocked, and it's a safe bet that the user will be required to choose a complex, hard-to-remember password.

Let's also try not to forget that you should really choose a different password for each app or website, so that should a hacker unfortunately infiltrate your account, they don't necessarily have access to all of your other accounts.

Just doesn't seem worth it, does it? Let's take a look at two-factor authentication, the so-called solution to all of this, and whether or not it's working.

But is Two-Factor Auth Really the Answer?

Wait, what is two-factor authentication?

Okay, well, many large apps and websites, most notably social networking sites like Facebook and Twitter, allow you to activate two-factor authentication. It's not the default setting, and this fact alone shows us that two-factor isn't the ideal solution. What two-factor authentication does is send a code to you via SMS or email (SMS is more secure, though). You then enter this code, along with your password of course, and this essentially confirms that your login is authentic (assuming that you haven't been robbed in the last 30 minutes).

Illustration depicting two-factor authentication
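To make the server side of that flow concrete, here is an added example (not code from the original post or any real service) of how a site might issue and check such a one-time code: the code is random, stored only as an HMAC, valid for a limited window, usable once, and invalidated after a few wrong guesses. The 30-minute window, the five-attempt limit and the `SecondFactor` class are all assumptions; the password check is assumed to happen separately.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 30 * 60   # assumed validity window (the post's "last 30 minutes")
MAX_ATTEMPTS = 5             # assumed: invalidate the code after this many wrong guesses


class SecondFactor:
    """Issues and checks one-time login codes delivered out of band (SMS/email).
    Hypothetical helper written for this example, not a real library."""

    def __init__(self, server_secret: bytes, now=time.time):
        self._secret = server_secret
        self._now = now                 # injectable clock, so expiry can be tested
        self._pending = {}              # username -> (code_hmac, expires_at, attempts_left)

    def _hash(self, code: str) -> bytes:
        # Keep only an HMAC of the code: a leaked table then yields no usable codes.
        return hmac.new(self._secret, code.encode(), hashlib.sha256).digest()

    def issue(self, username: str) -> str:
        # Six digits from a CSPRNG; the caller is responsible for delivering it.
        code = f"{secrets.randbelow(10**6):06d}"
        expires_at = self._now() + CODE_TTL_SECONDS
        self._pending[username] = (self._hash(code), expires_at, MAX_ATTEMPTS)
        return code

    def verify(self, username: str, submitted: str) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False                # nothing issued, already used, or locked out
        code_hmac, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._pending[username]  # expired: the user must request a new code
            return False
        if hmac.compare_digest(code_hmac, self._hash(submitted)):
            del self._pending[username]  # single use: the same code never works twice
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[username]  # too many guesses: throw the code away
        else:
            self._pending[username] = (code_hmac, expires_at, attempts_left)
        return False
```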

Sounds ideal, but here are the drawbacks:

If you don't have internet on your mobile device, or you're abroad, or your mobile battery is dead, you're a little bit stuck. Also, if you use two-factor authentication with a variety of different services, it's going to become annoying quickly.

If users don't understand the value of two-factor auth, which most won't until something really bad happens, it's going to seem like more hassle than it's worth.

Passwords on Mobile

Okay, back to mobile.

Mobile users take twice as long to type their credentials compared to when typing them on desktop. Device keyboards are annoying, so that's not really surprising.

Passwords are looking more and more unfavourable by the minute.

Consider this scenario:

"Password must include at least 1 uppercase character"

"Password must include at least 1 number"

"Password must include at least one special character"

"Password cannot contain ~"

Now this would be frustrating even as a desktop experience, so on a mobile device you'd almost certainly give up, hit the back button, and buy from somewhere else (if you haven't thrown your computer across the room).

Fingerprint Sensor: Possible Solution?

Let's take a look at some of the ways that designers and developers are coming up with modernised ways to solve this. The first thing that comes to mind is Touch ID for Apple devices, which is where you'd log in using a biometric fingerprint sensor. I mean, what are the chances of somebody stealing your fingerprints?

It's easy, and it's secure. But are we lacking the technology?

Apple hasn't delivered the Touch ID technology to third parties yet (well, not unless the web/app integrates with Apple Pay, or you're using a hacky solution like 1Password, which makes use of the fingerprint scanner on mobile). Samsung has brought their fingerprint technology to the web, so the concept is definitely taking off and we can expect this to become the norm, but it'll take time.

We're relying on the device manufacturers themselves to introduce this technology, so that developers can implement it.

Biometric Solutions?

I'm talking heart rate and iris scanning!

Windows has introduced a solution that also scans for biometric data (the fingerprint as mentioned above, the iris of the eye, facial recognition and more). It's called Windows Hello, and it works with the Surface Book, Surface Pro 4, and any device that uses fingerprint scanning. Iris scanning only works with a couple of devices so far, one being the Nokia Lumia 950, so as with fingerprints, we still have a way to go before biometrics become mainstream in mobile/desktop UX.

Another (admittedly somewhat crazy, but kind of brilliant) idea is to combine wearable technology with security to detect the user's unique heartbeat signature. While fingerprint scanning is by far the best solution right now, because of its widespread integration in modern technology, it's clear that we're beginning to move away from the traditional username/password method of security.


Let's move towards fingerprint sensors!