feature-request wont-fix
connectyourcharger
As an incognito user (for security reasons), every time I exit out of my incognito window, the session cookies kept by this site for logins will be cast into the void. It's probably not the best thing to use a recovery token every time I want to log in, either.

Can there be some way to log in rather than just the session cookies?
Top Answer
ffff0h
I'm not sure whether or not this qualifies as an answer, but in the name of this is Meta and it addresses the issue raised in the question, I would suggest **renaming** the "account recovery token" to something like "login key", and then correspondingly change the text on the "link" button to "log in" or something similar.

That would require minimal changes, but still present a more conventional-looking login experience and make it clearer what that GUID is actually used for in practice.

I do imagine that people would still complain that a GUID is harder to remember than `dolphins` or `password123`, though.


---
update by Jack:

We've implemented all the very sensible wording changes suggested in this post while the wider questions are discussed.
Answer #2
Jack Douglas
> It's probably not the best thing to use a recovery token every time I want to log in, either.

For your special use case, I think using the recovery token as a password is really the most sensible solution.

If someone like yourself has security reasons for using incognito sessions or clearing cookies, they probably also don't want to use ['dolphins'](https://github.com/danielmiessler/SecLists/pull/155) as a password. Long unmemorable strings of random chars are probably more what you are used to. You presumably already have a way of securing your ever-growing list of unique-per-site passwords and you can just add this to the list :)

Practically it just means hitting 'link' every time you want to log in and pasting in your recovery token [from the Windows clipboard ring](/transcript?room=2&id=5660#c5660) or whatever ;)

It's also possible to [use a userscript](https://topanswers.xyz/meta?q=464#a502) to reinject your device cookie automatically — but I don't know if that would work for you in incognito?
Can we implement passwords?
Jack Douglas
@ffff0h I've made an update to your answer to indicate we've released the changes you suggested. Feel free to roll back or edit into your own words of course. Thanks again for the post!
Monica
(And maybe more than just the last couple months, of course.  But it came to a head.)
Monica
I want the SE communities that have been damaged by the company in the last couple months to be able to reconvene elsewhere.
Monica replying to Jack Douglas
If we have most of the same goals (as I think we do), I really want to find a way for us to work together instead of two teams going off and building things independently.
Monica
I'd also be interested in hearing your thoughts on how well our [MVP requirements](https://github.com/codidact/docs/wiki/Requirements:-MVP) and (emerging) [functional spec](https://github.com/codidact/docs/wiki/Functional-Specification) align with your goals.
Jack Douglas
thanks for the invitation
Jack Douglas replying to Monica
I will definitely do that
Monica replying to Jack Douglas
Please feel free to add your thoughts there!
Monica replying to Jack Douglas
True, but then I started talking about profiles and UX in general and accessibility and stuff.
Jack Douglas replying to Monica
I find the new responses there interesting, thanks for linking
Jack Douglas replying to Monica
well, most of the conversation has been about passwords
Monica
(Which means I'll never find this conversation if I'm looking for it later.)
Monica
And a downside of how chat works here -- I hadn't noticed for the last several messages that we're having this conversation in a question room and not the main room where I'd intended.  Oops.
Monica
I brought TopAnswers up on the Codidact forum, because I'd really like to see the two projects converge instead of ending up with two Q&A sites, but I'm not sure what traction I'll get.  https://forum.codidact.org/t/should-we-join-forces-with-topanswers/330/17
Monica replying to Jack Douglas
I noticed that the "comment" link sends you to chat.  When I saw the link I wondered what the difference was between comments and chat. :-)
Monica replying to Jack Douglas
Oh interesting; the reply arrow has a tooltip but the others don't.  Anyway, I'm no accessibility expert, just an afflicted user, but WCAG guidelines are a place to start.  Contrast and color choice are important (those seem fine here so far), icons are very small and I don't know what they suggest there, and some of your link text is very small and hard to read.
Jack Douglas
still not liked by all though, but I guess nothing will ever be
Jack Douglas
that is working out even better than my best hope
Monica
And I really like the idea of chat linked to questions right from the start.
Monica
But we need to keep our community together and chat is essential for that.
Monica replying to Jack Douglas
I think for Writing, Q&A and profile (meaning links to your stuff, mainly) are priorities, and a login interface people can grok easily, and chat after that.
Jack Douglas replying to Monica
we could really use input from an accessibility expert at some point
Jack Douglas
no I'm afraid not
Monica replying to Jack Douglas
The chat seems well-developed, yes.  (Modulo those teeny tiny controls with no tooltips. :-) )
Monica replying to Jack Douglas
Yes, please.  I assume you didn't write functional specs or mockups or the like first that people can consult?
Monica replying to Jack Douglas
Someone was just asking me a few hours ago what your stack is and I couldn't find a repo, yeah.
Jack Douglas
the fringe stuff is way behind
Jack Douglas
q&a is catching up
Jack Douglas
fyi quite a lot of effort has gone into the chat experience
Jack Douglas
We should probably label each part of the site "this looks the way we intend it to look" "this is not much more than a functional holding design" just so the difference is clear to newcomers
Jack Douglas
but I don't think that will be long
Jack Douglas
getting the source on GitLab or wherever probably needs to come first
Jack Douglas
we'd like to get more people involved in development
Jack Douglas replying to Monica
heh
Monica
Um, would you accept contributions from a UI designer/front-end person if I can scare one up? :-)
Monica replying to Jack Douglas
Oh I see -- I saw the drop-down and didn't notice the containing box/label.  (I also just created activity on DB so I'd have a second section.)
Jack Douglas
![Screenshot 2019-12-01 at 23.28.45.png](/image?hash=fd34fb2d232bc7a6e5eefc2042460eadb6ab99bf7fe7203b13ef775cc0e95a6d)
Jack Douglas replying to Monica
do you get drop-downs with choice of fonts?
Jack Douglas
as soon as you ask/answer/vote/chat in another community there will be another section there in the profile
Jack Douglas replying to Monica
correct
Monica
I don't see a meta section.  I don't see any sections.
Monica replying to Jack Douglas
But things done in one community won't grant status in another, right?  If rep is per-site then presumably not.
Jack Douglas replying to Monica
it should be at the bottom but you will only see sections for the communities you have participated in, so you might only see a 'meta' section at the moment
Jack Douglas
there is a closer linkage between sites/communities here than on SE, but I want to make people feel like they can stay in one community and ignore the rest very easily if they want to
Monica replying to Jack Douglas
Oh, I didn't realize.  I don't see any community sub-sections; when I click on my profile link (i.e. my gravatar) I see only the page where I can change settings and get tokens/PINs.  Is there another profile page?
Jack Douglas replying to Monica
yes, per-site
Jack Douglas replying to Monica
it's global — there are community sub-sections at the bottom now to select fonts
Monica
Rep is per-site, right?  That can't be global or having several diverse sites here won't work.
Monica replying to Jack Douglas
Is the profile global?  I thought I had a profile on meta and I would have a different (linked) profile on Databases if I had any activity there.
Jack Douglas
(though I guess matching 'meta' might make sense…)
Jack Douglas replying to Monica
interesting question, what theme colour should the profile page be? That alone is a blocker right now!
Monica replying to Jack Douglas
Oh!  Yes, that would help.
Jack Douglas replying to Monica
I don't mean that — I mean visit TA on your phone and link with PIN from desktop, then go to work with phone and do the reverse there, that kind of thing
Monica replying to Jack Douglas
I don't need "lovely"; I'm hoping for "looks like part of the same site". :-)  (Though, also, I *really* want links to my own activity, not just a settings page.)
Monica replying to Jack Douglas
But then you're collecting a phone number to send SMS, right?  Is that better than an email address?
Jack Douglas
one day it will look lovely
Jack Douglas
the profile page is…  
'functional'
Jack Douglas replying to Monica
yes :)
Monica
BTW, small thing -- there's no site-based navigation from the profile page back to Q&A; you have to use the browser back button.  Presumably on the to-do list?
Jack Douglas replying to Monica
absolutely, 'yes' to all of that — it's all a plain win
Jack Douglas
I'm guessing the vast majority of casual users will have a smartphone. If we can make linking using that easy enough, the benefits of being passwordless may just outweigh the benefits of having them. I am not saying I know that for sure
Monica
It might suffice to put much better guidance around the whole account-creation/login/use-other-devices pattern -- better naming of things in the UI, clear direction when you first create the account to save that code somewhere, maybe even a way to generate some one-time codes that you wouldn't mind emailing to yourself.  Right now it seems kind of cryptic, is all.
Jack Douglas
:)
Monica
Yeah, handing over new data isn't wise. :-)
Monica
Yeah, there are a lot of bad passwords and sloppy users out there.  I get that.
Jack Douglas
(not that I'd suggest anyone actually does that with a current password mind)
Jack Douglas
many people would get a shock if they type their password into https://haveibeenpwned.com/Passwords
Jack Douglas
I'm guessing the problem with compromised accounts will be significantly better here too
Jack Douglas
and that in part is due to the lack of passwords
Jack Douglas
for example, the sign up process is *really* easy on TA
Jack Douglas
just that it's easy to apply the wrong solution without enough data
Jack Douglas
I'm not saying there is not a problem though…
Jack Douglas replying to Monica
true, though PINs in the form of one-time-passcodes are getting very common as 2FA which a lot of people are finding themselves pressed into
Monica replying to Jack Douglas
Well, a phone was my example, but it could just as easily be a tablet or a different computer, both of which I use regularly, too.  I'm just saying that "go get recovery code (or PIN), click 'link' on the other device, and paste in that code" is pretty unusual as a login experience.
Jack Douglas
thanks both!
Jack Douglas
@ffff0h that makes a lot of sense I think
Jack Douglas replying to Monica
possibly, but I think we need to consider it after the mobile interface is improved to the point where it is *easy* for everyone with a linked phone to access their PIN
Monica
@ffff0h I was completely thrown off by the "link" term in the UI and had to ask how to log in on another device.
Monica replying to Paul White
Just from what we've seen already here on meta and what I've heard from just the couple users from Writing I've been talking with, people are *really* going to be looking for passwords they can remember, not arbitrary codes that are handed out.  At least as an option?  I mean, if recovery codes and PINs are better and security-focused people know that, they'll use them.  But can we please have a way for the next tier down of users to have a conventional login experience?
Monica replying to Paul White
Recovery code works for that.  I thought I was supposed to use the PIN, which doesn't.  So recovery code it is, then.
connectyourcharger
@Jack Nice. Obviously I wasn't aware of the link feature beforehand, but it is relatively convenient. I still think that custom passwords should be a thing, but I guess I'll live with it for now in the name of security.
Paul White
I don't know how hard adding a password would be.  
I think the objection is more around security than difficulty.
Paul White replying to Monica
Take the recovery code with you on your phone?
Monica
I'm going to run into a problem with that on Monday, when I'm going to want to access the site from my work computer but won't have it in proximity to my home computer.  (I don't know if I can use my phone as an intermediary; the site renders badly on my phone.)  How hard is it to have a password?
Paul White
There might well be changes to the way profiles work as time goes on. We're very much still in alpha here.
Paul White replying to Monica
You can use the "link another device/browser to this account" section in your profile to link an account across devices as a one-off operation. Recovery is only needed if you clear cookies. I have been using one account for Windows and mobile access for weeks now.
Monica
@Jack I've actually just heard from one of the Writing users, who I think is less security-oriented than the asker of this question, who wants a password to facilitate logging in on different devices.  "Email the recovery token to yourself and cut/paste it on other devices" is not going over well.
Jack Douglas
@connectyourcharger pinging you to let you know I posted an answer here (post notifications have not landed yet)