
Why do we use passwords to log into ecommerce websites?


We took on the problem of reduced conversion rate due to customer login friction and flipped the concept on its head to provide a smoother customer experience where everyone wins.

Why do we use passwords?

For security? For convenience? Well, it is mostly as a means of authenticating an individual to the website so that their unique details can be known and related to.

In the context of ecommerce, the password is the "key" that unlocks our customer account, containing past order history, specific discounts, or even access to the entire site. But why passwords? For many sites, the password is only part of the picture; we also have to use our email address.

The logic at some point in ecommerce sites' history was: everyone remembers their email address and password, right? Clearly not. Google, Firefox and Microsoft surely would not have invested development resource in building password managers and autocomplete if it was easy.

The fact is, passwords are a messy way of authenticating, especially given that each person, on average, has more than one email address, and is increasingly likely to be forced at some point to change their password by one or more of the websites that they use.

This is fine for websites that we might visit every day. However, for non-frequent return visitors to ecommerce sites, this actually causes a barrier to entry - quite literally. Customers might only purchase from your site once or twice a year, and so when they return they can't remember the email address and/or password they used. Likewise, even if they can remember them, maybe the site replatformed in the meantime, and now those original details no longer work.

The point at which this barrier is faced is quite often the checkout - the very place you DON'T want it to happen.

Can we eliminate the need for passwords entirely?

Surely that would be ideal. Well, in my opinion, we can't. Until there is a zero-friction alternative to a password that becomes ubiquitous, we are probably stuck with them.

Therefore, given the real problem of friction in an ecommerce checkout, we set about looking at ways to solve this through innovation.

Innovating a solution

What we came up with was a module for Magento 2 called "No Password Login".

The idea was that we would remove the password field in the checkout login and account login pages. Instead, we would just ask for the email address. Progressing past that point triggers an email to that address containing a link.

If the person entering that email address actually is that person, they receive an email immediately, and the link in it logs them straight into the site. However, if the person entering that address is not that person, they won't have access to that email account and can't proceed any further. In so doing, we are still providing the same level of account security, BUT we are making it easier for the customer - since they don't have to remember the password.

For returning customers, this gets them straight into the site without friction.

We also considered other use cases, like customers who THOUGHT they had an account on the site, but actually didn't. This actually happens all the time! Currently, they are told that they can't log in - of course. The typical next step would be the standard "forgot your password" functionality, but in this use case it won't work because the account doesn't exist. Worse still, the website gives them false hope with a message like "if there is an account with that email address, we'll send you a link". In this case, nothing happens for the customer.

This is all bad user experience! So again we flipped the account registration process on its head. For a login where the email address doesn't exist, we actually create an account automatically for that person and send them a link to log in. So when they click on the link, they

In all of this, their email account becomes the point at which security is being exercised on the customer side. Something that they must be comfortable with, or else they wouldn't be using it.

For the merchant, it also means that no customer passwords are stored in Magento. So in a data breach situation, there is one less thing to worry about.
