Every time I see a popup login, I groan. Being a software developer in the internet security business, I am keen to notice all the third-party JavaScript (usually for tracking, remarketing or visitor analytics) included on the same home page that also contains a popup login. While these scripts appear safe or harmless, they add attack surface, and they destroy any guarantee of their integrity, because the third party can change them on a whim while your site automatically serves them to your users before you have reviewed or tested the change. In short, bad idea.
When third-party scripts are added, those scripts can take control and do whatever they want with that popup login page. Like a peeping Tom*, they can watch you type, steal your username and password, and then sell or share your credentials with bad actors. You, the innocent and trusting user, would almost never even know it is happening.
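A site owner can check a page for this exposure before shipping it. The following is an added example, not code from this post or from any vendor it names: it parses one HTML page, and if the page contains a password field it lists every script loaded from another host and whether a Subresource Integrity (`integrity`) hash pins it to reviewed content. The host names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LoginPageAudit(HTMLParser):
    """Collect password inputs and off-site <script src> tags from one page."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.has_password_field = False
        self.third_party = []  # list of (src, has_integrity_attribute)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password":
            self.has_password_field = True
        elif tag == "script" and a.get("src"):
            # Relative URLs have no hostname and therefore count as first party.
            # Exact host match is a simplification: sibling subdomains are flagged.
            host = (urlparse(a["src"]).hostname or self.site_host).lower()
            if host != self.site_host:
                self.third_party.append((a["src"], bool(a.get("integrity"))))


def audit(html, site_host):
    """Return [(script_src, status)] for off-site scripts sharing a page with a login."""
    parser = LoginPageAudit(site_host)
    parser.feed(html)
    parser.close()
    if not parser.has_password_field:
        return []  # no credentials on this page for a script to observe
    return [(src, "pinned-by-sri" if pinned else "unpinned")
            for src, pinned in parser.third_party]


# Constructed sample: a home page with a popup login and two off-site scripts.
SAMPLE_PAGE = """
<html><body>
<script src="/static/app.js"></script>
<script src="https://analytics.tracker.example/t.js"></script>
<script src="https://cdn.widgets.example/w.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<div id="login-popup"><form>
  <input type="text" name="user"><input type="password" name="pw">
</form></div>
</body></html>
"""

if __name__ == "__main__":
    for src, status in audit(SAMPLE_PAGE, "shop.example"):
        print(f"{status:14} {src}")
```

An `unpinned` result is the case described above: the third party can change what your users receive without your review. A pinned script still runs inside the page and can read the form, so the hash only guarantees that the bytes you reviewed are the bytes that run.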
If a site uses a popup login, my Spidey senses are up. I worry about their cybersecurity and wonder how they have prioritized it for me as a user. And for those websites that don’t prioritize login security, sadly, they have a higher chance of becoming one of the countless businesses that open themselves up to getting attacked. It’s a disheartening story that we read about weekly, and it’s becoming way too commonplace given the technology advances that are well underway. And while secure logins aren’t the end-all-be-all when it comes to cybersecurity, they are a giant step in the right direction.
As users, we tend to assume the websites and apps we use are secure and safe. Since the advent of passkey technology and its most recent adopters (Apple, PayPal, Google), we can now do more than assume or wonder about the level of security on applications and websites; if they offer the passkey option, you know where their priorities lie: with keeping business secure and with you!
So what do you do when the apps you use don’t have a passkey login option, or when they have the dreaded popup login? Pick up the phone or start typing an email. Let your voice be heard and tell the developers or powers that be that you want a passkey login to use their site. They want to keep you as a customer and they value your business. If enough customers speak up and request this change, they will do it.
If you own or manage a website or application that has scores of users inquiring about passkey logins, or you just want to upgrade and stand out, your choice is relatively simple: build it in-house over a period of 9-12 months, or use an authentication service like Vault Vision, which has already built a secure passkey authentication platform that will quickly and securely log your users into your site without the fear of vulnerabilities. Upgrading your login page will make you the hero and your users can rest easy.
Life will be one thousand times better and safer for everyone when popup logins and passwords are no longer used. Thanks to the FIDO Alliance, Apple, Google, and others who are following their lead, passwords and popups are officially on their farewell world tour. Get on the passkey train and prioritize the highest login security experience for yourself and for your customers. Be a passkey hero!
*Apologies for besmirching the name Tom. No offense to all the good Toms, Tommys, Thomases and T-dogs out there.