authors are vetted experts in their fields and write on topics in which they have demonstrated experience. All of our content is peer reviewed and validated by Toptal experts in the same field.
Mayank Sharma
Verified Expert in Design
8 Years of Experience

Mayank is a product designer specializing in fintech and building Web3 apps and platforms. He applies his extensive knowledge of UI/UX design to blockchain, cryptocurrency, and financial exchanges.

Previous Role

Product Design Lead
PREVIOUSLY AT
AUTO1
Share

The registration and login process on a company’s website or app is a pivotal early impression in the customer journey. User authentication—the process of confirming someone is who they say they are—is an initial step that enables users to browse products or services, save information to their profiles, “favorite” items for later, and, ultimately, become a customer and make purchases.

Done well, an authentication system experience establishes trust in a brand or service, reassuring users that their personal information is safe. On the other hand, a clunky, overly complicated, or dated authentication process creates a poor user experience that can turn users off immediately. Unfortunately, far too many companies fall short when it comes to providing the smooth authentication experience that customers desire.

A study by Auth0 and YouGov found that users around the world want greater choice in login technologies. But less than a third of companies surveyed offered multifactor authentication, only one-fourth offered biometric authentication, and one-fifth offered passwordless authentication. In my decade of UX and UI design experience for web and mobile platforms, I have seen the challenges that both designers and users face when it comes to user authentication. In this article, I address those challenges and offer six strategies for making authentication systems more user-friendly while ensuring the safety and security of customers’ information.

An Auth0 survey found that organizations don’t offer login methods such as multifactor or biometric authentication at the rate customers want them.

The Challenges of Authentication System Design

First, it’s important to sketch out the challenges that designers face when trying to authenticate users. Each case is different, of course, but there are a few common threads:

Range of Users

There is no one-size-fits-all when it comes to customers. Some will be tech savvy, some won’t. For example, while I seamlessly use a password manager and switch between using my fingerprint on some websites or apps and my Google credentials on others, my mother has trouble with password managers and biometric authentication, and doesn’t have a Google account. Keep in mind that some users will also have additional accessibility needs due to vision or hearing loss or other impairments.

Range of Devices

Customers will be trying to access your website, app, or online service using a variety of different devices. If they log in on their iPhone, will that authentication experience be different from the one they use on their PC? After all, someone could use biometric data—such as a fingerprint—to log in on Safari, but that technology isn’t available on Chrome or Firefox. You’ll need to account for the many different access points and devices used.

Legacy Content

You’re never starting with a blank slate. Prior authentication technologies and existing customer login information will pose challenges as you develop new solutions. For instance, implementing and enforcing new password policies is difficult if an older application lacks modern password rules (e.g., requiring strong passwords and periodic password changes) because you will need to roll out the new policies without disrupting users.

Additionally, proper documentation for a legacy application may not exist, and the team that built the application might have moved on to other projects. These scenarios require designers to spend extra time understanding the flow and documenting the edge cases alongside the developers and the product manager before they can begin working on improvements.

Balancing UX and Security

It goes without saying that any authentication procedure will need to keep user data safe, secure, and private. In fact, the vice president of global partner solutions at Microsoft dubbed security “table stakes” at this point. Designers therefore need to balance the need for a simple, seamless UX with the need for data privacy and security.

Authentication Barriers Faced by Users

Designers looking to improve the user authentication experience also must take into account common login challenges facing consumers.

For users who aren’t tech savvy, it can be difficult to differentiate between legitimate, authentic brand communications or websites and phishing scams. More than 300,000 people in the United States fell prey to phishing attacks in 2022, resulting in the loss of more than $52 million.

A primary complaint from users is that there are simply too many passwords to remember, so they don’t want to have to create new ones for each company they interact with. (And yes, that includes your company too.) And a major drawback of the newer authentication technologies is that if users ever change devices or operating systems, they’ll likely need to reset all their authentication choices and information.

Another challenge for many users is the varying forms of authentication systems used across the brand universe. For example, I once worked on a project for a company that digitizes real estate investments. The company was issuing token-based cryptocurrency bonds as part of a regulated securities prospectus. This new feature came with an updated authentication procedure for making purchases which would be unfamiliar to consumers who had no experience with blockchain technology. My team ultimately solved the issue by making the process more commonplace: Instead of requiring customers to remember public and private keys, we created a digital certificate of purchase that would be issued when customers bought real estate tokens. The certificate was designed to look familiar to customers and they were instructed to keep it safe. This solution offered a secure and accessible option for users.

Authentication Best Practices for a Better Experience

With the above issues in mind, here are a few ways UX designers can improve the authentication experience.

1. Look Backward and Forward

Legacy challenges mean you may need to fix glitches in past authentication technology before you launch anything new. A common challenge I’ve faced is updating applications that lack modern password policies such as requiring strong passwords and periodic password changes. When I’ve faced this issue in my work, I have had to repeatedly communicate to key stakeholders the reasons we needed to modernize the security features, and assure them that we wouldn’t disrupt users with the changes. Rather than prompting users to change their password on login, we displayed a banner within the application notifying them of the updates and the reason behind the changes, and informing them that it was time to update their password.

While fixing legacy challenges and modernizing the system takes time, doing so is a great opportunity to ensure that you’re looking ahead and anticipating issues with the system you’re currently designing. Don’t kick problems down the road or leave questions unanswered. They will likely come up again the next time you update—and add to the new challenges you’ll no doubt be facing.

2. Plan for Consistency Across Platforms

Consider every possible device and system that a user might use to access your website or service, as well as every potential account—such as Google, Facebook, or Apple—that you can partner with to let users access your website or service. You’ll want to build as consistent an experience as possible on login pages across all of these devices and systems. That means keeping everything from the color palette, icon designs, and voice and tone of the content the same to ensure the navigation is dependable. Creating a consistent experience is one of the primary ways to promote user trust in your brand—and that consistency should extend to your login pages.

3. Allow Various Authentication Methods

You should be open to letting users access your site or app using a variety of different authentication methods. You don’t want to decide to authenticate using only FaceID and then realize that it won’t work on a MacBook—or on a Windows or Android device, for that matter.

4. Simplify Password Creation and Entry

Address password overload—and garner some goodwill—by letting users create passwords they can actually remember. How? Lay off the rules and requirements and make password entry a bit easier by including a show/hide option. As Jakob Nielsen explains: “Usability suffers when users type in passwords and the only feedback they get is a row of bullets.” He adds that masking passwords rarely bolsters security—but because it causes login failures, it can result in lost business.

Authentication best practices include giving users the option of displaying the password as they type instead of obscuring it with bullets.
Masking passwords can cause errors. Offering a show/hide button at login can create a better authentication experience.

When necessary, guide users toward secure options in a polite and friendly way. I recently tried to create a new password for a login; rather than impose a lot of restrictions upfront or alert me that my password creation failed after the fact, a notice popped up telling me that the password I entered “seems a bit generic.” You know what? It was generic. I thought that was a nice, polite way of telling me that to keep my info safe, I might want to come up with a slightly more nuanced password.

5. Suggest Regular Checkups

One study found that even after a data breach, only a third of users whose data was leaked changed their passwords. Because compromised, weak, or reused credentials can put users’ data at risk, it’s a good idea to build in a regular six-month check-in with your users to suggest a password refresh. This helps people remember which websites they have logins for, and, by suggesting that they change passwords regularly, helps keeps users’ credentials fresh in their minds and more secure from hackers.

Of course, some users may still ignore these prompts. To that end, companies can also nudge users to passwordless solutions like social media login, biometric authentication, or a “magic link,” in which users receive a time-limited link via email or SMS that provides them one-time access to their accounts without having to enter any password. It’s user-friendly, secure, and reduces password-related issues, but it does have an expiration time.

Companies can also suggest to consumers that they use password managers such as 1password or Bitwarden, which can handle the generation and storage of multiple passwords.

6. Be Predictable

When it comes to security, don’t reinvent the wheel. Keep your security clearance predictable and consistent. Look to the big players in your industry to see how they handle authentication, as many of your users will start their journeys there. For example, in my work for Web3 apps, I often look at the authentication experiences of major companies in the space, such as Coinbase.

You may even slow down or add friction to some processes to instill confidence that the procedure is secure. When possible and convenient, rely on existing user accounts—such as Google, Amazon, Apple or Facebook—to streamline the process and provide an easy (and familiar) user experience.

Authentication Standards Build Trust

Authentication system design is no easy feat. To create a secure login process, designers must contend with outdated systems and a need to prioritize consistency across a range of users and devices. Ultimately, these six strategies can enable designers to address the common challenges that organizations and users face with the authentication process, thus fostering a streamlined and secure experience that users can trust.

Understanding the basics

  • How do you build an authentication system?

    Building an authentication system involves several steps. First, establish a user database to store credentials and a process to register new users. Then, validate credentials with a system that uses secure sessions and password tokens. Finally, verify that password policies and instructions are clear and simple.

  • What is the strongest authentication measure?

    Biometric verification is the strongest authentication measure. Factors such as fingerprints, facial recognition, eye scans, voice recognition, etc., are unique to the individual, meaning they are more difficult to replicate.

  • What is the most common authentication method in use?

    Most authentication system designs use passwords for simplicity. However, customers can forget their passwords and are often dissatisfied with the method. To alleviate this issue, allow for different authentication methods, simplify password requirements, and regularly suggest that users change their passwords.

Hire a Toptal expert on this topic.
Hire Now
Mayank Sharma

Mayank Sharma

Verified Expert in Design
8 Years of Experience

Berlin, Germany

January 6, 2017

About the author

Mayank is a product designer specializing in fintech and building Web3 apps and platforms. He applies his extensive knowledge of UI/UX design to blockchain, cryptocurrency, and financial exchanges.

authors are vetted experts in their fields and write on topics in which they have demonstrated experience. All of our content is peer reviewed and validated by Toptal experts in the same field.

Previous Role

Product Design Lead
PREVIOUSLY AT
AUTO1

World-class articles, delivered weekly.

Subscription implies consent to our privacy policy

World-class articles, delivered weekly.

Subscription implies consent to our privacy policy

Toptal Designers

Join the Toptal® community.