Essays draft
This is a work in progress and is not officially published yet.

series: Login Bingo

by Matthew Lyon  •  February 27, 2025

Sent You a Link

It’s time to go log in to the website to do the thing. You enter your email address, and are told: Check your email for a link. You go and check your email, but nothing’s there. Meanwhile you notice an email about “new secure message” from your tax preparer/doctor/etc, and decide to deal with that in the meantime, because you have been expecting it and perhaps it’s important.

When you’re done, it takes some effort, but you recall you were trying to log into the website to do the thing. There’s still no email from them. You figure, huh, that’s odd, and check your spam folder, and there it is, amidst claims that customs is holding your package and please send some bitcoin to Russia, that the crypto funds you don’t have need your wallet to be verified, that you spent $700 on a copy of Norton Antivirus, and an email that appears to be from yourself but is really a sextortion scam (I really did hack you because this email is from you! … yeah, it’s really a shame that spoofing headers is a feature of email and not a bug).

Because you’re careful about links in email (sigh), you check the link to make sure it’s legit by copying and pasting it to a text file, then open it. It turns out the link expired five minutes after it was sent. You go ahead and have them send you a new link, but your doctor/tax preparer/etc sent you a “new secure message” and off you go on another side quest, and the process repeats.

Whatever the excuse, the “login via email link” pattern that’s become increasingly prevalent has a few fundamental problems:

  • Email is not a real-time medium, and delivery problems can be expected to take days to resolve

  • Email is an inherently insecure medium; not only is it unencrypted plaintext by default, it is also subject to hijacking and rogue sysadmins

  • Links in emails are inherently untrustworthy and this pattern forces people to trust them

  • Sending email is a game of reputation, not just in terms of deliverability (the sense in which the term is most often used), but also in the minds of the people receiving your emails

This pattern is a streamlined version of reset your password to login; I know people who do this, and for all intents and purposes, defaulting to emailing people a login link just removes a few steps and the pretense of having a password from the picture entirely. Perhaps the best defense of this pattern I’ve seen is why 404 Media doesn’t want your password, and I will defer any defense of the pattern to them:

But you know what’s the safest way for us to keep your password safe? Not asking for one to begin with. By not creating a password with us you have no risk of it leaking, and we don’t have to deal with the responsibility of keeping it secure.

They even pointed out some downsides to this pattern I hadn’t thought of:

They open up the Gmail app, click the “Sign in to 404 Media” button, and their phone loads the webpage. But this is loading the website in Gmail’s web browser, not your native Safari one. People then navigate the site as they would normally in their default browser, and are surprised when they are not logged in. These two browsers are not sharing any cookies or login sessions.

Maybe this pattern works for some people; but many people — including myself — hate it with a passion, which is presumably why 404 Media felt it necessary to defend it, even though in their case it’s compounded on top of Tease the Preview. Lest you dismiss my critique of the pattern as “who cares about a single news site?” or think I’m picking on them (I otherwise adore them), I have seen this pattern in use in systems from developer infrastructure hosting to personal finance, and more famously it’s now the default on Slack.

In addition to the problems listed above (I have found 404 Media’s sign in emails betwixt crypto phishing and sextortion attempts in my spam folder), as I wrote in Check Your Messages:

With regard to attention contexts, as a person with ADHD this is something I pay keen interest to when thinking about interaction design. Email management is generally considered a hard problem, text messages are often overwhelming, and as with Open a Window, you are contributing to the problem by using these methods. Especially for people with ADHD.

I’m not the best at keeping on top of managing my email (though I’m better than some others), but a rudimentary search showed I had about two dozen of these messages which I had archived instead of deleted, despite an effort to intentionally delete transitory messages. Since I find this pattern so annoying, I noticed that I’ve sadly started reading fewer things at 404 Media that require one to be logged in (they keep forgetting my device), have all but given up on community Slacks, and am migrating off a service provider that switched to the pattern. So it goes.

This pattern also assumes that you have access to your email on the same device that you are visiting the site with. I tried not having email on my phone once; it lasted about three days, mostly for this reason.

If I try to log in and you tell me to check my email, don’t be surprised if I don’t come back. Or if someone else comes back in my stead. Please just let me set and use a password.

2025 Matthew Lyon