33
ctnqhk
3y

This is what happens to overworked PMs.

Me: When users create accounts with social logins, they don’t have passwords in our database. If they try to enter an email and pw on the login form, what do you want the error message to say?

PM: Can we add a modal that says “Your account doesn’t have a password, set one now.” And have a password field?

Me: ☠️ That…would…allow…anyone…to…hijack…an…account…

PM: Right. Never mind.

Comments
  • 11
    This is exactly why separating the login flow into identification and authentication is so common nowadays. Such flows are way more ergonomic when authentication methods vary.
  • 3
    You could send a confirmation email to actually set the password
  • 5
    Exactly the same thing it says if a password user enters an email and an incorrect password. Minimise the information you might inadvertently give to an attacker if you told them the specifics.
  • 2
    Are you sure that the PM is overworked? Maybe he is just dumb?
  • 1
    @Lensflare he was definitely overworked
  • 1
    I do not know if I totally miss how social logins work:
    from my experience you talk about single-sign-on in the end:
    - the authority is the social network
    - no login will happen on your side
    - your website will forward your user with a challenge/nonce to the social network login/site
    - this side will do validation with the user and then forwards back to your side *(with an authentication token that encrypts the challenge/nonce and informs your website authority about the fact 'user authenticated on our side and is who he says he is')
    - then you give the user your token

    In the end everybody was happy and no password *field* was needed

    Am I mistaken in some way?
  • 0
    @TheNewGuy We have both social login and email/password. Most of our users are on the older side. So there was a high chance of someone signing up using social login, forgetting that’s how they log in, trying all sorts of email/password combinations, and calling customer support because they can’t log in to their account.
  • 2
    @ctnqhk

    Oh man, those layer 8 problems ^^

    I feel you

    -> maybe a careful change in the UI could help to distinguish

    (e.g. a popup/other ui-addition that hints: you made three invalid logins, maybe try the NEW social login)

    .. but users can not be helped sometimes :/
  • 0
    @TheNewGuy This company cannot be helped. The create an account and login forms are on the same web page and are side by side. I’m all…why???
  • 1
    @ctnqhk o_O

    I, I am astonished.
  • 1
    @ctnqhk I am no designer and I do not know much about design

    I really wonder in which field such a UI is common

    (Implicitly I expect that nobody would a priori believe such a design should be adapted; coming from separated pages for sign up and login)
  • 1
    @TheNewGuy It's actually fairly common because many clients believe that having more stuff on the same page is simpler. I generally tend to agree, my choice of a username is determined by whether I'll have to authenticate with it or I can use the email, so seeing the login form while I register is useful. It's perfectly pointless to build an app out of a hundred views with a single centered textbox. Google did it because they wanted to create an impression of simplicity, but if your app isn't actually as simple then it's just unnecessary navigation.
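The safe version of what the post and the comments about a generic error and an email confirmation describe, as an added example that is not code from the original post: a login handler that returns the same message for an unknown email, a wrong password and a social-only account, and a password-set flow that only works with a token delivered to the mailbox on file. The user store, salts and the `send_email` placeholder are constructed for this example.

```python
import hashlib
import hmac
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 stands in for whatever KDF the real app uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed in-memory store: alice signed up via social login and has no
# password at all; bob has a normal email/password account.
_BOB_SALT = secrets.token_bytes(16)
USERS = {
    "alice@example.com": {"provider": "google", "salt": None, "hash": None},
    "bob@example.com": {"provider": None, "salt": _BOB_SALT, "hash": _hash("bob-pw", _BOB_SALT)},
}
# token -> email; the token only ever travels in the confirmation email.
PENDING_RESETS: dict[str, str] = {}
GENERIC_ERROR = "Invalid email or password."


def login(email: str, password: str) -> tuple[bool, str]:
    """Same (False, GENERIC_ERROR) for unknown user, social-only user and wrong
    password, so the form never reveals which case applies and never offers
    to set a password for an account the caller has not proven to own."""
    user = USERS.get(email)
    if user is None or user["hash"] is None:
        _hash(password, b"dummy-salt")  # keep timing similar to the real check
        return False, GENERIC_ERROR
    if not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return False, GENERIC_ERROR
    return True, "ok"


def request_password_set(email: str) -> None:
    """Start the safe flow from the comment above: mail a token to the address
    on file. Returns nothing either way, so callers cannot enumerate accounts."""
    if email in USERS:
        token = secrets.token_urlsafe(32)
        PENDING_RESETS[token] = email
        # send_email(email, token) -- placeholder for the real mailer


def set_password_with_token(token: str, new_password: str) -> bool:
    """Only the mailbox owner, who received the token, can set a password."""
    email = PENDING_RESETS.pop(token, None)
    if email is None:
        return False
    salt = secrets.token_bytes(16)
    USERS[email].update(salt=salt, hash=_hash(new_password, salt))
    return True
```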