In the first article of this series, I discussed the outstanding user experience Universal Studios provides to its customers while maintaining an extremely secure, well-monitored amusement park. My contention is that it’s possible for us, in the virtual world, to emulate them and improve our experience while maintaining security at the same time. Today, I’m going to discuss one of the most mind-boggling user experience issues in security: updating security information. Providing a good user experience during the registration process isn’t enough. Security runs throughout your system, and a good user experience must be present at every interaction with security. Below, I’ve listed some of the forgotten areas of security and user experience, and how they can be improved.

Parent Accounts

As discussed in the second article in this series, it’s become a common expectation to allow users to log into their account with a Facebook, Twitter, or Google account. When we allow users to do that, our work isn’t done at the login screen. There are alterations to other pages and interactions that have to be made. For example, when a user clicks on their account settings, their account view must reflect someone who has logged in with a “parent account”, such as Facebook, Twitter, or Google. This could include removing the ability to edit the username or password, since your site isn’t the owner of that information. Processes around security questions and account locking should also be re-evaluated. Additionally, if you will allow them to update their email address, you need to explain what it affects, and what it doesn’t. Provide the user with a clear understanding of what this arrangement entails. There’s no standard user experience or interaction for this activity. In fact, the ability to edit such information is often an oversight, and attempts to change it lead to uninformative errors or a system crash.
Lost Usernames / Passwords

When a user forgets their credentials, there are usually a number of hoops he/she has to jump through to recover the forgotten information. This could be as simple as entering an email address to recover the account, or as involved as answering a series of security questions whose answers you’ve long forgotten. Although it’s important to maintain security, it’s also important that your user is able to log into your website. Make this process as easy and straightforward as possible. Many sites have a basic, yet secure, standardized behavior for these incidents:
- Enter your email address
- Receive an email that links to a username recovery page, or password reset form
- Once the form is filled out, return them to the login screen to enter their newly set credentials
- Creating and updating a password have two different experiences
- Data organization is completely different between account registration and account editing
- Account recovery’s look and experience is different from the rest of the site
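The email-link recovery flow listed above (enter an address, follow the emailed link, set new credentials, return to login) has a small backend behind it. Below is an added example, not code from the original article, of what that backend has to get right: the reset token is random, only its hash is stored, it expires and it can be used exactly once, and the "enter your email" step answers identically whether or not the address is registered. The 15-minute lifetime, the injected clock and the in-memory user table are assumptions for the demonstration.

```python
import hashlib
import secrets

# Assumed policy for this example: a reset link is valid for 15 minutes
# and can be used exactly once.
TOKEN_TTL_SECONDS = 15 * 60

def hash_password(password, salt=None):
    """Salted PBKDF2 so a stolen user table still has to be brute-forced."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt + digest

def verify_password(password, stored):
    return secrets.compare_digest(hash_password(password, stored[:16]), stored)

def _token_digest(token):
    # Only a SHA-256 of the emailed token is kept server-side, so a copy of
    # the pending table alone cannot be turned into a working reset link.
    return hashlib.sha256(token.encode()).hexdigest()

class PasswordResetService:
    def __init__(self, users, clock):
        self.users = users    # constructed: {email: stored password hash}
        self.pending = {}     # token digest -> (email, expiry timestamp)
        self.clock = clock    # injected so expiry can be exercised in tests

    def request_reset(self, email):
        """Step 1: the user submits an address. Returns the token to put in
        the emailed link, or None if no account exists. The page the user
        sees must be identical either way, so the form cannot be used to
        enumerate registered addresses."""
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self.pending[_token_digest(token)] = (email, self.clock() + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, token, new_password):
        """Step 2: the reset form posts the token from the link plus the new
        password. Popping the entry makes the link single-use, even when the
        expiry check then rejects it."""
        entry = self.pending.pop(_token_digest(token), None)
        if entry is None:
            return False
        email, expiry = entry
        if self.clock() > expiry:
            return False
        self.users[email] = hash_password(new_password)
        return True  # caller now returns the user to the login screen
```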