Why is logging into anything such a pain in the ass?

Logging into apps or websites is one of our most-repeated digital activities, a sacred handshake between internet and user that says "I'm me, please let me in." To my disappointment, at some point in the last few years we reached a point where logging in wasn't a matter of extending your hand and completing a simple gesture, but instead a contorted, unpredictable dance of arbitrary tasks, email checking, and infantilizing captchas that can vary widely from app to app.

The cumulative cognitive and time burden of logging in is no longer insignificant. A 2020 World Economic Forum whitepaper claimed that "employees worldwide spend an average of 11 hours each year entering or resetting their password." Even in an era when password managers can do the heavy lifting of remembering, they themselves are another layer that needs to be manipulated, tended to, and that can break.

Here's an Input Gulag I recently served time in while naively attempting to log into a website on my mobile device:

1. Pull up the website on my phone's browser
2. It doesn't remember me, despite clicking "Remember me" each time
3. Click to log in
4. Prompted to log into my password manager for the day
5. Face ID on phone
6. Click the drop-down to auto-fill password, but auto-fill doesn't work
7. Separately pull up the password manager extension app
8. Face ID on phone
9. Search for the stored credentials for this website, find the correct login
10. Copy username, return to browser, paste, return to password app
11. Copy password, return to browser, paste
12. Click log in
13. Wait for 2FA text message to arrive
14. Enter 2FA
15. Logged in

Earlier this year, my credit union began asking me every 30 days to use a webcam to scan my face—but only when logging in on desktop, not on mobile. (On top of that—and I can't see how this is possibly necessary after I've provided a 3D scan of my face—it asks me to answer a security question.) My financial management website runs a captcha on the login page that automatically runs and fails about 75 percent of the time, prohibiting me from logging in. I solve this by reloading the page an unpredictable number of times.

Even smaller websites can employ exotic login methods. The platform that the talented folks at 404 Media use, bless them, requires no password at all, but asks me to retrieve a new email from my inbox and click on a confirmation link order to log in, after which it's stored for a time as a cookie.

Why can't the tech industry streamline something as ubiquitous as logging in?

Your personal digital moat

Logins are designed to mitigate the range of attacks and social engineering that bad actors employ in 2025. And more recently, some of my sources mentioned that AI agents are now being used to scale fraudulent online activities.

"'Burdensome logins' are largely due to the result of a concept called 'Zero Trust' becoming mainstream," says Mino Kim, founder at CareerSimulator. "Malicious until proven otherwise. If I assume you're malicious, I need you to prove you're legitimate. That proof often takes the form of authentication steps like biometrics, verification codes, CAPTCHAs, email confirmations, and other identity checks. To put it simply, this friction is there to try and make the internet safer."

"It's a reflection of the growing attacks focused on authentication," said Roger Grimes, a data-driven defense evangelist at cybersecurity firm KnowBe4. "To fight that problem, every website is being forced to implement more login authentication checks. It may be burdensome for the user, but if the user's account gets stolen (millions of innocent user accounts are stolen every day and the impacted user rarely gets it back), they will have service interruption to the site or game they are trying to play.

"Be assured that websites and gaming services aren't annoying their customers without a good reason. Not a single 'annoyance' was enacted without the vendor suffering some bad outcome because they didn't have the 'annoyance' in place beforehand. The pain happens, then the fix."

Far from an exception to the wider internet, gaming has become a particularly attractive target of account thieves, says Oleg Naumenko, CEO and co-founder at Hideez, a company that creates physical authenticator keys. "The main reason logins are such a headache now is that gaming accounts are worth real money. Hackers are after gamers' libraries and any valuable in-game items they can flip on the side, so all those extra security hoops are a direct response to that threat."

I was unsettled to learn that my Steam account is more valuable than my bank account. Bolstered by 17 years of redeeming keys provided to press, the value of all my games is $48,625. Do you think that Valve CEO Gabe Newell has changed his password since he famously gave it out live on stage in 2011, in a stunt demonstration of Steam's new Steam Guard authentication? (It's "MoolyFTW" if you want to give it a shot.)

The extravagant lie of "Remember me"

Of particular annoyance are web or app logins that pledge to remember your details, but do so irregularly. The Epic Games Store, the gateway to Fortnite and Rocket League, is especially guilty of this, and being an external launcher, a password manager doesn't integrate with it.

"Most users think it's permanent. It's not. That check box traditionally depends on a browser cookie, and that browser cookie goes away when you clear things from your cache, when your session times out, or when the site updates the security settings," says Anar Israfilov, CEO at Cyberoon Enterprise.

There are also legal restrictions around how long these details can be stored, particularly under GDPR or in certain US states, like California's CCPA.

Your own settings can unknowingly get in the way of the "Remember me" promise being fulfilled. "[It] can be several things," adds Kim. "Authentication cookies not being saved properly by certain browsers (privacy settings), short expiration windows (your login is being remembered, but only for X amount of days), or there is simply a bug in the code."

Even if implanted biometric devices were to become mainstream tomorrow, I don't think we'll ever live in a world where logging in is as easy as walking through an open door. Passkeys are the latest invention of the cybersecurity sector, password replacements that are more secure and theoretically a bit easier to use, when offered. But they still require the step of authentication to another device, and as a post on /r/cybersecurity commented earlier this year, "A stolen passkey from a compromised password manager would be hacker gold since they bypass the need for both passwords and MFA/2FA or SMS or email assisted authentication."