OpenId login is becoming more common these days and will probably become fairly ubiquitous soon. It is a new kind of login where you only need to have a username and password on one website on the Web, which you use to log in to other sites. The use of OpenID bypasses a number of the issues that you raise.

However, a number of user experience issues have started to crop up with OpenID’s implementation into sites. For example, on Onaswarm (a lifestream social network), the OpenID login looks like it requires a password (but there is no need for a password with OpenID) and does not function unless the ‘http://’ part of the url is included (yet does not mention that it requires it). Still, we live and learn…

Excellent article on User Sign-in. This study provides quite a lot of information for UX and Usability engineers to set goals and standards. I agree in except for the #13.

Thanks again.

This is great information to think about before designing a sign in. I think of only part of my problem as not thinking through the design to better address these kinds of issues up front. The bigger part is not finding a way to let my users tell me when I am making mistakes. How do we make it easy for any user of our websites to quickly and easily give us feedback on their experience? I would think a quick rating sytem (select 1 through 9) would give only a crude measurement of effectiveness and user satisfaction with my website. Alternatively, asking them to type a long explanation that would provide specific information does not seem to be very user friendly either.

Thanks,

I do have to take issue with your assertion on Mistake #12: “Coding the return point from the registration process is technically very difficult.” It’s not difficult at all. That information can be stored several ways (e.g. on the url, in a cookie, in a server-side session) so it’s available at the end of the registration process.

I also disagree with #13 - Not Explaining If It’s The Username or Password They Got Wrong. As a user, when I fail a sign-in, I wish I knew what was wrong, but as a developer I know it would significantly reduce the security if we told the user what was wrong: the username or password. The solution is to provide a way for the user to retrieve both the username and password through a smart and secure method. I don’t think it should be configurable by the user since they often don’t understand the consequences.

Regarding #11 - Using Challenge Questions They Won’t Remember In A Year, I agree and would suggest this goes further than remembering in one year. Security questions actually present a hole or weakness in a sign-in and in reality should be called “in-security” questions. However, the risk is low if developed correctly and developers use “good” questions. After being frustrated on numerous websites with “favorite” questions (which are poor questions), I decided to offer a list of questions that developers can use along with my opinions about which are better than others: http://www.goodsecurityquestions.com/examples.htm

Thanks again.

This is just another case of security -vs- UX trade off, but in this case I agree with this kind of solution.

Accurate error messages are great for everyone trying to enter the account, and it’s not just you, it could be i.e. a hacker. If the system explicits that the username is VALID, thay can just fix it and try passwords until violate your account. Besides, sometimes the username is an email address, and that’s ALL a spammer need to know about you. If the system helps them to discover the customer’s email, it will produce a huge user experience detriment via spam…

It would be great to have the best of all worlds, but in this case, I think the trade off is completely necessary and the examples you presentes are a good solution.

Ok, maybe it should be configurable by the user. After all, he should be the one to decide about what is worst for him… What do you think?