Question

We have a small web application where users can mark spots on a map. We don't authenticate users, because we don't need to. Marked spots aren't secret at all; everybody should see them, and things should be very open and transparent to everybody. Because there is nothing to authorize, we also don't need to authenticate. Nevertheless, we keep something like a user profile in a cookie. A user can store default values for some fields in this "wallet" cookie so that he only needs to type them once.

That's our little anarchy app ;) ...but as said: It's simple and it's fast and the users like that.

But:

  • Basically there IS a need for some security, just to make sure the system isn't filled with nonsense from people who aren't interested in the intention of the app. So from my point of view that is a nonfunctional requirement (my point of view as a system architect).
  • Also, the (group of) users say that they want "a login" for some reason, but actually they can't tell why.

What I am trying to do now is to find out what they really want. I assume their requirement isn't "authentication" but something they think that a login is needed for. So for our next couple of sprints I am trying to formulate some user stories to cover these requirements and to ask the users for their goals and benefits.

My question now is: Does it make sense to write a user story like this?

As users of system XY, we want user authentication by login, so that we can be sure that only serious input is generated.

In other words: How would you point out the need for authentication and how it should be done (to keep things simple and not to provide an obstacle for users)? Can "authentication" be a goal in a requirement?

Some more considerations on this issue:

  • Users don't want to type passwords. They want some kind of SSO.
  • Some users said that they want everybody to mark spots, but they don't want everybody to see them (so everyone is allowed to write, only some are allowed to read). That's a totally new goal in our app, but I still don't get the benefit yet.
  • That also implies that there are privileged users, and that there is a need for user management, administration UIs, groups and so on...

Solution

Yes, it makes sense.

The issue with simple cookies is that if you lose the cookie, there is no way to become that user again.

That said, I think these stories are what you need (this includes the extra points you make):

  1. As a logged-in user I want to become anonymous so another user of the same browser won't be identified as me
  2. As a user I want to identify as a previous user so I can resume my work
  3. As a user I want to register as a (Google) user so that I don't have to create new credentials
  4. As a logged-in user I want some of my spots to be private so that I can mark places I don't want the general public to know
  5. [Epic] As a logged-in user I want to be able to manage my spots

As you can see, none of these stories is prescriptive in the way you solve it, or track who is whom. They all describe real, valuable problems that your users might want solved.

Licensed under: CC-BY-SA with attribution