Usability expert Jared Spool has written a couple of articles on how companies can avoid design mistakes on their web sign-in pages. Here is his list of common sign-in problems:
- Having a Sign-in In The First Place
- Requiring Sign-in Too Soon
- Not Stating the Benefits to Registering
- Hiding the Sign-In Button
- Not Making "Create New Account" or "Forgot Your Password" a Button or Link
- Not Providing Sign-in Opportunities at Key Locations
- Asking for Too Much Information When Registering
- Not Telling Users How You'll Use Their Information
- Not Telling Users the Requirements for Username and Password Up Front
- Requiring Stricter Password Requirements Than The NSA
- Using Challenge Questions They Won't Remember In A Year
- Not Returning Users to Their Desired Objective
- Not Explaining If It’s The Username or Password They Got Wrong
- Not Putting A Register Link When The Sign-In Is An Error
- Not Giving the User A Non-email Solution To Recover Their Password
- Requiring More Than One Element When Recovering Password
A few more suggestions (these might be rare but are really annoying!):
- Don't limit the number of tries people get. Okay, maybe there's some rationale for limiting it to, say, 100 to stop automated password sniffers, but limiting it to three is just silly.
- Don't use an account number as a user ID. That makes it easy for the site to keep unique user IDs, but it forces the user to search through their e-mail every time they want to log in. Ironically, this mistake is committed on the member site of the Usability Professionals Association.
- Don't change your system every two months. It seems like every time I log in to some places they've got a new set of challenge questions, pictures, or some crap that just makes the whole thing slower and more frustrating.
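As an added illustration of the first suggestion above (not code from the post, and not from any site it mentions), here is a small Python sketch of a failed-attempt limiter that uses a generous per-hour ceiling instead of a three-strike lockout. The `verify` callback, the `alice` account and its password are constructed for the demo; the cap of 100 failures per hour is an illustrative number taken from the post's own suggestion, not a recommended standard.

```python
import time
from collections import deque


class LoginThrottle:
    """Sliding-window cap on failed sign-in attempts per account.

    The defaults mirror the post's suggestion: a generous ceiling (100 failures
    per hour) that stops automated guessing but never locks a human out after
    three typos. All numbers here are illustrative choices, not a standard.
    """

    def __init__(self, max_failures=100, window_seconds=3600, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.clock = clock  # injectable so behaviour can be tested without sleeping
        self._failures = {}  # username -> deque of failure timestamps

    def _recent(self, username):
        """Drop failures older than the window and return the remaining ones."""
        now = self.clock()
        q = self._failures.setdefault(username, deque())
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        return q

    def is_blocked(self, username):
        return len(self._recent(username)) >= self.max_failures

    def remaining(self, username):
        return max(0, self.max_failures - len(self._recent(username)))

    def record_failure(self, username):
        self._recent(username).append(self.clock())

    def record_success(self, username):
        # A correct sign-in clears the counter so the user starts fresh.
        self._failures.pop(username, None)


def attempt_login(throttle, verify, username, password):
    """Apply the throttle around a credential check.

    `verify(username, password)` is a hypothetical callback standing in for
    whatever the site uses to validate credentials. Returns one of
    "ok", "bad_credentials" or "throttled".
    """
    if throttle.is_blocked(username):
        return "throttled"  # refuse before touching the password store
    if verify(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "bad_credentials"


class FakeClock:
    """Constructed clock for the demo: time only moves when we advance it."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk one account through the limiter using constructed credentials."""
    users = {"alice": "correct horse"}  # constructed sample data
    verify = lambda u, p: users.get(u) == p
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=100, window_seconds=3600, clock=clock)

    results = {}
    # Three wrong guesses: still allowed, unlike a three-strike lockout.
    for _ in range(3):
        attempt_login(throttle, verify, "alice", "wrong")
    results["after_three"] = attempt_login(throttle, verify, "alice", "correct horse")

    # 100 wrong guesses inside the window trips the automated-guessing cap.
    for _ in range(100):
        attempt_login(throttle, verify, "alice", "wrong")
    results["at_cap"] = attempt_login(throttle, verify, "alice", "correct horse")

    # Once the window slides past the failures, the user can sign in again.
    clock.advance(3601)
    results["after_window"] = attempt_login(throttle, verify, "alice", "correct horse")
    results["remaining_after_success"] = throttle.remaining("alice")
    return results


if __name__ == "__main__":
    print(demo())
```

Two design choices worth noting: a throttled attempt is refused before the password is checked and is not itself counted as a failure, so an attacker hammering an account cannot keep it locked forever; and a successful sign-in clears the counter, so a user who mistypes a few times is not carrying stale failures into next week.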
I have had the worst web page sign-in experiences with medical sites. I love that I can now access my records and communicate with my doctor online, but it's so difficult to remember how to log in, and I do it so infrequently, that it's a struggle every time. Part of the reason may be the US HIPAA privacy regulations (which are certainly important, don't get me wrong). My doctor's site has extremely strict requirements for passwords and user IDs, and the only way you can get a reminder is by snail mail (and actually they assign you a new password, so you can't sign in if you happen to remember it before the mail arrives). So what happens to me is I'll get a phone message or email that just says "you have a message -- please log in." I try to log in and fail, so I request a reminder. Two weeks later I receive a new password in the mail, but by that point I've already called them so I don't need to log in. The letter with the new password gets buried (or I choose a new password and forget it) and then months later I go through the whole thing again. Granted I'm not the most organized person in the world, but this still seems tougher than it should be.
See also this article by Anna Pickard in the Guardian today: Are you suffering from password pressure?