Your customer is your most valuable asset, but they are not always easy to please. Here’s a quick list of 15 ways to annoy users and how not to deal with user identity:

1. Generate a username for them

Users can’t remember their passwords, so what hope do they have of remembering their username, especially if it is something cryptic with a number at the end? Use an email address or let them decide.

2. Generate a password for them

Trying to be helpful is a surefire way to make your user do a password reset every time they want to log in. For bonus points, send the password to the user in an unencrypted email.

3. Create a restrictive password policy, such as no spaces or no special characters.

More and more users understand password complexity and plan their passwords accordingly, or use passwords generated by the password manager in their browser.

4. Force them to log in again after changing their password – just to make sure it is still them and they really want to use your online service

It’s annoying enough to have to reset or change a password – try to streamline the process as much as possible so the user can get back to what they came for in the first place.

5. Expire the password so often that they could never ever remember what it is

NIST SP 800-63 (https://pages.nist.gov/800-63-3/) recommends against password expiry policies because its research shows that users choose weaker memorised passwords when they know they will have to change them often. And when they do change them, they tend to pick a similar password with a small modification, such as incrementing a number at the end.
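As an added example that is not part of the original post, here are the two approaches side by side in Python: the restrictive rule from item 3 and a check that follows the NIST SP 800-63B guidance referenced in item 5 (minimum length, a long maximum, any printable character including spaces, Unicode normalisation, and a blocklist instead of composition rules or expiry). The blocklist is a constructed sample; a real deployment would use a large breached-password list.

```python
import unicodedata
from typing import List, Set

# Constructed sample blocklist of common or breached passwords (a real one has millions of entries).
BLOCKLIST: Set[str] = {"password", "p@ssw0rd", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 8     # 800-63B: memorised secrets must be at least 8 characters
MAX_LENGTH = 128   # 800-63B: verifiers should accept at least 64; a higher cap is fine


def restrictive_policy(password: str) -> List[str]:
    """The kind of policy item 3 warns against: bans spaces and special characters, short cap."""
    problems = []
    if " " in password:
        problems.append("spaces are not allowed")
    if any(not (c.isalnum() or c == " ") for c in password):
        problems.append("special characters are not allowed")
    if len(password) > 16:
        problems.append("maximum length is 16")
    return problems


def nist_policy(password: str, blocklist: Set[str] = BLOCKLIST) -> List[str]:
    """Checks in the spirit of NIST SP 800-63B: length and blocklist only, no composition rules.

    There is deliberately no expiry check: 800-63B says to require a change only on
    evidence of compromise, not on a calendar.
    """
    # Normalise so visually identical Unicode input (e.g. composed vs. decomposed accents)
    # is treated the same way; 800-63B suggests NFKC or NFC before hashing.
    normalized = unicodedata.normalize("NFKC", password)
    problems = []
    if len(normalized) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters")
    if len(normalized) > MAX_LENGTH:
        problems.append(f"must be at most {MAX_LENGTH} characters")
    if normalized.lower() in blocklist:
        problems.append("this password appears on a list of commonly used or breached passwords")
    return problems


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "P@ssw0rd", "short"]:
        print(repr(candidate), "restrictive:", restrictive_policy(candidate),
              "nist:", nist_policy(candidate))
```

Note that the restrictive policy rejects the long passphrase (a strong choice) while accepting nothing the NIST check would not also accept; the NIST check rejects "P@ssw0rd" for the reason that actually matters.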

6. Don’t explain why they need an account, i.e. what is the benefit for them

What is obvious for the site designer may not be clear for the user. Simple things like “remember preferences”, “continue where you left off on another device”, “share content faster” or “securely save documents” are things that are useful and understandable for the user.

7. Design the page so that it is impossible to use on mobile, tablets or TV devices. Popups and iFrames can help you here.

In case you didn’t notice, most internet users are now predominantly on mobile devices. Format your login page accordingly, so it works well across all of these devices.

8. Forbid linking the account to social logins

Unfortunately most users don’t want yet another username and password. Let them log in using some existing credentials from a popular service used by your user community. It may be a social network, but don’t forget complementary third-party services.

9. Hide the login button from your main website and never include the URL in any email communication

Sounds ridiculous, but it is sometimes hard to find the actual way to sign in to some services. The top right of the screen is a good place to put a link. Make it look like a link or a button. For services that choose to not put any links in email communication, describe explicitly where and how to log in (e.g. “Press My Account at the top of our home page”).

10. Make it impossible to log out, or if you can log out, hide the button well and don’t notify the user that logout has been done

If a user can’t log out, it’s like leaving the house without locking the door. Some users appreciate a reassuring click behind them when the door closes.

11. Make the session as short as possible so that any transaction will fail with a timeout before it completes

How many times have you stepped away from a simple transaction (travel booking, application form, etc.) for only a few minutes, only to find all your work lost to a session expiry? Design your web app to allow the user to continue from where they were.

12. Use MFA (multifactor authentication) exclusively, even when a certain common transaction does not warrant its use

Do I really need to sign in with a military-spec smart card just to see the status of my order?

13. Ensure your error messages are as generic or obscure as possible and do not tell the user what they need to do to fix the problem, if anything

You will leave your valued customer with two choices: abandon your service or contact support. Neither is good for business.

14. Provide no contextual help text and never show an email address or phone number that they could contact for more help

Try to help users solve their own problems, but let them get in touch when all else fails. Fix the underlying causes for any repetitive support requests.

15. Force your users to create accounts at each different part of your website and make them log in separately to each

Your users do not care that the services from the same company come from different business units, different development teams, different technologies or different SaaS providers. Standards exist to help you achieve single sign-on. Show some respect for your users and give them one account to access all services from your business.

Don’t worry! Ubisecure can help your business delight your users by avoiding these common pitfalls. Contact us for a demo today.