For employees

Why we built HowsWork without employee logins

Adam Johnson (founder)

Adam Johnson (founder)

2 min read
Why we built HowsWork without employee logins

When we started building HowsWork, one of the first decisions we made was to remove employee accounts entirely. No usernames. No passwords. No individual logins of any kind.

It was a deliberate choice, and it shapes everything about how the product works.

The problem with accounts

Most workplace tools are built around identity. You log in, and everything you do is tied to your account. That makes sense for most software. But for a tool designed to help employees raise sensitive workplace concerns, it creates a fundamental problem.

If an employee submits a concern through a tool that knows who they are, the promise of anonymity is always conditional. It depends on the platform never being breached, the employer never being given access to identifying data, and no one ever being able to connect a submission to a specific person. That is a lot to ask someone to trust, especially when they are already in a vulnerable position.

We wanted to build something where the anonymity was structural, not just promised.

How HowsWork works instead

Rather than individual accounts, everyone on a team accesses HowsWork using a shared rotating PIN. The PIN changes regularly, and because everyone uses the same one, there is no way to link a submission to a specific person. Not for the employer, and not for us.

This means when an employee submits a concern, there is no account record, no login timestamp, no user ID. There is simply a concern, stripped of the information that would make it traceable.

The trust problem in anonymous reporting

Anonymous reporting only works if employees genuinely believe it is anonymous. If there is any doubt, people stay silent. And when people stay silent, real workplace issues go unaddressed.

We have seen this play out in research and in practice. Tools that require individual logins, even when they promise anonymity, see lower participation rates because employees do not fully trust them. The mechanism matters as much as the promise.

By removing accounts entirely, we removed the doubt. There is no login to trace, because there was never a login to begin with.

The tradeoff

We are aware this approach has a tradeoff. Without individual accounts, employers cannot see response rates at an individual level or send tailored reminders. Some analytics that would be possible with accounts are not available.

We made that tradeoff deliberately. The value of a reporting tool depends entirely on whether employees use it honestly. Protecting that trust is more important than the data we give up by not having accounts.

What this means for employers

For employers, the no-login model means you can genuinely tell your team that submissions cannot be traced back to them. Not because of a privacy policy. Because of how the system is built.

That is a meaningful thing to be able to say.

Read more