What is client authentication? Definition

June 4, 2026

Customer authentication is the process that verifies the identity of a buyer before giving them access to their customer account, their order history, or sensitive actions (address changes, returns, subscriptions). In e-commerce, it is distinct from payment authentication (3D Secure): the former identifies the person on the store; the latter validates the bank transaction.

Definition: authentication, identification, and authorization

Authenticating a customer means confirming that they are indeed the person associated with the entered account or email, via a proof factor: password, one-time passcode (OTP), magic link, social login, or Shop recognition.

Three closely related concepts:
- Identification: the customer says who they are (email, customer number).
- Authentication: they prove their identity (received code, correct password).
- Authorization: the system determines what they can do once logged in (view orders, edit profile).
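
The three steps above, as an added Python sketch of an email one-time code login (an illustration written for this glossary, not Shopify's implementation). The key, lifetime, attempt limit, permission table and function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # assumption: per-deployment secret kept server-side
CODE_TTL = 600                         # assumption: code valid for 10 minutes
MAX_ATTEMPTS = 5                       # assumption: guesses allowed per issued code
PERMISSIONS = {"customer": {"view_orders", "edit_profile"}}  # constructed sample policy
_pending = {}                          # email -> [code_mac, expires_at, attempts_left]


def _mac(email, code):
    # Store only a keyed hash so a leaked table does not reveal live codes.
    return hmac.new(SERVER_KEY, f"{email}:{code}".encode(), hashlib.sha256).digest()


def issue_code(email, now=None):
    """Identification: the customer claims an email; a 6-digit code is sent to it."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    _pending[email] = [_mac(email, code), now + CODE_TTL, MAX_ATTEMPTS]
    return code  # in production this goes to the mailbox only, never into the HTTP response


def verify_code(email, code, now=None):
    """Authentication: True only for an unexpired, unused code within the attempt budget."""
    now = time.time() if now is None else now
    entry = _pending.get(email)
    if entry is None:
        return False
    mac, expires_at, attempts_left = entry
    if now > expires_at or attempts_left <= 0:
        del _pending[email]            # expired or exhausted: a new code must be requested
        return False
    entry[2] -= 1                      # count the attempt before comparing
    if hmac.compare_digest(mac, _mac(email, code)):
        del _pending[email]            # single use: a replayed code fails
        return True
    return False


def authorize(role, action):
    """Authorization: decided separately, after authentication succeeded."""
    return action in PERMISSIONS.get(role, set())
```

The attempt limit and short lifetime are what keep a 6-digit code from being guessed; a real deployment would also rate-limit code requests per email and per IP.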

Useful distinctions in e-commerce:
- Customer authentication vs. guest checkout: as a guest, the customer purchases without a persistent account; the email may suffice for order confirmation, without a long-term authenticated session.
- Account authentication vs. payment authentication: 3DS or bank verification does not replace logging into the customer account.
- Login vs. sign-up: account creation registers the profile; authentication occurs with each new session.

Why client authentication is important

Thoughtful authentication balances security, trust, and friction at checkout:
- Data protection: orders, addresses, saved payment methods, loyalty programs.
- Personalized experience: recommendations, history, quick repurchases for recurring customers.
- Self-service: parcel tracking, returns, invoices without contacting customer service.
- Marketing: qualified email and SMS list in the customer database (with consent).
- Fraud prevention: account access is harder to hijack than a simple unprotected email link.

Too much friction (complex password, double entry) increases cart abandonment. Too little security exposes customers to account takeover. The challenge is to secure accounts without blocking conversion.

Customer authentication on Shopify

Shopify offers two generations of customer accounts:
- New customer accounts (recommended): passwordless authentication via email code, Shop login, Google/Facebook options, self-service returns, app extensions (Shopify Changelog, Feb. 2026).
- Legacy accounts (email + password, Liquid templates customers/login.liquid): deprecated since February 2026; sunset announced for later in 2026. Migration is advised.

Activation: Shopify admin > Settings > Customer accounts. Existing customer data (orders, addresses) is preserved during migration; only the login method changes.

For headless storefronts: Shopify points towards the Customer Account API (OAuth 2.0) rather than the legacy Storefront API mutations. Apps customize the account page via Customer Account UI extensions.

Third-party apps (B2B SSO, phone login, 2FA) complement native authentication. Verify compatibility with new customer accounts before installation.

In summary

The essential points to remember are as follows:
- Client authentication = proving identity to access the account and sensitive actions.
- Distinct from payment authentication (3DS) and compatible with guest checkout.
- Shopify 2026: new passwordless accounts; legacy deprecated.
- Objective: security + self-service without excessive friction.
- Migrate, communicate, test apps and mobile journeys.

Associated terms, FAQ, and resources

FAQ

Should account creation be mandatory to purchase?

No, in B2C it is recommended to keep the guest checkout and invite users to create an account after purchase. Mandating it often increases cart abandonment.

Do new Shopify accounts still have a password?

By default, no: login via email code (OTP) and Shop / social options. Apps can reintroduce email + password on the new accounts framework if needed.

Customer authentication and GDPR: what to prepare?

Clear privacy policy, separate marketing consent, ability to exercise access/deletion rights, login logs limited to what is necessary.

What happens to legacy accounts in 2026?

Shopify deprecated legacy accounts in February 2026. A sunset date will be announced; migrate to new customer accounts to keep returns, extensions, and support.

Going further

Sources: Shopify Changelog (legacy customer accounts deprecated), Shopify Help Center (Customer accounts).

Enzo

13 May 2026
