States of Login
September 23rd, 2007
In the ’60s television show Get Smart, the opening credits show the lead character, secret agent Maxwell Smart, entering his agency’s headquarters. He progresses through a series of doors, unlocking each to get deeper into the secure facility. Many login procedures work the same way.
In my recent post, The Sign-in Travesty, one reader, Ron, talked about his frustration with Amazon.com’s frequent login requests. It’s not unusual for a user, when shopping on Amazon, to be asked to sign in even though the site has clearly demonstrated it already knows who the user is.
One thing Ron said really jumped out at me:
… the user is either signed in or logged out, there’s nothing in between…
That is a desirable way to think of Amazon’s security. Unfortunately, it doesn’t match how the site actually works. The site behaves more like Maxwell Smart’s secret headquarters.
On Amazon (and other sites), there are multiple levels of security, each intended to protect the user from an unintentional breach or fraudulent use of their private information. The user proceeds through each level, as necessary.
At first glance, there are 3 levels of security:
Level 0: Amazon doesn’t know who you are (no cookie).
Level 1: Amazon knows you from a cookie. That’s how it knows which books to recommend and which credit card to use for 1-Click.
Level 2: Amazon wants to reveal something that only you should know, such as your address or your shipping history.
The designers at Amazon have cleverly created something richer than an either-you’re-signed-in-or-you’re-logged-out model.
If you were looking to simplify the design, you could ask, “Why not combine Level 1 with Level 2?” Simplifying is always tempting, but there’s information you want to protect and there’s information Amazon deems harmless if someone other than you boots up your machine and visits the site. Separating the two levels lets Amazon keep the user experience feeling personal while preventing accidental privacy violations.
However, this more sophisticated model comes with a price. We can see this in the normal interaction of the site.
A user brings up the site and is greeted with their personalized banner.

The personalized banner Amazon uses for Level 1.
Because the site knows who the user is, it appears to the user that Amazon has logged them in, much like Ron suggested. Let’s say our user wants to check the status of an order. Amazon thinks this information is more private, so now it asks for a password.

The Amazon Sign-in page
This is where Amazon gets itself into trouble. The sign-in page doesn’t explain why the site suddenly has amnesia, even though it knew the user a second ago. Out of nowhere, it requests the user ID and password.
We’ve observed this sudden request startles users. A simple solution could be to provide explanatory text (or a link to explanatory text) telling the user the site is about to reveal personal information and wants to ensure it’s really the user at the keyboard. Giving users a reason for the sudden sign-in would improve the situation.
This is similar to another problem users frequently experience on Amazon: the disappearing stored credit cards. Many Amazon users opt to have the site remember their credit card information from one purchase to the next. It speeds up the purchase process and increases customer loyalty.
However, Amazon occasionally experiences more amnesia as it spontaneously seems to forget the stored credit card info. One instance is when you try to buy a gift certificate. In this case, Amazon only displays their “Pay with new card” functionality, pretending no information has been retained at all. To the user, all their stored information has mysteriously vanished.

Buying a gift certificate forgets stored credit card information
What Amazon doesn’t say is why it does this. It’s for the user’s protection. A common trick used by the criminals who steal user names and passwords is to quickly buy a gift certificate, which is basically like printing money with the user’s credit card. A stolen password doesn’t come with the card number, so asking for the number to be typed again demands something the thief is unlikely to have. To protect the user, Amazon makes them re-identify themselves by re-entering the credit card information.
Again, the problem isn’t Amazon’s sensitivity to the user’s security — that’s a good thing. It’s the missing information about why the user’s information has temporarily disappeared. In essence, this is Level 3 security — Amazon wants to ensure the user’s site access information hasn’t been stolen. But, like Level 2, the user doesn’t have a model of its existence.
Multiple levels of security are great. However, designers need to learn ways to explain these more complex models, so users don’t panic when they encounter the security measures. Sophisticated security models are not intuitive for most users, so training is a required part of the interface design.
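As an added example (not code from the original post, and not how Amazon’s site is actually built), the three levels above plus the gift-certificate case can be written down as a step-up authentication policy that a web back end applies to each request. The action names, the fifteen-minute freshness window, the Session and Decision records and the prompt texts are all assumptions made for the example:

```python
"""Step-up authentication policy modelling the post's four levels.

Added example, not Amazon's code. Names, the freshness window and the
action table are assumptions chosen to illustrate the model.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    ANONYMOUS = 0      # no cookie: the site does not know who you are
    RECOGNIZED = 1     # persistent cookie: recommendations, 1-Click card choice
    AUTHENTICATED = 2  # password entered recently: order history, addresses
    REVERIFIED = 3     # password and card number re-entered: gift certificates


FRESH_AUTH_SECONDS = 15 * 60  # assumption: how long a password entry stays "recent"


@dataclass
class Session:
    user_id: Optional[str] = None              # identity from the persistent cookie
    password_auth_at: Optional[float] = None   # epoch seconds of last password check
    card_reentered_at: Optional[float] = None  # epoch seconds of last card re-entry

    def level(self, now: float) -> Level:
        if self.user_id is None:
            return Level.ANONYMOUS
        if self.password_auth_at is None or now - self.password_auth_at > FRESH_AUTH_SECONDS:
            return Level.RECOGNIZED  # cookie still names the user, password is stale
        if self.card_reentered_at is not None and self.card_reentered_at >= self.password_auth_at:
            return Level.REVERIFIED
        return Level.AUTHENTICATED


# Assumed action table; anything not listed is refused outright.
REQUIRED_LEVEL = {
    "browse": Level.ANONYMOUS,
    "recommendations": Level.RECOGNIZED,
    "one_click_order": Level.RECOGNIZED,
    "view_orders": Level.AUTHENTICATED,
    "edit_address": Level.AUTHENTICATED,
    "buy_gift_certificate": Level.REVERIFIED,
}

# The explanatory text the post asks for, keyed by the step being requested.
PROMPTS = {
    "sign_in": "Please sign in to continue.",
    "password": ("You're about to see information only you should see, "
                 "so please confirm it's you by entering your password."),
    "card": ("Gift certificates are a favourite target for stolen accounts, "
             "so please re-enter your card number for this purchase."),
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    step: Optional[str] = None       # "sign_in", "password" or "card" when refused
    offer_stored_cards: bool = True  # False on forms that must not use saved cards

    @property
    def prompt(self) -> Optional[str]:
        return PROMPTS.get(self.step)


def authorize(session: Session, action: str, now: float) -> Decision:
    """Allow the action, or say which single step-up to ask the user for."""
    required = REQUIRED_LEVEL.get(action)
    if required is None:
        return Decision(False)
    current = session.level(now)
    stored_ok = required < Level.REVERIFIED  # level-3 forms hide stored cards
    if current >= required:
        return Decision(True, offer_stored_cards=stored_ok)
    if current == Level.ANONYMOUS:
        return Decision(False, "sign_in", stored_ok)
    if current == Level.RECOGNIZED:
        return Decision(False, "password", stored_ok)
    return Decision(False, "card", stored_ok)


def record_password(session: Session, user_id: str, now: float) -> Session:
    """Call after the password is verified: reaches level 2, resets card re-entry."""
    session.user_id = user_id
    session.password_auth_at = now
    session.card_reentered_at = None
    return session


def record_card_reentry(session: Session, now: float) -> Session:
    """Call after the card number was typed again; only counts on a fresh password."""
    if session.level(now) < Level.AUTHENTICATED:
        raise PermissionError("card re-entry only counts on top of a fresh password")
    session.card_reentered_at = now
    return session


def walkthrough() -> list:
    """The post's scenario: stale cookie, order status, then a gift certificate."""
    now = 1_000_000.0
    s = Session(user_id="ron", password_auth_at=now - 2 * 24 * 3600)  # two-day-old sign-in
    out = [authorize(s, "recommendations", now).allowed]   # True: level 1 suffices
    out.append(authorize(s, "view_orders", now).step)      # "password": step up to 2
    record_password(s, "ron", now)
    out.append(authorize(s, "view_orders", now).allowed)   # True
    d = authorize(s, "buy_gift_certificate", now)
    out.append((d.step, d.offer_stored_cards))             # ("card", False)
    record_card_reentry(s, now)
    out.append(authorize(s, "buy_gift_certificate", now).allowed)  # True
    out.append(s.level(now + FRESH_AUTH_SECONDS + 1))      # Level.RECOGNIZED: decayed
    return out


if __name__ == "__main__":
    print(walkthrough())
```

The Decision record carries the reason for a refusal along with the refusal, so the sign-in page can explain itself instead of appearing as amnesia; and any form that needs level 3 is told not to list stored cards, which is the behaviour the gift-certificate screenshot shows without explaining. Note that level 2 decays back to level 1 on its own, so a user who walks away from the machine is protected without being logged out.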
September 24th, 2007 at 7:20 am
Jared’s explanation is very useful and points out a pattern I see a lot, namely the unconscious perspective from the developer’s side of “Since I know the user is safe (or the computer is crunching, or the data has been saved), it’s not a user issue.” One of the great benefits of usability testing has been the many aha moments I’ve witnessed where developers see users fear what the developer has already protected against, or redo what the program has done, or show anxiety over issues the programmer anticipated and took care of. As Jared points out, the solution is universal: Tell the user what and why.
September 24th, 2007 at 11:03 am
The same type of login pattern is used on LinkedIn. When I first go to the site, it’s personalized with updates for me about my network. However, if I try to do anything it feels is more “private”, it prompts me for me password. It’s a very annoying thing to do because it completely interrupts my thought process.
It goes something like this: Open up LinkedIn. “It’s been a while since I’ve been here, let me check if there’s anyone new I know in my network.” Click My Contacts tab. Click Colleagues link. Click Find New button. “Hmm, I don’t recognize any of these people.” Click “I don’t know anyone here” link. Sign In page comes up. “WTF? That doesn’t even make sense! Why did it let me view my contacts, see the list of potential connections, and then when I don’t know anyone, it asks me for my login information?!”
At least with Amazon.com there’s financial information to protect. What is LinkedIn trying to protect against, I wonder?
September 24th, 2007 at 11:31 am
I enjoyed this post — you make some good points here :).
As a minor nit, I think you may have meant to include an apostrophe in the context of “using the users credit card”?
September 24th, 2007 at 12:25 pm
could it be as simple as changing the label for the functionality presented: what if instead of “sign in”, they asked the user to “verify your identity”
September 24th, 2007 at 12:45 pm
“So, to protect the user, Amazon makes them re-identify themselves by having them re-enter the credit card information.”
Partially, but that’s not the whole reason. I send a lot of gifts with Amazon, and it seems like they remember which credit card you use to send things to which address. They remember you used your credit card to send a book to your office, but if you try to send something to a different address, you have to enter the card again because you’re using it to send something to a new place. I guess this prevents someone from using your computer to buy something and send it to themselves?
September 24th, 2007 at 2:49 pm
Something else unusual is that account uniqueness is based on email address *and* password. I got myself into a muddle with my passwords, and now have 2 accounts with the same email address, but different passwords. Lots of confusion occurs, as Amazon seems to have forgotten everything about me.
Once I worked out what was going on, I can make sure to use one or the other, but I still sometimes forget.
Amazon will not merge these two accounts.
September 24th, 2007 at 3:15 pm
Huh. I always assumed that they were just poor developers, and forgot my login when going from module to module. It never occurred to me that I was crossing into a different level of secureness. (And buy.com does the same thing.)
Tom, you may need to keep trying until you find the right person– I also had dual accounts due to a password muddle, but I got Amazon to merge them. Granted, this was a while back and their policies may have since changed, but it may just be a matter of calling back until you get someone clueful.
September 24th, 2007 at 3:24 pm
Brilliant, Jared.
September 24th, 2007 at 4:13 pm
Jared, great article again. The comment I made in the article The Sign-in Travesty was one from a customer point of view. I’m aware of the security issues Amazon has to deal with, and I’m glad that they do.
I agree with you that Amazon would benefit from some extra customer guidance / extra information about the actions the user has to take and maybe just as important: the reason why. It will not only improve the usability for the user, but it also shows that Amazon handles your private information with care (and that will improve the user experience even more)!
September 24th, 2007 at 4:38 pm
IIRC, Yahoo does this, usually when you’re switching from viewing (like news, personalized homepage, etc.) to potentially acting (email, Flickr, groups(?)). I find their explanation very concise and helpful.
September 25th, 2007 at 3:27 am
[...] States of Login » UIE Brain Sparks Jared Spool explains the different levels of Amazon login. I’ve seen every type of behavior he describes, but never understood why Amazon was set up that way. His explanation helps a lot and Amazon should take his advice and add explanations to its site. (tags: amazon security ux userexperience usability) [...]
September 26th, 2007 at 5:31 am
I’ve long been curious about this aspect of Amazon, it’s something I quite like about it because if you want to just browse for a bit, you don’t need to authenticate in order to get personally tailored content.
The one thing that did piss me off big time about Amazon (on the .co.uk at least, and I think they’ve fixed it recently), was their login form. It had the email address field, then radio buttons for “I’m new”, or “I’m a returning customer, and my password is: (text input field)”.
This is great and intuitive, but if you land on this page suddenly when you attempt to access order information or something on the high security level, your eye recognises a login form with two text input boxes and a login button. Straight away you type a password into the relevant field and hit enter on the keyboard, but wait! The radio button is still in the default position of “I’m new”.
They recognised the problem, but rather than solving the issue properly, they handled the symptom with a special error message: “You said you’re new but you entered a password. Please go back and sort it out.”
As I say, I think they’ve resolved this now, but this was a glaring error for several years.
September 26th, 2007 at 2:31 pm
I recently placed an order on a site called Knitpicks.com, which exhibits a different annoying behavior. It allows you to select items and place them in your basket, just as Amazon does. When you try to check out, it prompts you to login–again, apparently manifesting the same behavior as Amazon. But when you do check in, it empties your basket! That is to say, it forgets about tempuser192837, realizes that I’m Emily, and shows me my own basket, which is empty, since I purchased everything out of it the last time I used the site, months ago.
The only ways around this are to register a new account (using a new email address, or you’ll get an error) every time you use the site, or to remember to log in immediately when visiting the site–even though it has cookies that make it seem like this is unnecessary.
The site drives me up the wall, and I’ve emailed them to explain the problem, but no response yet…
August 27th, 2008 at 11:21 am
Regarding Natasha Lloyd’s comment about Linked In, I think in a different way and must say that the Linked In log-in is one of the best. Why?
Let’s say you use Linked In website once a week, the idea is that when you come back you can still browse the web site but if you want to make an action such as: comment, modify personal data, add friend you must register.
And the problem here is the same, the lack of explanation not the process.