3 Rules for Painless Account UX

Online accounts give users privacy, control and a personalised experience (imagine Facebook without accounts!). Account management — registration and log in — is, therefore, a necessary evil. Except when it goes wrong, no user likes or cares about account management, they just want to access the service.

You can make account management less evil by following three little rules:

1. Don’t make the user guess

Almost every service on the web handles account management slightly differently. As a result, you have to be explicit about the requirements for your service. Otherwise, you’re just being cruel.

2. Balance security with usability

Often, security folk will insist on an approach that compromises the user experience. This is foolish, because poor usability will lead to workarounds, and workarounds in turn lead to weakened security. Instead, aim for a design that is both secure and usable.

3. Keep it simple

Account management is one of your biggest potential barriers to usage. Make the barrier practically invisible through a simple, seamless, pain-free design.

Let’s look at how these three rules can be applied to registration and log-in. We discuss registration below; log in will be covered in a second article to follow soon.

The User Registration Process

Rule #1: Don’t make the user guess

• Warn the user — ideally before they start — if they are going to have to do something to verify, before their account will be created.
• Let the user know if usernames are automatically set by the service.
• Allow — but don’t insist on — login with third party services like Facebook or Twitter.
• Spell out any requirements for username or password before this information needs to be entered [1]. In particular, let the user know whether:
  1. there are restrictions on length, characters, words or phrases
  2. spaces — and thus passphrases — are allowed
  3. such fields are case sensitive.

Example: What not to do.

Amazon doesn’t explain its password requirements until after form is submitted and the chosen password fails. How hard would it be to put “Case sensitive, minimum of 6 characters.” underneath the first password field?

Example: A better approach.

Wufoo is up front and transparent about password requirements.

Rule #2: Balance security with usability

• Avoid setting restrictions on usernames.
• Avoid complex password requirements; this will only lead to users writing down their password and/or using the same passwords across multiple services.
• If you have a password strength meter, make sure it reflects up-to-date practice, otherwise don’t have one at all.

Example: What not to do.

Ebay — who recently suffered a massive data breach and responded embarrassingly poorly — don’t allow passphrases (several words separated by spaces). Yet many consider passphrases to be the most practical, secure and usable approach to passwords (see, for example, [2] and [3]).

Example: A better approach.

Envato allow passphrases. The passphrase I had entered is “This is a phrase”.

Rule #3: Keep it simple

• Avoid repeated fields (e.g. asking for password to be entered twice) and instead provide a simple (but secure) way to reset such data. (For more about repeated fields, see [4]).
• Ask for just what you need in order to create the account; you can always ask about other things later.
• Don’t ask for personal information (e.g. date of birth) unless you really need it.
• Inline validation is nice, but don’t do it before the user has had a decent amount of time to enter data.

Example: What not to do.

Deals.com.au requires double entry on both email and password!

Example: A better approach.

Trivago keep things very simple.

---

Keep an eye out for the second part of this article, on log in, to be published soon!