Case Study · Jack in the Box · Identity & Authentication

We killed the password — and guests stopped calling.

Passwords were quietly undermining the Jack in the Box digital experience — generating support contacts, enabling account takeovers, and failing guests at the front door. Magic Links fixed all three.

26%: Drop in guest relations contacts — driven in part by removing password friction
99%: Sign-up success rate — nearly frictionless account creation
Mid-90s: Sign-in success rate — guests get in, reliably, every time
0: Account takeover incidents — credential stuffing attacks eliminated

Brand: Jack in the Box
Role: Director of Product
Scope: iOS, Android, Web
Focus: Authentication, Identity, Security

The password was doing more damage than we realized.

Passwords feel like table stakes. Every app has them. But in a high-frequency app context — where a user's goal is to order quickly, redeem an offer, and move on — a password is a meaningful obstacle. Forget it once and you've lost the order. Forget it twice and you've lost the guest.

At Jack in the Box, the pattern was consistent. Password-related issues were a material driver of guest relations contacts. Guests who couldn't sign in weren't just frustrated — they were calling the Guest Relations team, abandoning their orders, and in some cases, losing access to loyalty points they'd earned. For a digital experience that was supposed to drive incremental revenue and loyalty, the authentication layer was creating churn at scale.

There was a security dimension too. Passwords don't just frustrate guests — they create attack surface. Credential stuffing, where bad actors try username-password combinations harvested from other data breaches, was producing real account takeover incidents. Guests were losing access to their accounts. Their stored payment methods and loyalty balances were at risk. The password wasn't just a UX problem. It was a security liability.

"Passwords were generating support tickets, enabling account takeovers, and failing guests at the exact moment they were trying to engage with the brand. We decided to remove the problem entirely."

Removing the password without replacing it with something worse.

Passwordless authentication isn't new. But the options come with real trade-offs, and the wrong choice could trade one set of guest complaints for another. The authentication experience had to be simpler and faster than a password — not just different.

01 Forgotten passwords → support contacts
Password resets were the single most common reason guests contacted the support team. Every reset that failed to arrive, confused the guest, or expired too quickly became a ticket.

02 Credential stuffing → account takeovers
Passwords shared across accounts — a near-universal behavior — meant that when guest credentials were exposed in third-party breaches, Jack in the Box accounts became targets. Account takeovers were happening.

03 Failed sign-ins → abandoned orders
A guest who can't sign in can't redeem a loyalty offer. A guest who can't redeem an offer has less reason to use the app. Authentication failure was directly connected to order abandonment.

04 New account creation → drop-off
Sign-up flows with password requirements — minimum characters, special characters, confirmation fields — added friction at the top of the funnel where first impressions matter most.

The solution had to work for a broad consumer audience — not especially tech-forward, often transactional, frequently in a drive-thru mindset. It had to be universally intuitive, work across iOS and Android, and not introduce a new class of failure modes. We landed on Magic Links: a tokenized, single-use link delivered to the guest's email that signs them in with one tap.

One tap to get in — nothing to remember.

The concept is simple. A guest enters their email address. We send them a secure, single-use link. They tap it, they're in. No password to create. No password to remember. No password to forget. The email address becomes the identity — and the link is the credential.

Simple concepts require careful execution. Magic Links only work if guests trust them, receive them reliably, and understand what to do with them. We treated deliverability as a product requirement, not an infrastructure afterthought. Email timing, subject line clarity, and link behavior on mobile — particularly deep-linking back into the native app rather than dropping guests in a browser — were all pressure-tested before launch.

"The bar was not 'better than passwords.' The bar was: does a guest who has never heard of a Magic Link know exactly what to do when they see one? We tested until the answer was yes."

The sign-up flow was rebuilt around the same principle. No password field. No confirmation step. Enter your email, tap the link, you have an account. The mechanics were consistent whether a guest was signing up for the first time or signing back in after six months away.

On the security side, the architecture was inherently stronger. Magic Links are single-use and time-limited — there are no stored credentials to steal, no reused passwords to exploit. Credential stuffing attacks require credentials. Without passwords, the attack vector disappears.
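As an added illustration of the issue-and-redeem cycle the two passages above describe (this is example code written for this page, not Jack in the Box's implementation; the sign-in endpoint URL, the 15-minute validity window and the in-memory record store are assumptions), the service below generates a random token, stores only its hash server-side, enforces the expiry, and marks the record used before returning, so both a replayed link and an expired link are rejected:

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Assumed values for this example (not taken from the case study).
TOKEN_TTL_SECONDS = 15 * 60                      # how long a link stays valid
BASE_URL = "https://app.example.com/auth/magic"  # placeholder sign-in endpoint


@dataclass
class MagicLinkRecord:
    email: str
    expires_at: float
    used: bool = False


@dataclass
class MagicLinkService:
    # Records are keyed by the SHA-256 of the token, never by the raw token, so
    # a copy of this table contains nothing that would sign a guest in.
    _records: dict = field(default_factory=dict)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str, now: Optional[float] = None) -> str:
        """Create a single-use, time-limited link for the given email address.

        The raw token exists only in the returned URL, which goes into the
        email; the server keeps just its hash alongside the expiry.
        """
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[self._digest(token)] = MagicLinkRecord(
            email=email.strip().lower(),
            expires_at=now + TOKEN_TTL_SECONDS,
        )
        return f"{BASE_URL}?token={token}"

    def redeem(self, token: str, now: Optional[float] = None) -> tuple:
        """Validate a token from a tapped link.

        Returns (email, None) on success or (None, reason) on failure.
        The record is flagged used before the email is returned, so a second
        tap on the same link fails with "already_used".
        """
        now = time.time() if now is None else now
        record = self._records.get(self._digest(token))
        if record is None:
            return None, "unknown"
        if record.used:
            return None, "already_used"
        if now > record.expires_at:
            return None, "expired"
        record.used = True
        return record.email, None


def token_from_url(url: str) -> str:
    """Pull the token out of a tapped link (what the app's deep-link handler would do)."""
    return parse_qs(urlparse(url).query).get("token", [""])[0]


if __name__ == "__main__":
    svc = MagicLinkService()
    link = svc.issue("guest@example.com")       # constructed sample guest
    print("emailed link:", link)
    print("first tap:", svc.redeem(token_from_url(link)))   # ('guest@example.com', None)
    print("second tap:", svc.redeem(token_from_url(link)))  # (None, 'already_used')
```

Two production details the toy store hides: the "mark used, then return" step has to be atomic against a shared database (a conditional update that only succeeds if the row is still unused), or two near-simultaneous taps can both succeed; and some corporate mail filters prefetch links in incoming mail, which with a pure GET redemption would consume the link before the guest ever taps it, which is why real deployments typically finish the sign-in with an explicit action on the landing page rather than on the link fetch itself. The model also rests entirely on the guest's mailbox: its security is the security of the email account and the transport to it, so deliverability work and mailbox compromise monitoring are part of the authentication design, not separate concerns.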

Remove the problem, don't manage it. Password resets, lockouts, and complexity rules are all downstream of the password existing in the first place.
Email is the universal identity layer. Every guest already has an email address. Magic Links use the channel they already trust without asking them to manage a new credential.
Deliverability is a product decision. A Magic Link that arrives in spam or takes 90 seconds has failed — regardless of whether the underlying technology worked correctly.
Security and simplicity aren't a trade-off here. The passwordless model is more secure than passwords, not less — because it eliminates the credential layer that attackers exploit.

Fewer complaints, zero takeovers, and guests who actually get in.

The headline is the 26% reduction in guest relations contacts. That number reflects a lot of things going right at once — not just authentication, but the broader app experience. But password-related contacts were a significant driver of that volume before Magic Links, and they've effectively disappeared since.

26%: Drop in guest relations contacts — password friction was a primary driver of support volume
99%: Sign-up success rate — account creation that almost never fails
Mid-90s: Sign-in success rate — guests authenticate reliably, every session
0: Account takeover incidents — the attack vector no longer exists
Identity theft exposure — no stored credentials means no credentials to steal
1: Tap to sign in or sign up — the entire authentication experience, simplified

The operational benefit compounds over time. Every guest who doesn't call support because they forgot their password is a guest who stayed in the app, completed their order, and had a better brand experience. At scale, that's not a small thing.

The security outcome is even cleaner: you can't steal what doesn't exist. By removing the password, we removed the attack surface. Account takeovers — which require stored credentials to exploit — went to zero. A better guest experience and a stronger security posture turned out to be the same decision.

Still managing password resets and account takeovers?

The better experience and the more secure one are usually the same move. Let's talk about how to get there.
