The damn thing called password
Having the responsibility for pages like ‘login’ and ‘create account’ comes with a lot of pain. I don’t mean psychical pain. No, mental pain. Why? Because I experienced you can’t increase the login success to 100%. Even 90% seems difficult in my opinion. This all has to do with having passwords. Ok, and a few other difficulties.
At the ANWB we still offer, like most websites, a username and password login. If your users are regularly coming back you can assume they will know their username and password. But if you have users that login once a year to your website you should be realistic. They don’t know their password! And even don’t know their username. This creates a frustration overload and we see this in user feedback from the NPS and the virtual assistant called ‘Iris’.
There are multiple things which can go wrong with a password for a user:
· First not knowing the password, retrying multiple times and trying to guess it
· Not noticing that caps lock was on and retry multiple times
· Typing a wrong password, because they can’t see what they typed in
To deal with these problems users will search for other ways to remember a password: choosing a password that is very short, in most cases with their own name in it and reusing a password that they use for multiple websites. There’s the problem…
Because we make it so difficult for users to login, we’re bringing another problem to the table: Security. Passwords are no longer safe when they have your name in it, when they are short and used everywhere. Your users account can be hacked in an instant and this results in a violation of their privacy.
Survey
We did a survey where we asked to fill in the most preferred ways to login and users were still saying that login with username and password is most preferred with 24% of 1810 respondents. Others chose for login with e-mail and password with 19% and a large group preferred fingerprint (12%).
We can conclude from this survey that offering password is still fine with our users. From my experience this depends on the availability of alternatives the market. For example, fingerprint is a smaller group, because it’s not used by many websites yet. This means users are not always familiar with different ways to login in besides e-mail, username and password. This creates possibilities to get users familiar with other ways and perhaps we can make logging in easier. Not more fun, sadly.
What we also saw in the survey is that the second most frustrating thing was: not giving a notification when caps lock is on. Users would try over and over again to fill in the right password, but without seeing the green light on their keyboard they will eventually end up in the ‘forget password’ flow. With something so simple to fix, you would think it has a great impact on logging in successfully. Think again…
First thing we did was testing how many people have caps lock on when writing their password and not even 1% of the user within that test had their caps lock on. With that you can concluded two things: user don’t have capitals in their password or they fill in the capital with the shift key. We make it mandatory in our flow to create a password that includes at least one capital. So they probably use the shift key. That’s not a bad thing, but good to know. Because now you can exactly find out how they create and write their passwords.
The reason we did this test was to see if we had to pay attention to the problems from the survey. Eventually we decided not to notify the user that caps lock is turned on. It could be something that the user is already aware or do in a different way. I learned as a UX Designer that users will say something else then they will do in real life. They have been lying to me, Shock! They will definitely lie to you.
Another frustration we learned from the survey is not seeing the password when they are typing and we get that. Most websites already offer the functionality ‘show password’ and from the survey we can see that 23% of the respondents finds it frustrating their password is hidden. It’s on the fourth place of frustrating things.
23% of the 1810 respondents in the survey finds it frustrating the password is hidden
We started by setting a test up for ‘show password’. We made an A/B test where we had the current version and the variant with the ‘show password’ functionality. We hoped that the error messages would drop and that the success of login would increase. Sadly, the data wasn’t correct at the end of the test so we’re setting it up again to get better results.
Focus group
We also organized a focus group session with users and they have a lot of frustrations regarding the password. Here are a few:
· Users are annoyed when a password has to comply with certain rules. Like multiple characters, using a capital and a number. This increases the chance of forgetting their passwords.
· They say that they’re using the same password for multiple accounts.
· They expect to be able to retry the password 3 to 5 times. Giving a maximum number of attempts is more important and more logical when the account contains sensitive information. The limit gives users the space to try a number of variations of their password, without a hacker being able to try all combinations without constraints.
· A number of respondents expect to be able to try the password again after a certain time. The time frames that were mentioned vary from a few minutes to a day.
· The respondents expect to be able to request a password quickly as possible for example with e-mail. When they have to wait for help this will cause irritation.
Usability test
We observed in usability research that users would prefer not to login with a password if they don’t use an account often. They see a risk that they won’t remember the password.
In the usability test we researched other ways to log in without filling in a password. We tested the following ways to login: Magic link, SMS-code and QR-code and login trough an application.
We observed that there was no winner at the end. Some people preferred to login with SMS-code and other with QR-code, but that was mostly because they were familiar with these types of logins.
The magic link is a new method to login. You can see that users find it easy to login, but they can’t understand how this could be safe. It’s so simple but is it secure to use?
We have a lot of insights about people’s frustrations with filling in their password. Still we have a login success of 77% and that’s not bad considered we don’t have many users that login frequently.
Service
We conducted more research, because we asked ourselves ‘why are users asking for functionality, but ending up not using it?’. A scenario came to mind. When I go to the dentist they will do a check on your teeth. What do you see and use when you’re waiting for the appointment? You can get water, you can read a magazine, maybe you can see a video of their product and services. These are all things we see as a service from the dental practice. Those things do not affect the quality of the dentist appointment and it adds nothing to your teeth (except when they are serving coffee).
We conclude at this point that both of the functionalities won’t increase the success rate of login for our users, but it can add extra service when users want to log in.
Next?
The next step is to find out how we can offer login with e-mail and eventually provide multiple ways to login in for the user. Of course, without having to fill in that damn thing called password!
Sanne Kloot is a UX Designer from Rotterdam and works at the ANWB. She is responsible for the UX design of ‘Single Sign on’ and ‘Poncho, the ANWB Design System’.
