Authentication
The complete authentication flow — login, signup, password reset, 2FA, and session management — designed to be secure without being a barrier.
What is it?
Authentication is the end-to-end system by which users prove their identity to access a product. It encompasses account creation, login, password management, multi-factor authentication, social login (SSO), and session handling. Authentication is a trust-critical flow — it must be secure without being a barrier to legitimate users.
Why it matters
Authentication is the first experience every user has with your product. Friction here directly reduces activation rates. Poor authentication also creates security vulnerabilities that can destroy user trust through data breaches. The balance between security and usability is the central design challenge.
Best Practices
- Offer SSO (Google, GitHub, Apple Sign In). The identity provider handles credential storage, MFA and breach response, so you hold no password for those users and they have one less password to reuse.
- Magic links (passwordless) remove the password entirely, which eliminates weak and reused passwords, and they are lower friction for most users. Security then rests on the user's mailbox, so links must be single-use, short-lived and never written to logs: a stolen link is a stolen login.
- 2FA should be offered and encouraged, but not mandatory for low-risk applications. Prefer TOTP apps, security keys or passkeys; SMS codes are the weakest option (SIM swap, interception) and should be a fallback at most.
- Password requirements should be shown during creation, not only on failure.
- Session length: balance security and usability. "Remember me for 30 days" is appropriate for most consumer products; still issue a fresh session ID at login and require re-authentication for sensitive actions (changing email or password, payments).
- Forgot password flow: ask only for email, send a time-limited, single-use reset link, confirm when sent, and invalidate other active sessions once the password has changed.
- Don't confirm email existence on forgot password: "If an account exists, a reset email was sent." Use the same wording, and the same response time, whether or not the address is known.
- Failed login attempts: throttle with increasing delays or a short temporary lock after 5–10 attempts, not after 3 (too aggressive). Avoid permanent lockouts, which let anyone lock a victim out by guessing wrong on purpose.
- Session management: allow users to see and terminate active sessions.
- OAuth flows must redirect back to the original destination after login. Store that destination server-side and accept only same-site relative paths; a user-controlled return URL is an open redirect that phishers will happily use.
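The forgot-password flow described in the list above (time-limited, single-use link; identical reply whether or not the address exists) as an added Python example. This is illustrative code written for this page, not the code of any product mentioned here. The in-memory user table, the captured outbox, the 15-minute window and the PBKDF2 cost are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60   # assumption: reset links expire after 15 minutes
PBKDF2_ROUNDS = 600_000       # assumption: tune to your hardware
GENERIC_REPLY = "If an account exists for that address, a reset email has been sent."

# Constructed in-memory stand-ins for a database and a mail queue (not real data).
USERS = {"alice@example.com": {"id": 1, "pw_salt": None, "pw_hash": None}}
RESET_TOKENS = {}   # sha256(token) -> {"user_id": ..., "expires_at": ...}
OUTBOX = []         # "sent" emails are captured here so the flow runs offline
DUMMY_SALT = secrets.token_bytes(16)   # used to equalise timing for unknown users


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random per-user salt; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def _token_key(token):
    """Store only a hash of the token so a leaked table cannot be replayed as links."""
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email, now=None):
    """Step 1: accept an email, send a link if the account is known, reply identically either way."""
    now = time.time() if now is None else now
    user = USERS.get(email.strip().lower())
    if user is not None:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        RESET_TOKENS[_token_key(token)] = {
            "user_id": user["id"],
            "expires_at": now + RESET_TTL_SECONDS,
        }
        OUTBOX.append({"to": email, "link": f"https://app.example/reset?token={token}"})
    # The reply never depends on whether `user` was found: nothing to enumerate.
    return GENERIC_REPLY


def consume_reset(token, new_password, now=None):
    """Step 2: the token must exist and be unexpired, and it is burned on first use."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.pop(_token_key(token), None)   # pop: single use, even if expired
    if record is None or record["expires_at"] < now:
        return False
    for user in USERS.values():
        if user["id"] == record["user_id"]:
            user["pw_salt"], user["pw_hash"] = hash_password(new_password)
            return True
    return False


def verify_login(email, password):
    """Check a password against the stored digest in constant time."""
    user = USERS.get(email.strip().lower())
    if user is None or user["pw_hash"] is None:
        hash_password(password, DUMMY_SALT)   # burn the same time, so timing does not reveal existence
        return False
    _, digest = hash_password(password, user["pw_salt"])
    return hmac.compare_digest(digest, user["pw_hash"])


if __name__ == "__main__":
    print(request_reset("nobody@example.com"))   # same text as for a known user
    print(request_reset("alice@example.com"))
    token = OUTBOX[-1]["link"].split("token=", 1)[1]
    print("reset ok:", consume_reset(token, "correct horse battery staple"))
    print("replay ok:", consume_reset(token, "something else"))   # False: single use
    print("login ok:", verify_login("alice@example.com", "correct horse battery staple"))
```

In production the email send should be queued rather than performed inline, otherwise the known-user branch takes measurably longer and the response time leaks what the wording hides.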
Common Mistakes
- No SSO options — forcing password-only authentication.
- Password requirements that are only revealed on failure.
- Forgot password that reveals account existence: "No account found with that email."
- Locking accounts after 3 failed attempts — too aggressive, blocks legitimate users.
- No 2FA option for users who want it.
- Session expiry without warning — users lose unsaved work when suddenly logged out.
- OAuth flows that don't redirect back to the page the user was on.
- Requiring email verification before allowing any product access delays the aha moment. Let users in, and gate only the actions that need a confirmed address (invites, billing, password reset).
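Sending the user back to the page they started on (the OAuth item in the list above) is also where open redirects creep in. The Python example below is added for this page and is not the code of any product or provider mentioned here: it stores the intended destination server-side under the OAuth `state` value and only ever redirects to a same-site relative path. The provider URL, client ID and callback URL are placeholders.

```python
import secrets
from urllib.parse import urlencode, urlsplit

# Assumed placeholders, not a real provider or client registration.
AUTHORIZE_URL = "https://idp.example/oauth/authorize"
CLIENT_ID = "demo-client"
CALLBACK_URL = "https://app.example/auth/callback"

PENDING = {}   # state -> return path; stands in for a server-side session store


def safe_return_path(candidate, default="/"):
    """Accept only a relative, same-site path; anything else falls back to `default`.

    Rejects absolute URLs (https://evil.example), scheme-relative ones
    (//evil.example, ///evil.example), backslash variants that browsers
    normalise to // (/\\evil.example), scheme-only values (javascript:...)
    and CR/LF, which would allow header injection in the Location header.
    """
    if not candidate:
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    if any(ch in candidate for ch in "\\\r\n"):
        return default
    return candidate


def begin_login(return_to):
    """Start the OAuth flow: remember where to send the user afterwards, keyed by state."""
    state = secrets.token_urlsafe(32)               # unguessable; doubles as the CSRF token
    PENDING[state] = safe_return_path(return_to)    # validate on the way in, not only on the way out
    query = urlencode({
        "client_id": CLIENT_ID,
        "redirect_uri": CALLBACK_URL,
        "response_type": "code",
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def finish_login(returned_state):
    """Callback: a state we never issued, or one already used, is rejected (returns None)."""
    return PENDING.pop(returned_state, None)


if __name__ == "__main__":
    url = begin_login("/projects/42")
    state = url.split("state=", 1)[1]
    print(url)
    print("redirect to:", finish_login(state))           # /projects/42
    print("replayed state:", finish_login(state))        # None
    print("phishing target:", safe_return_path("https://evil.example/"))   # /
```

Because the destination travels in the server-side store rather than in the callback URL, the attacker-controlled part of the flow (the `state` value that comes back from the provider) can only select a path you already validated, never supply one.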
Research & Theory
NIST Digital Identity Guidelines (SP 800-63)
NIST SP 800-63B recommends against forced periodic password changes, against composition rules (required digits, symbols, mixed case) because they push users toward predictable patterns, and against SMS as the sole 2FA method (SMS one-time codes are a "restricted" authenticator because of SIM-swap and interception risk). What it does call for: a minimum of 8 characters, allowing at least 64, accepting spaces and all printable characters, and screening every new password against lists of known-breached and commonly used values.
Why it's relevant
Modern authentication best practices are counterintuitive to traditional security thinking: a long, memorable passphrase screened against breached-password lists beats a short, complex password rotated every 90 days, because forced complexity and rotation produce predictable patterns (Password1, Password2) rather than entropy.
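A password check that follows the SP 800-63B guidance summarised above, as an added Python example written for this page (not code from NIST or from any product described here). The breached-password set is a tiny constructed stand-in; a real deployment would query a full corpus such as a Have I Been Pwned export or its range API. The 64-character cap is an assumption on top of the guideline's "allow at least 64".

```python
import unicodedata

MIN_LEN = 8    # SP 800-63B: verifiers require at least 8 characters
MAX_LEN = 64   # SP 800-63B: allow at least 64; enforcing exactly 64 as the cap is an assumption

# Constructed stand-in for a breached-password corpus (not real breach data).
BREACHED = {"password", "password1", "123456", "12345678", "qwerty123", "letmein", "iloveyou"}


def _is_sequential(pw):
    """True for runs such as 'abcdefgh', '87654321' or 'aaaaaaaa' (constant code-point step)."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(pw) >= 4 and len(steps) == 1 and steps <= {-1, 0, 1}


def check_password(candidate, username="", email=""):
    """Return the list of problems to show the user; an empty list means acceptable.

    Length is the only hard requirement; spaces and any printable character are
    allowed; there are no composition rules and no rotation. Candidates are
    screened against breached, context-specific and trivial values instead.
    """
    pw = unicodedata.normalize("NFKC", candidate)   # normalise Unicode before measuring or hashing
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"Use at least {MIN_LEN} characters (a phrase with spaces is fine)")
    if len(pw) > MAX_LEN:
        problems.append(f"Use at most {MAX_LEN} characters")
    if pw.lower() in BREACHED:
        problems.append("That password has appeared in a data breach; choose another")
    context = {username.lower(), email.split("@")[0].lower()} - {""}
    if any(len(c) >= 4 and c in pw.lower() for c in context):
        problems.append("Don't include your username or email address")
    if _is_sequential(pw):
        problems.append("Avoid repeated or sequential characters")
    return problems


def requirements_hint():
    """The rules to display on the signup form before the user types anything."""
    return [
        f"{MIN_LEN} to {MAX_LEN} characters; spaces and any symbols are allowed",
        "Not a password found in known breaches",
        "Not your username, email address, or a simple sequence",
    ]


if __name__ == "__main__":
    for line in requirements_hint():
        print("-", line)
    for pw in ("correct horse battery staple", "Password1", "abcdefgh", "short"):
        print(repr(pw), "->", check_password(pw) or "ok")
```

Showing `requirements_hint()` on the form and `check_password()` as the user types is what turns "requirements only revealed on failure" into the up-front feedback the Best Practices list asks for.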
Real-World Examples
Linear
Google SSO primary. Email magic link secondary. No password. Session stays active for extended periods. Clean, modern authentication that respects users' time.
GitHub
SSO, email/password, passkeys, and 2FA with TOTP or security key. Active sessions list in settings. The most comprehensive authentication UX in developer tools.
Notion
Google SSO leads. Email magic link. Simple, low-friction, secure. No passwords required for the majority of users.