User authentication options for Shopify stores - Our experience and some advice
Paul Grieselhuber
As a Shopify store owner, you will more than likely want to allow your users to authenticate & identify themselves. Authentication serves many purposes for you as the business owner, and is the core of your ability to connect directly with your customers on a one-to-one basis.
If you are a new store owner, you may be surprised to know that authentication is a fairly deep topic with many possible approaches and styles.
If you’ve never considered authentication in any depth you may be thinking “Oh you mean the thing where I enter a username and password? I’m set.”
And you might be right. But you may not be.
Our goal with this post is to help store owners understand what the authentication options are, the effect this choice has on their capabilities and, ultimately, its impact on their success.
What we will cover in this article
As a very quick overview here is a list of the things we will and will not cover in this article regarding authentication:
User experience relating to authentication - Covered ✅
Value proposition to the business owner - Covered ✅
Security - Not covered, at least not in any real depth ❌
Why not go deep on security? While security is an important topic which we take very seriously, it is an enormous topic which deserves to be considered separately.
That out of the way, let’s get straight to the point - what is the best authentication option for your e-commerce store?
The answer, of course, is that it depends.
Considerations for Shopify store owners when choosing an authentication strategy
How your store is built will have a big impact on what your options are when it comes to auth. The two main options here are: Shopify theme or Headless store.
Authentication for stores using Shopify themes
If you use a Shopify theme, whether an off-the-shelf theme from a Shopify theme store, or alternatively a theme that a developer customized for you, then authentication is very straightforward.
In this case, you, as the store owner, don’t need to put much thought into the implementation. Generally, a Shopify theme will handle authentication via a simple username and password – tried and true…kinda.
Credentials-based authentication (i.e. username and password) is becoming more outmoded every day, because it is no longer as good at keeping accounts secure as it used to be. This means that, as time goes on, users are getting accustomed to more secure authentication methods and will eventually see credential-based auth as weird / unsafe. Once this perception hits a tipping point, it will more or less be time for everyone to ditch credentials in their e-commerce stores.
That said, in mid-2024 it’s probably still fine for very small stores that are just kicking the tires on this whole e-commerce thing.
There is, however, a major caveat here, which we will get to later.
Authentication for Headless Shopify stores
It is very likely that as your store grows it will outgrow Shopify themes - i.e. themes built on Shopify’s Liquid templating language and served directly by Shopify as “the frontend” of your store (with the Shopify admin itself being “the backend”).
And when it does, you will be heading down the path of what is known as a “Headless” store. With a Headless store, the Shopify admin will still serve as “the backend” and as “the engine” of your store (i.e. processing payments, storing products, customers, orders, etc.), while “the frontend” (i.e. product pages, buttons for users to add to cart, the cart itself) will be built on some other technology that enables more sophisticated, modern and powerful shopping experiences.
Headless stores are another enormous topic, but as they relate to authentication, the impact here is that the simple username-and-password login form you’ve been using is no longer available. At least, not that exact same form: you can still use credentials-based authentication, but your developer will have to implement it for you.
Before you decide to simply reimplement what you had previously, take the opportunity to think through the options now before you. Let’s discuss the 30,000-foot view of authentication for Headless Shopify stores.
Here again the options fall into two categories:
Implement a reference authentication package to take care of the hardest parts for you, or
Use Shopify's newish Customer Account API
We use the term "reference authentication package" here somewhat loosely, but this refers to packages such as Next-Auth (now Auth.js) and its ilk. Looking forward to the comments on this one.
It depends on the definition of “right”, right?
There can be many reasons one or the other may be right for your project, and even many definitions for "right", oddly enough.
Possible definitions for "right" that we've run into:
The lead stakeholder does not care about the security implications of his UX / UI preference, and just “wants it to be like that” – in this case, having the login form tell people whether a username exists or not, a HUGE no-no, obviously
Use One Time Passwords, obviously
Don't use One Time Passwords, obviously
You probably have noticed that to each stakeholder their perspective on how authentication should work is – you got it: obvious.
Why might one solution or another be right for your project?
People have strong opinions about how they want auth to work on their site or application due to a number of reasons.
For some people modern security policy is their top priority. Sometimes sensitivity to user sophistication is paramount. Other times low friction wins. For others it's "login forms because login forms".
You probably have your own personal preference and basis for that preference. Documenting this can be a good place to start.
We’ll spend the next section giving you the tools to challenge that assumption.
Important considerations beyond personal preference
Assuming we've settled on a definition of "right", let's discuss how to select the right authentication strategy for your Headless Shopify store.
Other considerations for authentication strategy selection include:
Will Shopify always be your e-commerce platform of choice? Are you sure?
Will you have other third-party integrations which will necessitate you having the authoritative record of "the user account" under your control and on your systems?
Does your organization's governance structure require this?
How feasible does the sophistication of your development team make it to migrate from one to another with minimal user impact at some point in the future?
How able are you (or your dev team) to address and comply with regulation concerns like GDPR in a custom implementation of the above mentioned reference packages?
There are definitely many, many more, but these are the ones that generally come up first and most frequently.
Not only that, these considerations are FAR from being it. For instance, what about UX?
UX as it relates to authentication goes much further than "how does the user log in?". For instance:
Do you need to do retargeted marketing? What you are capable of achieving with your selected strategy may impact what you are able to accomplish with these marketing efforts.
How long are sessions? Do you need to control this?
Are you OK with putting someone else (i.e. Shopify) in the driver's seat on this? You should not be unless you have fully tested a site which uses Shopify's Customer Accounts API. More on this below.
What about the checkout experience? Should users be logged in during checkout? Or is having their email address populated when they arrive at the checkout page enough?
Do you plan to do subscriptions or memberships on your site? Huge impact here.
The process of selecting an appropriate authentication strategy for a growing business is indeed nuanced. This list of considerations is obviously lengthy and perhaps daunting.
But failing to address these considerations during the planning and scope phases of your product will likely result in greater pain down the road.
This is definitely a two marshmallows type situation.
Alright, enough gibber gabber. Here is what you need to know.
Option #1: Implement a reference authentication package
Choose this option if you want one of the following as your authentication flow:
A login form with a username and password
To use a Single Sign-on service like Google, Facebook, etc.
“Magic links” - i.e. the user enters their email, a link is sent to their inbox, they click it and are logged in
Also this is the best place to touch on the caveat we mentioned above in the “Authentication for stores using Shopify themes” section.
This option is the most similar to how authentication works with a Shopify theme. It comes with the major distinction, however, of your data remaining your data. Your systems, your database, etc. are the authoritative source of the user record, not Shopify’s. This is huge when future-proofing your store for growth.
Option #2: Use Shopify’s Customer Accounts API
Choose this option if you want Shopify’s “Cadillac” authentication experience via OTP (one time passwords).
Here’s how this authentication flow works:
Your user clicks login
They are taken to a Shopify-hosted page with one field (email) and a button
They enter their email and submit
They are sent a One Time Password in the form of a 6-digit number
They come back to your site and enter this 6-digit number
If the number is correct they are authenticated
It is a great, low-friction flow for your users with two BIG benefits:
Your users do not need to remember (or otherwise keep track of) another set of credentials. I don’t mean to offend you, but as much as your site means to you, it means practically nothing to your users. Asking them to store yet another set of credentials can add to UX friction and lower conversion rates.
Users will be fully authenticated when they arrive at the Shopify-hosted checkout page that all non-Shopify Plus stores use for checkout. This means even less friction, as they have many fewer fields to complete to finalize their transaction.
Point #2 makes this authentication method the only way to achieve the same checkout experience as you would get when using a Shopify Liquid theme. No other method of authentication for a Headless Shopify store can provide this benefit.
TL;DR - A framework for how to choose
That’s a lot of information on a topic that many people don’t normally give much thought to. So how is one to choose based on all of the above? Here is a distilled list that simplifies the information above:
Are you OK with a Shopify-hosted (and branded! Yeah, you can’t change the branding on this page as of this writing) login page? If not, choose Option #1.
Are you OK with being completely reliant on Shopify for all user data? If not, same answer as above - no Shopify Customer Accounts API for you.
Do you want a traditional login page? Option #1
Do you want / need (per org governance perhaps) to have your authentication handled internally? Option #1
Do you want maximum data portability should you choose to replatform away from Shopify at some point? Option #1
Do you want to avoid responsibility for authentication within your systems entirely? Option #2
Do you prioritize an authentication flow with the lowest-possible friction? Option #2
Do users need to be fully authenticated on the Shopify-hosted checkout page? Option #2
There is an option #3, but eh…
There is an Option #3 (or #1.1?) which is to implement a SaaS / hosted auth solution, i.e. same overall situation as Option #1, but you pay monthly to a company to accomplish the same thing.
The set of considerations is more or less the same as for Option #1, but it’s just hosted on someone else’s computer, and you pay a monthly fee for some elegance and simplicity. An example of this is a service like Clerk.
Again, two marshmallows.
Wrapping-up
That’s a quick crash course, at the not-so-technical level, on how you should be considering authentication options for your Shopify site. We hope it was helpful, and of course feel free to reach out to the team at Rendr Software Group to discuss your authentication strategy specifically or your site in general.