Sunday, August 18, 2019

The Log-in Superposition

Traditionally, a site has exactly two states: you are either logged in, or you are not. Everyone gets the same site when they are not logged in, and everyone gets their own version of the site when they are. Recently, I have noticed some websites taking another approach and introducing a third state that is a middle ground: not entirely logged in, but also not entirely logged out.

When I say I noticed this recently, I actually mean that I noticed it a while back. In fact, I noticed the same thing on two completely separate sites, and one of them seems to have stopped using this paradigm. I just never got around to writing about it. I still think it's an interesting approach, so that's why I'm writing about it now.

As a brief interlude, let me quickly explain the title of this post. Superposition is a term from quantum mechanics. A system has a set of discrete states, but until it is measured it is described as a combination of those states, each with its own probability. You only ever observe one of the discrete states, yet it can be shown that before the measurement the system was not in any single one of them, but in a superposition of all of them. It's a very complex thing to wrap your mind around and it doesn't entirely fit here, but I still thought it was a fun thing to make a quick nod at.

So, what is this third state? It's the state where the site thinks it knows who you are, but does not trust that to be the absolute truth. In this state, everyone gets their own version of the site, which may contain things like an unread message count or a quick menu of the items you most recently interacted with, but it does not let you read your messages, reply to them, or see the full history of items you interacted with. When you reach a part of the website where you can do these things, you are prompted for your password, often with your email address not editable but with a "this is not me" link, because the site does imply it knows who you are.

Basically, it's a risk-mitigation strategy. The site allows you some of the convenience of being remembered, but recognizes that there is risk in doing that: whatever token remembers you can be stolen or abused. Compromising only that partial state is of limited value, though, because it would not let the attacker see much information about the user or take actions on their behalf.
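As an added example that is not from the post or from any of the sites it describes, here is how the three states, the action policy, and the password prompt from the two preceding paragraphs could be modelled on the server. It assumes a long-lived "remember me" cookie that only identifies the account, a short-lived session cookie issued when the password is entered, and a policy table mapping actions to the state they require; the user store, action names, lifetimes and PBKDF2 parameters are all constructed for the illustration.

```python
"""Two-tier login state: a long-lived "remember me" token that only identifies
the user, plus a short-lived session that proves the password was entered
recently.  Constructed illustration of the pattern described in the post; the
names, lifetimes and policy table are assumptions, not any real site's design."""
import hashlib
import hmac
import secrets
from enum import Enum


class LoginState(Enum):
    ANONYMOUS = 1       # no usable cookie at all
    RECOGNIZED = 2      # remember-me token only: identity is a hint, not proof
    AUTHENTICATED = 3   # password entered within SESSION_TTL seconds


SESSION_TTL = 15 * 60            # step-up session lifetime (assumption)
REMEMBER_TTL = 90 * 24 * 3600    # remember-me token lifetime (assumption)

# Which state each action requires.  Anything that exposes or changes user
# data needs the password to have been entered recently; the cheap
# personalisation (counts, recent items) is available to a recognised user.
POLICY = {
    "show_unread_count": LoginState.RECOGNIZED,
    "show_recent_items": LoginState.RECOGNIZED,
    "read_messages": LoginState.AUTHENTICATED,
    "reply_message": LoginState.AUTHENTICATED,
    "change_password": LoginState.AUTHENTICATED,
}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: {user_id: (salt, pbkdf2_hash)}
_SALT = b"constructed-salt-0001"
USERS = {"alice@example.com": (_SALT, _hash_password("correct horse", _SALT))}

# Server-side stores keyed by a hash of the cookie value, so a leaked
# database does not hand out usable cookies.
REMEMBER_TOKENS = {}   # sha256(token) -> (user_id, expires_at)
SESSIONS = {}          # sha256(token) -> (user_id, expires_at)


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_remember_token(user_id: str, now: float) -> str:
    """Called after a full login when the user ticks "remember me"."""
    token = secrets.token_urlsafe(32)
    REMEMBER_TOKENS[_digest(token)] = (user_id, now + REMEMBER_TTL)
    return token


def _lookup(store: dict, token, now: float):
    entry = store.get(_digest(token)) if token else None
    if entry is None or entry[1] <= now:
        return None
    return entry[0]


def classify(cookies: dict, now: float):
    """Return (state, user_id) for a request: trust the short-lived session
    first, fall back to the remember-me token, else anonymous."""
    user = _lookup(SESSIONS, cookies.get("session"), now)
    if user:
        return LoginState.AUTHENTICATED, user
    user = _lookup(REMEMBER_TOKENS, cookies.get("remember"), now)
    if user:
        return LoginState.RECOGNIZED, user
    return LoginState.ANONYMOUS, None


def authorize(state: LoginState, action: str) -> bool:
    """Unknown actions are denied; known ones need at least the listed state."""
    required = POLICY.get(action)
    return required is not None and state.value >= required.value


def step_up(cookies: dict, password: str, now: float):
    """The password prompt shown to a recognised user.  The identity comes
    from the remember-me token, which is why the email field is read-only.
    Returns a new session cookie value, or None if the password is wrong or
    the request is anonymous (those users need the full login form)."""
    state, user = classify(cookies, now)
    if state is LoginState.ANONYMOUS:
        return None
    salt, expected = USERS[user]
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[_digest(token)] = (user, now + SESSION_TTL)
    return token


def forget(cookies: dict) -> None:
    """The "this is not me" link: revoke the remember-me token server side."""
    token = cookies.get("remember")
    if token:
        REMEMBER_TOKENS.pop(_digest(token), None)


if __name__ == "__main__":
    now = 1_000_000.0
    remember = issue_remember_token("alice@example.com", now)
    print(classify({"remember": remember}, now))            # RECOGNIZED
    print(authorize(LoginState.RECOGNIZED, "read_messages"))  # False
    session = step_up({"remember": remember}, "correct horse", now)
    print(classify({"remember": remember, "session": session}, now))  # AUTHENTICATED
```

The point of the split is visible in `authorize`: someone who only holds the `remember` cookie lands in `RECOGNIZED` and can fetch nothing beyond the personalised chrome, and `forget` makes that cookie worthless server side rather than merely clearing it in the browser. Both cookies would still need the usual `Secure` and `HttpOnly` flags, and the session cookie should be rotated whenever `step_up` succeeds.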

At the end of the day, I'm not entirely sure whether I think this is a good strategy. I think the added convenience is often limited because you'll end up needing to provide your password after all most of the time. Nevertheless, I think it's very interesting. And in a way, it's pretty similar to requiring the current password to set a new one. If I see a good opportunity for doing so, I might implement this myself. Then again, I also might not.
