4.2.2 Authenticate

A flow diagram showing the an authentication journey

Steps	Log in with credentials Login page > A: Service continues / B: Not authorised page Log in through provider Login page > Provider journey > A: Service continues / B: Not authorised page Reset credentials Log in page > Reset password > Send reset link > Reset password > Success
Patterns	Log in Not authorised Outcome Sending Notifications

When not to use this pattern

A principle of good user design is reducing friction and making processes as seamless as possible for the user. One way to do this is by avoiding the need for user accounts where possible.

Creating and managing user accounts requires a significant amount of effort from both the user and the service provider. For the user, it's another set of credentials to remember. For the service provider, it's a matter of securely storing and managing that user data.

There are many situations where a service can be designed in such a way that a full account isn't necessary. Consider these alternatives:

One-Time GUID Links: If you need to provide users with a way to return to a specific state in a service (like a partially completed form), consider using one-time GUID (Globally Unique Identifier) links. These can be generated and provided to the user, allowing them to return to their session without needing an account.

Token-based Authentication: For some services, you can use token-based authentication. This could involve sending the user a unique token via email or SMS that they can use to access the service.

Third-Party Authentication: For services that require authentication, consider using third-party authentication services (like Google, Facebook, or Twitter login). This can make things easier for users, as they can use an existing account instead of creating a new one. However, be mindful of the potential privacy implications.

Guest Checkout: For e-commerce situations, consider offering a guest checkout option. This allows users to make a purchase without creating an account.

In all cases, the goal should be to make the user's interaction with the service as easy and smooth as possible, while still maintaining appropriate levels of security and privacy.