A few days ago, I tried to log into my alternate Facebook account, one I hadn’t logged into for a while. After the first or second failed attempt at logging in (I couldn’t remember the password), my mail client rang and I saw the following email from Facebook:
This struck me as a fantastic touch and a great usability boost. It also made me think about the usual login flow in sites, and I realized that email is, in my opinion, underutilized in the login process. There’s really no reason we shouldn’t assume that a user has forgotten their password after three (or so) failed attempts, and proactively send them a password reset email or, even better, an instant login link (single-use, short-lived, and sent at most once per window, so that someone else’s failed attempts can’t be used to flood your inbox).
Instead, most sites force users through a time-consuming password reset process, usually making them re-enter their email address in the “forgot my password” box, even though they have already entered it several times on the login form. The usability of the typical login workflow is really rather bad, and almost nobody takes the obvious steps to improve it.
Experimenting even further with this, I tried a different way of authenticating with YourPane, a small project I wrote when I wanted to easily share links with specific friends. YourPane doesn’t use a username and password combination at all. Instead, you enter your email in the box, and it sends you an instant login URL (which you can save and use whenever you like).
That experiment has not been a tremendous success, as people expect the usual username/password boxes, or some sort of “connect with X” button. That doesn’t mean we can’t make users’ lives easier by anticipating common scenarios and acting on them, though. For example, most services that require email verification don’t log you in automatically after you click the verification link, forcing you through a pointless extra step.
The time when we were afraid of storing state for trivial things (such as the number of failed login attempts per user) because of performance considerations is long gone. We have Redis now, and it’s trivial to keep that counter for any number of users and have it expire on its own after a few minutes (an INCR on first failure followed by an EXPIRE is all it takes).
I would like to see this behavior become the standard in authentication workflows, along with some sort of “instant login” link that the user can request for a one-time login. There are many services that many of us use infrequently enough that going through the trouble of resetting the password isn’t really worth it, especially since most services make you log in again right after you reset your password!
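Both pieces, the expiring failure counter from the Redis paragraph above and the single-use instant-login link, put together in Python as an added example; this is not code from the original post or from YourPane. It assumes a Redis-style store, and since it has to run offline it ships a small in-memory stand-in with the same INCR/EXPIRE/SET … EX/GET/DEL semantics (a real `redis.Redis` client exposes the same method names). The thresholds, the `example.invalid` URL and the `send_email` callback are placeholders. It goes slightly beyond the text in three ways a practitioner would insist on: the link is sent exactly once per window, the store keeps only a hash of the token, and the token is deleted on first use.

```python
import hashlib
import secrets
import time

# Assumed tunables; the post only says "three (or so)" failed attempts.
FAILED_ATTEMPTS_BEFORE_LINK = 3
FAILED_ATTEMPTS_WINDOW = 600    # seconds the failure counter lives
LOGIN_LINK_TTL = 900            # seconds an instant-login link stays valid
LOGIN_URL_PREFIX = "https://example.invalid/login/"  # hypothetical site


class MemoryStore:
    """Offline stand-in for the Redis commands used below
    (INCR, EXPIRE, SET ... EX, GET, DEL), with lazy key expiry."""

    def __init__(self, clock=time.monotonic):
        self._data = {}      # key -> (value, expires_at or None)
        self._clock = clock  # injectable so a test can fast-forward time

    def _live(self, key):
        item = self._data.get(key)
        if item is None:
            return None
        value, expires_at = item
        if expires_at is not None and self._clock() >= expires_at:
            del self._data[key]
            return None
        return value

    def incr(self, key):
        current = self._live(key)
        expires_at = self._data[key][1] if current is not None else None
        value = (int(current) if current is not None else 0) + 1
        self._data[key] = (value, expires_at)  # INCR keeps an existing TTL
        return value

    def expire(self, key, seconds):
        if self._live(key) is None:
            return False
        self._data[key] = (self._data[key][0], self._clock() + seconds)
        return True

    def set(self, key, value, ex=None):
        self._data[key] = (value, self._clock() + ex if ex is not None else None)

    def get(self, key):
        return self._live(key)

    def delete(self, key):
        return 1 if self._data.pop(key, None) is not None else 0


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "password_hash": hash_password(password, salt)}


def token_key(token):
    # Only a hash of the token is stored, so a copy of the store
    # does not by itself yield usable login links.
    return "login:token:" + hashlib.sha256(token.encode()).hexdigest()


class AuthService:
    def __init__(self, store, users, send_email):
        self.store = store
        self.users = users            # email -> user record
        self.send_email = send_email  # callable(to_address, login_url)

    def login(self, email, password):
        user = self.users.get(email)
        if user is not None and secrets.compare_digest(
            user["password_hash"], hash_password(password, user["salt"])
        ):
            self.store.delete("login:failed:" + email)
            return "ok"
        # Count the failure; the counter expires on its own. With real
        # Redis, run INCR and EXPIRE in one pipeline so a crash between
        # them cannot leave a counter without a TTL.
        key = "login:failed:" + email
        count = self.store.incr(key)
        if count == 1:
            self.store.expire(key, FAILED_ATTEMPTS_WINDOW)
        # "==" rather than ">=": at most one email per window, so a stranger
        # hammering the form cannot flood the account owner's inbox.
        # Unknown addresses are counted but never emailed.
        if count == FAILED_ATTEMPTS_BEFORE_LINK and user is not None:
            self.send_email(email, LOGIN_URL_PREFIX + self.issue_login_token(email))
            return "link_sent"
        return "failed"

    def issue_login_token(self, email):
        token = secrets.token_urlsafe(32)
        self.store.set(token_key(token), email, ex=LOGIN_LINK_TTL)
        return token

    def redeem_login_token(self, token):
        """Email to log in as, or None if the link is unknown, expired or used."""
        key = token_key(token)
        email = self.store.get(key)
        if email is None:
            return None
        self.store.delete(key)  # single use (Redis 6.2+ has GETDEL for this)
        return email
```

The once-per-window rule is the part that makes the proactive email safe to ship: without it, the same counter that helps a forgetful user lets anyone who knows an address turn the login form into a spam cannon aimed at that address.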
Unfortunately, these patterns are so entrenched and ubiquitous that it’s hard to see how they could be improved, even when some of the improvements are obvious once you know to look for them. We should challenge our standard workflows and look for ways to make them easier to use, even when we’re doing things the way everyone else does.