Essays draft
This is a work in progress and is not officially published yet.

series: Login Bingo

by Matthew Lyon

Use the App

It’s time to log in to the system to do the thing. After entering your credentials, you’re prompted to “approve this login in the app”. This has never happened with this particular system before. You don’t see an obvious way to bypass this for the traditional multifactor authentication challenge you’ve used before… oh wait, there it is, in low-contrast nine-point type: “try another way”.

Maybe you keep your phone in the other room to help prevent distractions. Maybe you haven’t installed their app yet, or maybe you did install it a while ago but deleted it, either for focus or for security. Maybe the app related to this system has no way to approve the login if you’ve disabled push notifications.

Maybe you didn’t expect this app to be used in an “approve my login” context, and your kid just approved your login.

Whatever the excuse, unless your app exists for the sole purpose of aiding authentication, shoving it into your authentication flow without the express permission of your users will set them up for a variety of problems, from frustration to account takeover.

I get it, you want people to install your app. You gotta get those numbers up. You need to spy on people and sell their info: software’s expensive, and revenue is the lifeblood of business. Phones as they are used today are perhaps the most personal expression of computing that exists, and because mobile apps have access to a lot of data, you want everyone to install your app. Forcing them to install it so they can log in to your website is a great way to do this.

There are a variety of reasons people might not want your app: maybe it’s just app overload, or maybe they feel like they don’t want a smartphone anymore. Maybe, wary of the always-connected lifestyle, they went back to a flip phone or got an e-ink phone with no third-party apps. Assuming people want to install your app, and assuming they have a phone on which they can do so, is consumer-hostile. Personally, I keep my phone in another room while working, and requiring me to go get it is a disruption; I’ve come to prefer nearly any other method of multifactor authentication.

There are also a lot more things that can go wrong with this type of authentication flow. Does your app send a push notification for people to tap in this case? What happens if they’ve disabled push notifications? Or they accidentally cleared the push notification? Have you made the “approve this login” screen easy to access otherwise?

What happens when the person deleted your app? Do they still have another way to log in, or did you just lock them out, because how dare they?

The first time I encountered this pattern with Twitter in 2016, there was no way to approve the login except from the push notification, and I did get locked out of my account after deleting the app in spite of having other multifactor methods available to me — they had not anticipated someone deleting their app in their design of the feature.
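As an added illustration (not part of this essay), here is a small Python model of the two designs the essay contrasts: a push-only flow that locks out anyone who deleted the app, beside an opt-in flow that keeps every other enrolled factor reachable and survives disabled or cleared notifications. The `User` fields and function names are hypothetical.

```python
# Added example, not from the essay. Models login-approval policy only;
# the User shape and factor names are hypothetical.
from dataclasses import dataclass
from typing import Optional, Set, List


@dataclass
class User:
    name: str
    factors: Set[str]                    # other enrolled factors, e.g. {"totp", "recovery_codes"}
    push_opt_in: bool = False            # user explicitly chose "approve in the app"
    app_push_token: Optional[str] = None # None once the app is deleted or unregistered
    notifications_enabled: bool = True   # False if the user turned push notifications off


def push_only_design(user: User) -> List[str]:
    """The 2016-style flow: app approval is the only path to the account.
    Raises when the app is gone, even if other factors are enrolled."""
    if user.app_push_token is None:
        raise PermissionError(f"{user.name} locked out: no app to approve the login")
    return ["push"]


def opt_in_with_fallback(user: User) -> List[str]:
    """Preferred flow: offer app approval only if the user opted in and the app
    can still receive it; always list the other enrolled factors ("try another way")."""
    challenges: List[str] = []
    if user.push_opt_in and user.app_push_token is not None:
        # Surface the approval inside the app too, so a cleared or disabled
        # notification is not a dead end.
        challenges.append("push" if user.notifications_enabled else "in_app_approval")
    challenges.extend(sorted(user.factors))
    if not challenges:
        # Never reach here with a real account: enrolment must precede MFA enforcement.
        raise PermissionError(f"{user.name} has no second factor enrolled")
    return challenges
```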

There is also the issue of your app’s expected use contexts. This pattern might be reasonable for a banking app, access to which is closely guarded. It is not reasonable for an entertainment app, and certainly not one attached to my TV.

Software is difficult enough already. Introducing another piece of it into an authentication flow shouldn’t be taken lightly, and it most certainly should not be required.

2025 Matthew Lyon