Deliverable authentication as a useful pattern
Hiya,
I read this article about the "email is authentication" pattern and recognized myself.
There are a certain class of low value accounts for which possession of my email address is secure enough for me. Note that this also applies to any other login identifier that is verifiable via a message; the primary other scenario is using a phone number instead of an email address.
Characteristics of these accounts include:
I use it very occasionally, or even just plan on one-time use
I’m not concerned about account takeover because of the type of application or the data it holds
I'm forced to create an account because there is no “use anonymously” or “use as a guest” option
the deliverable authentication/email account reset choice is preferable to other options available, because I don't want to tie the account to a social provider
I'm on a device without access to my password manager, which means setting up a real account with a random password is a hassle
I'm not a power user with a deep affiliation or understanding of the app but do want access to whatever data or functionality the app offers
I can leverage an existing account that can be delivered to
One example of this is a restaurant website I use to buy burritos occasionally. I end up resetting the password every time I use the site because I can't be bothered to set up a real password, primarily access it on my phone, and don't have the option to log in any other way. While the account does have a saved credit card, I rely on the ability to file a chargeback to protect myself from account takeover. And I don't know if anyone is a true power user of a burrito purchase website :).
These types of accounts would be better off not forcing users to go through the forgot password process, and instead allowing magic links or one-time login via a delivered code (an OTP). However, I imagine it is a bit humbling to offer a low-commitment login method if you've spent time and money building an application. After all, the burrito company probably thinks their website is pretty awesome.
But it is better to meet your users where they are at, especially if the implementation and maintenance cost is low. Removing friction from application access is almost always a good thing.
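The magic-link and OTP login described above, as an added example (not code from this newsletter or from any site it mentions): a small Python class that issues either a high-entropy link token or a six-digit code, stores only a hash of it, expires it, makes it single-use, and caps guesses on the short code. The TTL and attempt cap are assumed values.

```python
import hashlib
import secrets
import time

# Deliverable authentication: the only credential is proof that the user can
# read a message sent to their address. Values below are assumptions.
TTL_SECONDS = 10 * 60   # links and codes should expire quickly
MAX_ATTEMPTS = 5        # a 6-digit OTP has ~20 bits of entropy, so cap guesses


class DeliverableAuth:
    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # email -> {"digest", "expires", "attempts"}

    @staticmethod
    def _digest(email, secret):
        # Store only a hash so a leaked table cannot be replayed as logins.
        return hashlib.sha256(f"{email}\0{secret}".encode()).hexdigest()

    def _store(self, email, secret):
        email = email.strip().lower()
        # Issuing a new code invalidates any earlier one for this address.
        self._pending[email] = {"digest": self._digest(email, secret),
                                "expires": self._now() + TTL_SECONDS,
                                "attempts": 0}

    def issue_magic_link(self, email):
        # ~256 bits of entropy: safe to embed as a query parameter in the emailed link.
        secret = secrets.token_urlsafe(32)
        self._store(email, secret)
        return secret

    def issue_otp(self, email):
        # Six digits are easy to type on a phone but weak, hence MAX_ATTEMPTS.
        secret = f"{secrets.randbelow(10**6):06d}"
        self._store(email, secret)
        return secret

    def redeem(self, email, secret):
        """Return True and consume the code on success; False otherwise."""
        email = email.strip().lower()
        rec = self._pending.get(email)
        if rec is None or self._now() > rec["expires"]:
            self._pending.pop(email, None)  # drop expired records
            return False
        rec["attempts"] += 1
        ok = secrets.compare_digest(rec["digest"], self._digest(email, secret))
        if ok or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[email]  # single use, or burned after too many guesses
        return ok
```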
Do you have any sites that are "email as authentication"? Did I miss any common characteristics of such sites?
Cheers,
Dan