Checklist
Authentication
1. How do we ensure that authentication/security don't stand in the way of usability?
2. Do we prioritize usability against security in our UI, or the other way around?
3. What are the more sensitive areas which require a more strict authentication?
4. In which situations will we prompt users to authenticate themselves?
5. What password requirements do we want to implement?
6. What authentication method do we want to prioritize for signing in? Login/password, login/passphrase, 2-factor-authentication, social media sign-in, magic link sign-in, biometric input (mobile), other?
7. Can we avoid asking users to verify their email immediately, and ask on the review page or success page instead?
8. Can we avoid asking users to verify their password and use the show/hide pattern instead?
9. Can we provide a live password requirement checklist (showing, as the user types, which requirements are still unmet)?
10. Can we ask for a passphrase instead of a password?
11. How do we explain passphrases and 2-factor-authentication in our UI?
12. Can we replace security questions with a 2-factor-authentication?
13. For 2-factor-auth, can we complement the SMS option with a QR code, an authenticator app, or email?
14. Can we reward customers for using 2-factor-auth (discount, free month, etc.)?
15. Do we provide a social media sign-in? If yes, what services do we support? What permissions do they get?
16. Do we have a spam prevention strategy in place?
17. Do we really need CAPTCHA, or can we use a honeypot field plus a time trap instead?
18. Can we set a long cookie expiry date to avoid frequent sign-ins?
19. Can we set a long cookie expiry date for quick checkouts (like 1-click-checkout)?
20. When is the right time and place to ask for permissions (location/camera, etc.)?
21. Can we authenticate users by asking for a phone number and sending a code as a text message?
22. How do we design and build a password recovery experience?
23. Do we limit how often password recovery can be requested within a given period?
24. Do we enable customers to merge multiple accounts (social sign-in, email, like Medium does)?
25. If not, can we place a cookie and remind customers which method they signed in with last time?
26. How do we prevent customers from using insecure passwords?
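Items 9, 10, 11 and 26 above (live requirement checklist, passphrases, blocking insecure passwords) can be served by one piece of validation logic. The following is an added example, not code from the checklist's author: it evaluates a candidate secret against a hypothetical policy (a 16+ character passphrase is accepted on length alone; otherwise 8+ characters with mixed case, a digit and a symbol; nothing on a constructed denylist of common passwords is accepted) and returns one entry per requirement so a form can render the checklist live. The policy thresholds, the denylist contents and the field id `secret-input` are assumptions.

```javascript
// Added example: live password/passphrase requirement checker for a sign-up form.
// Policy below is an assumption for illustration, not a recommendation from the checklist.
const MIN_PASSWORD_LENGTH = 8;     // assumed minimum for a complexity-based password
const MIN_PASSPHRASE_LENGTH = 16;  // assumed minimum for a passphrase accepted on length alone

// Constructed sample denylist; a real deployment would load a large breached-password list.
const COMMON_PASSWORDS = new Set([
  "password", "123456", "qwerty", "letmein", "welcome1",
  "correct horse battery staple",
]);

// Denylist lookups are case-insensitive and ignore repeated whitespace,
// so "Welcome1" and "welcome1" are treated the same.
function normalize(pw) {
  return pw.toLowerCase().replace(/\s+/g, " ").trim();
}

// Evaluates a candidate secret and returns the per-requirement results
// plus an overall verdict; the "mode" tells the UI which rule set applied.
function evaluateSecret(pw) {
  const checks = {
    notCommon: !COMMON_PASSWORDS.has(normalize(pw)),
    passphraseLength: pw.length >= MIN_PASSPHRASE_LENGTH,
    minLength: pw.length >= MIN_PASSWORD_LENGTH,
    hasUpper: /[A-Z]/.test(pw),
    hasLower: /[a-z]/.test(pw),
    hasDigit: /[0-9]/.test(pw),
    hasSymbol: /[^A-Za-z0-9\s]/.test(pw),
  };
  const complexityMet =
    checks.minLength && checks.hasUpper && checks.hasLower && checks.hasDigit && checks.hasSymbol;
  // A long passphrase does not need the character-class rules; a common one is always rejected.
  const acceptable = checks.notCommon && (checks.passphraseLength || complexityMet);
  return {
    acceptable,
    mode: checks.passphraseLength ? "passphrase" : "password",
    checks,
  };
}

// Renders the checklist as text lines, in the order a form would show them.
function checklistLines(pw) {
  const r = evaluateSecret(pw);
  const mark = (ok) => (ok ? "[x]" : "[ ]");
  return [
    `${mark(r.checks.notCommon)} not a commonly used password`,
    `${mark(r.checks.passphraseLength)} at least ${MIN_PASSPHRASE_LENGTH} characters (passphrase: no other rules apply)`,
    `${mark(r.checks.minLength)} at least ${MIN_PASSWORD_LENGTH} characters`,
    `${mark(r.checks.hasUpper)} an upper-case letter`,
    `${mark(r.checks.hasLower)} a lower-case letter`,
    `${mark(r.checks.hasDigit)} a digit`,
    `${mark(r.checks.hasSymbol)} a symbol`,
  ];
}

// In a browser, update the checklist on every keystroke (hypothetical element ids).
if (typeof document !== "undefined") {
  const input = document.getElementById("secret-input");
  const list = document.getElementById("secret-checklist");
  if (input && list) {
    input.addEventListener("input", () => {
      list.textContent = checklistLines(input.value).join("\n");
    });
  }
}

module.exports = { evaluateSecret, checklistLines };
```

The same function should run again server-side on submission: the live checklist is a usability aid, and client-side checks can be bypassed, so the server must enforce the policy itself.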
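Item 17 above asks whether a honeypot field plus a time trap can replace CAPTCHA. The following is an added example of the server-side half of that approach, not code from the checklist's author: the form carries a hidden field that humans never fill in, and a signed render timestamp so the server can tell how long the form took to submit without trusting a client-supplied time. The field name `website_url`, the token field `form_token`, the thresholds and the secret are all assumptions for illustration.

```javascript
// Added example: honeypot field plus signed time trap, checked on form submission (Node.js).
const crypto = require("crypto");

const HONEYPOT_FIELD = "website_url";   // hypothetical field, hidden with CSS; humans leave it blank
const TOKEN_FIELD = "form_token";       // hypothetical hidden field carrying the signed render time
const MIN_FILL_SECONDS = 3;             // assumption: a human needs at least this long to fill the form
const MAX_FORM_AGE_SECONDS = 60 * 60;   // assumption: tokens older than an hour are stale

// Issued when the form is rendered: "<renderedAtMs>.<hmac-sha256 hex>".
// The HMAC stops a client from backdating the timestamp to defeat the time trap.
function issueFormToken(secret, renderedAtMs) {
  const ts = String(renderedAtMs);
  const mac = crypto.createHmac("sha256", secret).update(ts).digest("hex");
  return `${ts}.${mac}`;
}

// Returns the render time in ms if the token is authentic, otherwise null.
function verifyFormToken(secret, token) {
  const dot = token.indexOf(".");
  if (dot < 0) return null;
  const ts = token.slice(0, dot);
  const mac = token.slice(dot + 1);
  const expected = crypto.createHmac("sha256", secret).update(ts).digest("hex");
  const given = Buffer.from(mac, "hex");
  const want = Buffer.from(expected, "hex");
  // Constant-time comparison; a length mismatch means the token is malformed.
  if (given.length !== want.length || !crypto.timingSafeEqual(given, want)) return null;
  const n = Number(ts);
  return Number.isFinite(n) ? n : null;
}

// Evaluates a submitted form body; returns the reasons it looks automated, if any.
function assessSubmission(secret, fields, submittedAtMs) {
  const reasons = [];
  if ((fields[HONEYPOT_FIELD] || "").trim() !== "") {
    reasons.push("honeypot field filled");
  }
  const renderedAt = verifyFormToken(secret, fields[TOKEN_FIELD] || "");
  if (renderedAt === null) {
    reasons.push("missing or forged form token");
  } else {
    const elapsed = (submittedAtMs - renderedAt) / 1000;
    if (elapsed < MIN_FILL_SECONDS) reasons.push(`submitted after ${elapsed.toFixed(1)}s`);
    if (elapsed > MAX_FORM_AGE_SECONDS) reasons.push("form token expired");
  }
  return { suspicious: reasons.length > 0, reasons };
}

// Constructed walk-through: render at a fixed time, then a human and a bot submit.
function demo() {
  const secret = "constructed-server-secret";
  const renderedAt = 1700000000000;
  const token = issueFormToken(secret, renderedAt);
  const human = assessSubmission(secret, { email: "a@example.com", [TOKEN_FIELD]: token, [HONEYPOT_FIELD]: "" }, renderedAt + 12000);
  const bot = assessSubmission(secret, { email: "b@example.com", [TOKEN_FIELD]: token, [HONEYPOT_FIELD]: "http://spam.example" }, renderedAt + 500);
  return { human, bot };
}

module.exports = { issueFormToken, verifyFormToken, assessSubmission, demo };
```

A flagged submission is best handled quietly (accept the request but drop it, or queue it for review) rather than with an error message, since an error tells the submitter which signal tripped. Logging the reasons gives the team data on whether the honeypot and time trap are catching enough to keep CAPTCHA out of the flow.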