“Nice! I get to click the forgot username/password button!” (Said no one ever.)
Like mosquitos, or burning your tongue on microwave pizza, or stepping in gum, the typical account recovery experience is universally hated. But despite our best efforts, we seem unable to avoid it.
According to a 2022 rundown, on average we’ve each got 100 passwords and 53% of us rely entirely on our memory to keep them straight. No big surprise, then, when we’re forced – once again – to jump through the account recovery hoops: answering security questions, waiting on email or text codes, or listening to Kenny G in the help desk queue.
But why is it on us – the user, the consumer, the customer – to do so much password management anyway? If the brands whose apps and websites we use really loved us, wouldn’t they just make it go away?
The answer (IMO) is that they absolutely would … if they knew how.
The knee-jerk explanation for why customers wind up recovering passwords so often is that we’re forgetful or lazy or just not very tech savvy. We forget our usernames. We forget our passwords. We don’t use password managers.
But the real reason is poor design.
If you’ve coded your own sign-in experience, the account recovery process can often be an afterthought. If on the other hand you’re using a customer identity and access management (CIAM) technology, the account recovery features that came with it may be rigid and not so customer-friendly. Either way, once you’ve picked a road to go down, it’s easy to get focused on cooler, shinier things than the password reset button. Marshaling the resources to improve your account recovery process can be a struggle.
While a frustrating account recovery process can be a pain in the neck for customers, it also has a direct impact on your own bottom line. Let’s count the ways:
Clearly, getting account recovery right is worth it – both for you and your customers.
Here are 4 tips that’ll help you avoid account reset risks and reap the benefits of customer-friendly account recovery:
Believe it or not, there are still sites and apps that force their customers to call the help desk to reset their username or password. It’s expensive and massively annoying for your customers, and it makes you vulnerable to sweet-talking attackers who can fool your well-intentioned customer support rep into giving them access to a customer’s account.
Customer support should be the last resort. So move that process online – like, ASAP – by building one yourself or investing in a CIAM solution to help you.
While letting folks pick their own usernames can seem like a customer-friendly thing to do, it also increases the likelihood they’ll forget them. Chances are their preferred option is already taken and they’ll have to think up a new (and less memorable) username on the spot.
Unless you have a specific business reason, it’s best to require usernames to be something unique that your customer has already memorized – like an email address or cell phone number.
It’s also best to display the username on a separate page from the password (more on that in a future post). That said, you may have some customers who still share email accounts or don’t own a smartphone. If so, you’ll have to offer an alternative.
Edge cases aside, user-created usernames are a surefire way to drive your customers into the account recovery loop more frequently.
Thankfully, we’re seeing this one less and less. It used to be that brands in high-risk industries like finance or healthcare would set aggressive password policies that forced customers to change their password on a regular cadence. Like the user-created username (see #2 above), it may seem like changing passwords is in everyone’s interest. However, when your customer is constantly changing their password, it also increases the likelihood they’re going to forget it.
A more modern and customer-friendly approach is to compare your customer’s credentials against a database of known-stolen passwords every time they try to sign in. If that password has been stolen somewhere along the line, then it’s time to ask your customer to change it. If not, they can keep rolling with what they have.
Your engineering team can roll their own integration with a breached password provider, or you can use a CIAM tool that has breached password verification built in.
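Here is what the sign-in-time check described above can look like in practice. This is an added example, not code from the original post or from any particular CIAM product. It follows the k-anonymity range scheme used by Have I Been Pwned’s Pwned Passwords API (the client sends only the first five hex characters of the password’s SHA-1 hash, the provider returns every matching suffix with a breach count, and the comparison happens locally so the full hash never leaves your application); the provider itself is replaced by a small constructed in-memory corpus so the example runs offline, and the `fetch_range` function and the `SUFFIX:COUNT` line format are stand-ins for the real network call.

```python
import hashlib

# Constructed sample breach corpus (not real breach data): a few weak
# passwords with made-up prevalence counts.
_BREACHED_CORPUS = {
    "password": 9_500_000,
    "123456": 37_000_000,
    "letmein": 300_000,
}

def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Index the corpus the way a range endpoint would serve it:
# 5-char hash prefix -> list of "SUFFIX:COUNT" lines.
_RANGE_INDEX = {}
for _pw, _count in _BREACHED_CORPUS.items():
    _h = _sha1_hex(_pw)
    _RANGE_INDEX.setdefault(_h[:5], []).append(f"{_h[5:]}:{_count}")

def fetch_range(prefix: str) -> list:
    """Stand-in for the provider call (assumption: a real provider answers
    a 5-char prefix with 'SUFFIX:COUNT' lines). Only the prefix is sent."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return _RANGE_INDEX.get(prefix.upper(), [])

def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the corpus (0 if never).
    The suffix comparison is done locally, so the provider never learns
    the full hash, let alone the password."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix):
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def sign_in_decision(password_ok: bool, password: str) -> str:
    """The policy from the post: no scheduled rotation; a correct password
    that is known-breached is allowed once, with a forced change."""
    if not password_ok:
        return "deny"
    if breach_count(password) > 0:
        return "allow_but_require_password_change"
    return "allow"
```

Run the breach check only after the password has verified against your own store, so the lookup cannot be used to probe for which passwords a given account might have.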
Yes, it’s possible. And, no, it doesn’t mean anyone can log into your account.
You see, over the last 10 years or so, the FIDO Alliance has made tremendous strides – along with device manufacturers – to mainstream the use of biometrics. You probably know it as Face ID or logging in with your fingerprint, and it’s gradually reducing the world’s reliance on passwords to authenticate users.
The reason FIDO protocols can help eliminate passwords is that they use standard public key cryptography techniques to provide stronger authentication than a typical username and password.
So if you don’t already use some sort of biometric authentication, it’s time to get it on your roadmap. And stay tuned for our upcoming blog on going passwordless.
Optimizing account recovery doesn’t just mean making it easier. It means making it vanishingly rare – or better yet, entirely unnecessary.
I’ll go out on a limb and say that in a perfect world, a customer would NEVER have to recover their username or password. The entire process would be managed behind the scenes without any friction for the user – securely, rapidly, and forgettably.
If you suspect your own account recovery experience is frustrating your customers, drop us a line. We’ve got a solution that does all three—and that has never once been compared to mosquitos.