Passwords are a pain in the *
The problem with passwords
Passwords. Users don’t like them. I don’t like them.
Tell me something. Is your password the date of your wedding anniversary? Is it your child’s date of birth? Is it your mama’s maiden name? Yes, I said your mama. Or better yet, is it the name of your favourite football team?
And do you have a really secure, long password with underscores, numbers and other keyboard symbols? How do you remember it? Store it on a Post-It note in your drawer?
Is this starting to sound familiar?
I’ll tell you something else. By looking at your Facebook profile or LinkedIn account, I could probably take a guess at when your anniversary is or when your child was born.
Another thing. How many times have you forgotten that super-long fancy-pants password? Perhaps you have shared it with your partner who has also forgotten it?
Passwords are a pain in the *
I work a lot on public websites.
And what do we ask users to do when they fill out a form on a public website and save that form for later? We ask them to create a username and password, right? We certainly don’t want any old Mo, Joe or Joanna Public getting access to the information on that form.
The smart folks across user research in government have carried out user testing on the issue of passwords. Guess what? Users also agree…
… passwords are a pain in the *.
Could we solve the problem of passwords with ‘magic’?
That’s ‘magic links’ to you and me.
A magic link is the clickable link that’s created when a user registers for a service online.
The user provides their email address. The magic link is emailed to the user’s email address. To access the service online the user then just clicks on the magic link provided in their email.
Most of us have been through this process online. It looks like this:
We tested magic links with users on one of our websites recently and all was going well until…
we went live...
When some users clicked on the magic link for the very first time, the website returned a message telling the user their link had expired. Why?
What was even more strange was that this only happened to some users, not all.
And so we were stumped. What was going on?
Generating other options to avoid using passwords
We started looking at our other options for generating magic links so users could securely access websites, options that didn’t require users to remember a password.
We tried using codes instead of links: send the user a code, and the user enters the code to access the website.
But we abandoned this option. Chris Taylor, Head of Interaction Design at the Home Office, pointed us to a GitHub issue raised by GDS that advised against this. It adds more of a burden to the user.
GDS sprinkles its ‘magic’
That’s when I posted our problem to Chris Hill-Scott, Designer at GDS, who wrote the ‘Identifying users’ guidance.
Chris explained why users were seeing a message telling them their magic link had expired even when it was the first time they had clicked on it:
Lots of things click links before you can. Email virus scanners might click links to check their content for malware. Instant messaging apps might click links to render previews.
‘Magic’ moment: the solution
That made sense to us.
Chris Long (so many Chrises in government), Test Manager on our team, came up with a solution.
What if we were to enable the magic link to be used multiple times, but expire it only when the user takes the additional step of clicking on a Start button?
Chris Hill-Scott gave us the thumbs up to proceed with this approach. So we were able to send the user through a journey that looks like this:
- User clicks on a link in their email
- User receives a message stating ‘Almost there’ inviting the user to click on the green Start button (as in the diagram below)
- User clicks on the green Start button
- User is taken directly to the first page of the form on the public website.
And as if by magic, it worked.
So we found a solution that doesn’t require users to remember a password. Result, right?
Follow some history around this pattern on the gov.uk design system log.
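One way to implement the journey above, as an added example that is not the Home Office service's own code: the GET that a scanner or preview bot triggers only checks the token, and the POST sent by the Start button is what expires it. The route names, the 15-minute lifetime, the in-memory store and the hashing of tokens at rest are all assumptions made for the sketch.

```javascript
// Added example: a magic link that survives automated pre-fetches.
const crypto = require('crypto');

const TTL_MS = 15 * 60 * 1000; // assumed link lifetime
const store = new Map();       // sha256(token) -> { email, expiresAt, used }

// Store only a hash, so a leaked store does not yield usable links.
const digest = (token) =>
  crypto.createHash('sha256').update(String(token)).digest('hex');

// Called at registration: returns the token to embed in the emailed link.
function issueToken(email, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('hex');
  store.set(digest(token), { email, expiresAt: now + TTL_MS, used: false });
  return token;
}

// Returns the record only if the token is known, unused and unexpired.
function lookup(token, now) {
  const rec = store.get(digest(token));
  if (!rec || rec.used || now > rec.expiresAt) return null;
  return rec;
}

// GET /link/:token (hypothetical route). Safe and repeatable: virus scanners
// and link previewers land here, and nothing is consumed.
function handleGet(token, now = Date.now()) {
  return lookup(token, now)
    ? { status: 200, page: 'almost-there' } // page with the Start button
    : { status: 410, page: 'link-expired' };
}

// POST /link/:token (hypothetical route). Only the Start button submits this;
// it is the one request that expires the link.
function handlePost(token, now = Date.now()) {
  const rec = lookup(token, now);
  if (!rec) return { status: 410, page: 'link-expired' };
  rec.used = true;
  return { status: 303, location: '/form/first-page', session: { email: rec.email } };
}
```

In a real service the Start button form would also carry the usual CSRF protection, and the store would be shared between instances rather than held in process memory.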
Enjoyed the article? Join us!
I have fun at my job. I love building stuff and, best of all, breaking stuff. I sometimes fix things I break. Honest.
It’s pretty cool new tech too: open-source, Node.js, Google Puppeteer, Docker, Drone, Kubernetes, Amazon Web Services, PostgreSQL and Redis. I don’t just do dev, I do the DevOps too.
We also work collaboratively and in an agile way.
We don’t wear suits. You can if you want to, but I prefer t-shirts.
Here is our Home Office GitHub repo with plenty of open-source code.
We're setting high standards and we're building for the long term. Look out for new roles in our Manchester, Sheffield and Croydon Hubs.
Please visit Civil Service Jobs to see the DDaT jobs on offer at the Home Office. We’re advertising a number of positions including Developers, DevOps, Tech Leads, User Researchers, QAT Analysts, Service Architects and Test Engineers.