The "email is authentication" pattern

Original link: https://rubenerd.com/the-email-is-authentication-pattern/


The author admits to living mostly in a part of the digital world equipped with ad blockers, limited JavaScript, password managers, and a careful sense of what is a legitimate source and what is a potential scam. Many internet users do not follow this pattern, and the author raises the question of the discrepancy between their own experience and that of others. A common method the author observes involves forgetting a website password, receiving a reset link by email, creating a temporary password without retaining it, and repeating the process continuously. The author asks about the motivation behind this practice and suggests that people may not be aware of why they do it. The author discusses various aspects of digital security, including the importance of password managers, the dangers of identity theft, and the debate over the effectiveness and modernization of usernames and passwords. The author questions where such practices come from and wonders whether people adopt these routines unconsciously because they are easy and repetitive. The author is concerned that enhanced security measures often add complexity and effort, and that many people struggle to adapt. The author proposes exploring ways to design systems that encourage improvement rather than adding barriers to the user experience.


I’m the first to admit that I don’t live in the real (electronic) world. As the late Jim Kloss pointed out during one of his broadcasts, we (and probably you) live in a part of the Web with ad blockers (as the FBI recommends), limited JavaScript, password managers, and a (mostly) finely-tuned sense of what is a scam and what is legitimate (that was a lot of brackets).

Most people don’t live like this. I’d posit the vast majority don’t. And it’s worth a reality check sometimes.

Here’s a shockingly-common login process I witness:

  1. Get to a login page
  2. Click “I forgot my password”
  3. Go to their email
  4. Click the recovery link
  5. Type a throwaway password they won’t retain
  6. Rinse, and repeat

When I ask people why they do this, they either don’t have an answer, or respond with “huh, I never thought about why”. And that’s interesting to me.

Enough has been written (including here) about the need for password managers, the risks of identity theft, two-factor and multi-factor authentication, and whether the entire concept of a username/password is antiquated and in bad need of replacement. If you’re a reader of my silly blog here, you likely already know all this.

What I’m interested in here is the fact people have come up with that above process in the first place. How do you decide that using “I forgot my password” as authentication makes sense to you? Or more specifically, the most sense to you, out of all possible options?

I think people can’t answer why they do this because it’s not a conscious decision. They don’t wake up in the morning and decide yes, this is how I’m going to interact with online accounts today! Instead, this is a process that has coalesced over time and become rote. It offers a guaranteed, repeatable, low-effort solution (of sorts) to passphrases they don’t need to think about (there’s those brackets again).

It makes me wonder if we’re looking at a bunch of these issues backwards, and whether we can take advantage of people’s tendencies towards learned behaviour like this. What if we could somehow design systems so that the people who use them evolve to use them in better ways? Because I do empathise with people that often improved security comes with more barriers and friction, not fewer.
