Existing authentication methods suck
If you’re a software developer, product manager, UX designer or just a person that has any kind of website account then you’ll almost certainly agree with me that signing up online is a shitty experience. Clicking email confirmation links is a chore. Remembering passwords is painful and insecure. Using password managers is risky. It’s all just so… ancient.
Introducing a better way
I had insomnia last week, so I got my laptop and started messing around and ended up building a prototype for something to replace all of the above hell. The prototype was a way for people to register and log in by uploading an image from their devices.
(It’s not pretty and it’s not mobile-friendly, and it doesn’t do much. It’s just a simple demo that might take a while to load because it’s running on a free service)
How would that work?
Imagine replacing the sign-up form on your registration page with a form that asks only for the person's name or username. When they click register, your app saves the account and generates a long random secret string for it (the prototype calls this the user's "hash"). Store only a hash of that string, exactly as you would store a password hash, so that a copy of your database does not hand out working login images.
Your new user is then shown an image generated from that string, which they download and keep; it is the credential they will upload to log in in future.
At login the user uploads the image, your code reads the pixels back into the same string, hashes it and looks up the matching account; if one exists you authenticate the user and create a session for them.
Is it secure?
In the protocol I built, the app generates a 600-character string as the user's secret. It is not really a hash of anything: it is a concatenation of 100 hex color values (without the # symbol), each drawn at random from an array of 25 colors in a triadic color scheme. The color scheme is only there so that the generated image has some semblance of a theme; any colors can be used, as long as the random choice comes from a cryptographic generator rather than something like Math.random.
100 draws from 25 colors gives 25^100, roughly 10^140 possible strings (about 464 bits), which exceeds the estimated 10^80 atoms in the observable universe. Nobody is going to guess your image by brute force; the realistic risk is someone obtaining a copy of it.
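The registration and login round trip described above, together with the 600-character secret and its entropy, as an added example in Python. This is not the PavEasy prototype's own code: the palette is constructed for the example (any 25 distinct colors do, as the post says), the server store is an in-memory dictionary, and the tiny PNG reader only handles the filter-free 8-bit RGB files the writer produces; a real service would decode uploads with an image library such as Pillow.

```python
# Added example, not the PavEasy prototype's own code: register/login with a
# real 10x10 PNG as the credential. PALETTE is constructed for this example;
# read_secret() only handles the filter-free 8-bit RGB PNGs render_png() writes.
import hashlib
import math
import secrets
import struct
import zlib

GRID = 10   # 10x10 cells = 100 colours x 6 hex chars = a 600-character secret
CELL = 8    # pixels per cell in the rendered image

# Lowercase so each colour round-trips exactly through bytes.hex().
PALETTE = [
    "e63946", "f1faee", "a8dadc", "457b9d", "1d3557",
    "ffb703", "fb8500", "8ecae6", "219ebc", "023047",
    "2a9d8f", "e9c46a", "f4a261", "e76f51", "264653",
    "6a4c93", "1982c4", "8ac926", "ffca3a", "ff595e",
    "606c38", "283618", "fefae0", "dda15e", "bc6c25",
]

def make_secret():
    """100 palette colours drawn with a CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(PALETTE) for _ in range(GRID * GRID))

def entropy_bits():
    """25**100 possible strings, i.e. 100 * log2(25), about 464 bits."""
    return GRID * GRID * math.log2(len(PALETTE))

def _chunk(tag, data):
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)

def render_png(secret, cell=CELL):
    """Paint the secret as a grid of flat colour cells and return PNG bytes."""
    colours = [bytes.fromhex(secret[i:i + 6]) for i in range(0, len(secret), 6)]
    size = GRID * cell
    rows = []
    for y in range(size):
        row = bytearray(b"\x00")  # filter type 0: raw RGB bytes follow
        for x in range(size):
            row += colours[(y // cell) * GRID + (x // cell)]
        rows.append(bytes(row))
    ihdr = struct.pack(">IIBBBBB", size, size, 8, 2, 0, 0, 0)  # 8-bit RGB
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(b"".join(rows))) + _chunk(b"IEND", b""))

def read_secret(png, cell=CELL):
    """Read the centre pixel of each cell back into the 600-character string."""
    if png[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG")
    pos, idat, width = 8, b"", None
    while pos + 8 <= len(png):
        length, tag = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, _height, depth, ctype = struct.unpack(">IIBB", data[:10])
            if depth != 8 or ctype != 2:
                raise ValueError("only 8-bit RGB handled here")
        elif tag == b"IDAT":
            idat += data
        pos += 12 + length
    if width is None:
        raise ValueError("missing IHDR")
    raw, stride = zlib.decompress(idat), 1 + 3 * width
    colours = []
    for i in range(GRID * GRID):
        y = (i // GRID) * cell + cell // 2
        x = (i % GRID) * cell + cell // 2
        line = raw[y * stride:(y + 1) * stride]
        if not line or line[0] != 0:
            raise ValueError("filtered scanline; use a full decoder")
        colours.append(line[1 + 3 * x:4 + 3 * x].hex())
    return "".join(colours)

def fingerprint(secret):
    # ~464 bits of entropy: a plain SHA-256 suffices, no slow password hash needed.
    return hashlib.sha256(secret.encode()).hexdigest()

def register(db, username):
    """Create the account, store only the fingerprint, hand back the image."""
    secret = make_secret()
    db[fingerprint(secret)] = username   # a DB dump yields no usable login images
    return render_png(secret)

def login(db, png):
    """Decode the uploaded image and look up whose fingerprint it matches."""
    try:
        secret = read_secret(png)
    except (ValueError, struct.error, zlib.error):
        return None
    return db.get(fingerprint(secret))
```

Usage: `image = register(users, "alice")` gives the bytes the user downloads; `login(users, image)` returns `"alice"`, while an unrelated PNG or non-image upload returns `None`. Because the table is keyed by the SHA-256 of the secret, the lookup is a plain dictionary hit and the database never holds anything an attacker could turn back into a login image.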
But what if someone steals your image?
That’s always a possibility, or maybe even an inevitability: the image is a bearer credential, and anyone who gets hold of a copy (from a cloud photo backup, a chat app, a shared laptop) can log in with it. You could store your “PavEasy image” in a password-protected app on your device, but that just introduces another 3rd-party dependency. As a developer, you could treat the image as an identity and require a PIN code that serves as the password.
For more entropy you could even require a PIN made up of 3 emojis instead of digits: three picks from over a thousand emojis give billions of combinations rather than the 10,000 of a 4-digit PIN, which makes an image thief's guess very unlikely to land, provided the server also rate-limits and locks out repeated wrong PINs. You could ask your users to also provide an email address and notify them that their existing PavEasy images have been revoked if a wrong PIN is combined with an upload of their image. Revoke after a few failures rather than one, though, or anyone holding a copy of the image can lock the real owner out with a single deliberate mistake.
It’s about the experience
Adding PIN codes and asking users for their email addresses sounds a lot like this new protocol would be redundant. But the point isn’t to invent something that magically replaces the hardened protocols invented by super smart people in the past. It’s to introduce an effortless and user-friendly way for people to sign up and login to your services in an alternative way.
User acquisition goes up when friction goes down. Millennials love convenience. You want to be protected from account hacking. This protocol addresses all of these issues.
Of all the authentication methods that currently exist, I think Slack has the best user experience. If you want to sign into Slack on your phone you can request a magic link to be delivered to you via email. When you click that link you’ll be signed in automagically.
But even this method has a drawback - you need an email client on your phone.
I know, that sounds like a stupid argument but there are people that opt out from either having email clients on their phones or from having their work email accounts active on their phones.
I’m not a designer, so for the prototype I just figured out how to render 100 circles onto a 10x10 grid. The initial idea was to blur them so they look like this:
That’s not as sexy as I imagined it to be, plus I couldn’t figure out how to save an image from the Canvas element with the blur filter applied to the downloadable file. (Any blur would also have to leave the sampled pixel in each cell at its exact original color, or the pixel-reading step could not recover the string.)
BUT my point is…
…that this ugly image isn’t even necessary for this protocol to work. There’s no reason why, upon registration, you can’t ask your users to upload ANY of their own images from their photo library. The same pixel-reading code can simply scan the pixels at the same coordinates of any image. Two caveats apply: photo libraries, messaging apps and upload pipelines routinely resize and recompress images, and JPEG decoders are not bit-exact, so the pixels at those coordinates must survive unchanged or the string will never match again; and the pixels of a real photo are far less random than 100 independent palette picks, so a sampled photo carries less entropy than the generated image.
Hell, as a user you’d even be able to use your favorite cat photo, meme or even porn image as your authentication ID. Just don’t pick one anyone can find online: a well-known meme is a credential the whole internet already holds.
As a developer you could also scan a random set of coordinates instead of a fixed grid, but that doesn’t add security: whoever copies the image has every pixel, so secret coordinates protect nothing.
What’s with the name?
PavEasy = Passwordless Account Verification made Easy
What are the benefits to PavEasy?
It’s so frictionless: no typing, no remembering passwords, no reliance on 3rd-party password managers that are themselves at risk of being hacked. It’s mobile and cross-device friendly. It’s easier to implement than OAuth and acts as an alternative for people who don’t trust the dark patterns and unethical practices of companies like Facebook, Twitter and LinkedIn.
What are the drawbacks?
It’s a mission to save the same image on both your phone and your computer. But this might not even be necessary. Once logged into a site on your mobile device, you could request a short-lived, single-use code and type it into a secondary device (like your computer) to sign in there. That is a device-pairing code, closer to the codes used to link a TV app to an account than to Google Authenticator, whose codes are derived from a shared secret and the clock rather than requested from a logged-in session.
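The device-pairing flow just described, as an added example that is not part of the PavEasy prototype. The code length, lifetime, attempt limit, the in-memory dictionaries and the `client` identifier used for rate limiting are all assumptions of this example.

```python
# Added example, not the PavEasy prototype's own code: a logged-in phone
# issues a short-lived, single-use code that a second device redeems.
# CODE_LEN, CODE_TTL, MAX_ATTEMPTS and the dict stores are assumptions.
import hashlib
import secrets
import string
import time

CODE_LEN = 8          # digits the user types on the second device
CODE_TTL = 60.0       # seconds a code stays valid
MAX_ATTEMPTS = 5      # wrong guesses a client gets before it is refused

def _digest(code):
    # Only a hash is stored, so a leaked pending table does not leak live codes.
    return hashlib.sha256(code.encode()).hexdigest()

def issue_link_code(pending, username, now=None):
    """Called from an already-authenticated session; returns the code to display."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice(string.digits) for _ in range(CODE_LEN))
    pending[_digest(code)] = {"user": username, "expires": now + CODE_TTL}
    return code

def redeem_link_code(pending, failures, client, code, now=None):
    """The second device submits the code; returns the username once, else None."""
    now = time.time() if now is None else now
    if failures.get(client, 0) >= MAX_ATTEMPTS:
        return None                      # this client has used up its guesses
    entry = pending.pop(_digest(code), None)   # single use: popped on any match
    if entry is None or entry["expires"] <= now:
        failures[client] = failures.get(client, 0) + 1
        return None                      # unknown or expired code counts as a miss
    return entry["user"]
```

Expiry is checked at redemption rather than by a background sweep, so a stale code is rejected even if nothing ever purges the table, and the failure budget is checked before the lookup so that a locked-out client cannot redeem even the correct code.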
Is that it?
Yep, short and sweet.
Hit me up on Twitter (link in footer) with some feedback.