Do you feel like you’re constantly having to sign in again to sites that you use regularly? Your angst has been noticed, and the powers that be are working on a solution.
My Google password is mXNkQ3/Dy?Pg. (Or it was, anyway, until I published it for everyone to see.) I’ve had to type that nonsensical string so often I memorized the darn thing. It seems like every time I click a link, download an app or unlock my phone, I’m forced to log in to my account all over again.
The internet has an identity problem. It has never had a simple, universal system for figuring out who we are. As a result, we’re stuck with separate usernames and passwords for every site and app we use—no, I’m not touching that Sign In With Facebook button—and perpetually re-entering them to prove we’re still ourselves. It’s mildly annoying on our laptops, where we have dedicated keyboards. It’s a bigger pain on our smaller phones, and it’ll be near impossible on the smart machines we’ll have going forward. Imagine typing a 16-digit code every time you start your car.
The good news is, everyone knows this is a problem. The tech industry has spent years working on ways for the internet to recognize you, and real solutions are starting to come to market. The bad news? It isn’t an overnight fix.
Login trouble has many causes, but it tends to be a two-part issue: how a website or service is set up, and how we now behave on the internet.
Whenever you enter your username and password, the app or site opens a “session,” quickly compiling the data relevant to your account and connecting you to the servers and tools you need. That creates a security risk: If your session is still open and another person on the same computer goes to the same site, he or she could have access to all your stuff. As a result, most developers set an end date for your session, automatically closing your connection to the site or app after a specified amount of time. This security risk is also why you have to confirm your identity when changing account settings or shipping purchases to new addresses.
To illustrate, let’s look at our own wsj.com. Years ago, the developers building The Wall Street Journal’s website decided that sessions should expire after 15 days, said Ramin Beheshti, chief product and technology officer at the Journal’s publisher, Dow Jones. That meant twice a month, you’d re-enter your password, so the Journal could make sure it was you and not some account thief sitting at your computer.
Every app and service has its own version of this rule. Dashlane, the password manager, requests your password every 14 days. Evernote will keep you logged in for 30 before kicking you back out. Okta, which gives users access to multiple work apps through a single login, lets its corporate customers decide how often employees must cough up a password.
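The session rules described above, sketched as an added example (not code from the Journal or any of the services named): a session that expires a fixed time after login, plus a fresh password confirmation before sensitive actions. The class and method names, and the 10-minute confirmation window, are assumptions; the password check itself is assumed to happen before `login` or `confirm_password` is called.

```python
import hashlib
import secrets

SESSION_TTL = 15 * 24 * 3600   # absolute lifetime: 15 days, as in the wsj.com example
REAUTH_WINDOW = 10 * 60        # assumed: sensitive actions need a password check in the last 10 minutes


class SessionStore:
    """Hypothetical in-memory session store; times are seconds since an epoch."""

    def __init__(self, ttl=SESSION_TTL, reauth_window=REAUTH_WINDOW):
        self.ttl = ttl
        self.reauth_window = reauth_window
        self._sessions = {}  # sha256(token) -> record, so raw tokens are never stored

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, now):
        """Open a session after the caller has verified the password."""
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[self._key(token)] = {"user": user, "created": now, "last_auth": now}
        return token

    def _lookup(self, token, now):
        key = self._key(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        if now - rec["created"] >= self.ttl:
            del self._sessions[key]  # past the end date: close the session for good
            return None
        return rec

    def confirm_password(self, token, now):
        """Record a fresh password confirmation on a still-valid session."""
        rec = self._lookup(token, now)
        if rec is not None:
            rec["last_auth"] = now
        return rec is not None

    def authorize(self, token, now, sensitive=False):
        """Return 'ok', 'reauth_required' or 'login_required' for a request."""
        rec = self._lookup(token, now)
        if rec is None:
            return "login_required"
        if sensitive and now - rec["last_auth"] > self.reauth_window:
            return "reauth_required"  # e.g. changing settings or a new shipping address
        return "ok"
```

Ordinary page views pass until the 15-day mark, while a settings change an hour after login is sent back for a password confirmation even though the session is still open.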
When you only had one computer, entering passwords every few weeks didn’t feel so arduous. Now you have laptops and phones and tablets and maybe even smart TVs, all logged in to the same things, each demanding a bi-weekly re-up.
And it gets worse. Each device now has multiple browsers and apps—and nowhere is it more chaotic than on our beloved smartphones. If you check sports scores on an app, you have one login; if you do the same on the Safari or Chrome browser, that’s another. If you click a link on Twitter, or someone emails it to your Gmail account, those apps have their own browsers, and you have to log in through each one. It starts to feel like a constant nag.
On an iPhone, each browser is entirely separate from and unaware of the others. And some in-app browsers require you to log in every time, because they don’t carry any session baggage from one use to the next. Android does a better job of helping those apps talk to each other.
This is me
Nobody likes passwords—not even the services that ask for them. “The only people who love usernames and passwords are hackers,” said Alex Simons, corporate vice president at Microsoft’s identity division.
Over the past few years, most big tech players have collaborated to develop standards for managing identity on the internet. Most recently, the World Wide Web Consortium ratified a standard called WebAuthn, which allows websites to authenticate users with biometric information, or physical objects like security keys, and skip the whole password thing altogether. You could log into Facebook or Gmail or Amazon just by scanning your fingerprint, or with a facial-recognition scan. Imagine logging into everything the way you currently log into your phone.
All that’s left is for every app, device and website to integrate these new standards. Which is going to take years. In the meantime, there are a couple of ways to make your logging-in life easier.