In the first article of this series, I discussed the outstanding user experience Universal Studios provides to its customers while maintaining an extremely secure, well-monitored amusement park. My case is that it is possible for us, in the virtual world, to improve the user experience and maintain security at the same time. Today, I’m going to discuss one of the most frustrating user experiences in security: lack of user feedback. User feedback has become a focus of so many new web features. We even have detailed information about our email subscriptions: which mailing lists we are on, what each one provides, and how often it is sent. Yet we still leave the user feedback around security uncommunicated. When a user logs into a site, these four items must be communicated to them:
- While entering a password, warn the user if their caps lock key is active, in a non-intrusive way.
- After the user enters their username, check if your system can identify them. If they don’t exist in the system, let the user know that their account couldn’t be found. They could have a typo, or need to register for an account.
- After a user enters their password, check that the password meets your rules and restrictions. If it doesn’t, let the user know that the password can’t be correct because it doesn’t meet all of the restrictions. Then, list the restrictions. This additional information could jog the user’s memory of what their password is, or what it is missing.
- If failed attempts at logging into your site will lock the user out of their account, let them know. Tell them how many more attempts they have before the account is locked. In addition to this, tell the user what is required to unlock the account. Their behavior might be different if unlocking their account requires calling customer service M-F, 8am-5pm.
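As an added illustration (this is not code from the article), the following minimal Python login handler returns each of the four feedback messages listed above; the password rules, the five-attempt limit and the unlock instructions are constructed assumptions. Note that the "account not found" message is the article's recommendation and also confirms to anyone asking which usernames exist, so that trade-off should be made deliberately.

```python
import hmac
import re
from dataclasses import dataclass, field

# Constructed policy and lockout settings; adjust to the site's real rules.
PASSWORD_RULES = [
    ("at least 8 characters", lambda p: len(p) >= 8),
    ("at least one digit", lambda p: re.search(r"\d", p) is not None),
    ("at least one uppercase letter", lambda p: re.search(r"[A-Z]", p) is not None),
]
MAX_ATTEMPTS = 5
UNLOCK_INSTRUCTIONS = "call customer service Mon-Fri, 8am-5pm"


def unmet_rules(password):
    """Return the descriptions of every rule the candidate password fails, for listing to the user."""
    return [desc for desc, ok in PASSWORD_RULES if not ok(password)]


@dataclass
class LoginService:
    # username -> password. Plaintext only for this illustration; a real system stores password hashes.
    users: dict
    failures: dict = field(default_factory=dict)  # username -> consecutive failed attempts

    def login(self, username, password):
        """Return (success, feedback) with the feedback the article asks for at each step."""
        if username not in self.users:
            return False, "We couldn't find an account for that username; check for typos or register."
        failed = self.failures.get(username, 0)
        if failed >= MAX_ATTEMPTS:
            return False, f"This account is locked; to unlock it, {UNLOCK_INSTRUCTIONS}."
        missing = unmet_rules(password)
        if missing:
            # A password that violates policy cannot be the right one, so it is not counted as an attempt.
            return False, "That password can't be correct; passwords need " + ", ".join(missing) + "."
        if hmac.compare_digest(password, self.users[username]):  # constant-time comparison
            self.failures[username] = 0
            return True, "Welcome back."
        failed += 1
        self.failures[username] = failed
        remaining = MAX_ATTEMPTS - failed
        if remaining == 0:
            return False, f"Account locked after {MAX_ATTEMPTS} failed attempts; to unlock it, {UNLOCK_INSTRUCTIONS}."
        return False, f"Incorrect password; {remaining} attempt(s) remain before the account is locked."
```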