“Nice! I get to click the forgot username/password button!” (Said no one ever.)
Like mosquitos, or burning your tongue on microwave pizza, or stepping in gum, the typical account recovery experience is universally hated. But despite our best efforts, we seem unable to avoid it.
According to a 2022 rundown, on average we’ve each got 100 passwords and 53% of us rely entirely on our memory to keep them straight. No big surprise, then, when we’re forced – once again – to jump through the account recovery hoops: answering security questions, waiting on email or text codes, or listening to Kenny G in the help desk queue.
But why is it on us – the user, the consumer, the customer – to do so much password management anyway? If the brands whose apps and websites we use really loved us, wouldn’t they just make it go away?
The answer (IMO) is that they absolutely would … if they knew how.
Why account recovery goes wrong
The knee-jerk explanation for why customers wind up recovering passwords so often is that we’re forgetful or lazy or just not very tech-savvy. We forget our usernames. We forget our passwords. We don’t use password managers.
But the real reason is poor design.
If you’ve coded your own sign-in experiences, the account recovery process can often be an afterthought. If on the other hand you’re using a customer identity and access management (CIAM) technology, the account recovery features that came with it may be rigid and not so customer friendly. Either way, once you’ve picked a road to go down, it’s easy to get focused on cooler, shinier things than the password reset button. Marshaling the resources to improve your account recovery process can be a struggle.
The unintended costs of poor account recovery processes
While a frustrating account recovery process can be a pain in the neck for customers, it also has a direct impact on your own bottom line. Let’s count the ways:
- Lost revenue – Ever tried to order a burrito on your way home only to realize you forgot your password? If you can’t reset that password at a stop light, you’ll probably pick a different dinner option. Fewer burritos means less revenue today … and likely next week too.
- Fewer customer insights – Sometimes it’s actually easier to create a new account than to recover your existing one. When that happens, the marketing team loses that customer’s history because it’s spread across multiple orphan accounts. Fewer insights means less personalized service. And bad data can lead to wrong conclusions.
- Increased costs – When the account recovery process goes fully off the rails, customers start overloading the help desk with account recovery calls. Paying that help desk staff is a very tangible cost.
- Compromised security – The account recovery button is a favorite first stop for most attackers. That’s because your customers’ accounts are only as secure as your account recovery process. A slipshod recovery process creates a ripe opportunity for account takeover (ATO). Also, if you’ve got a help desk, that can further increase your vulnerability to social engineering.
4 ways to make account recovery better for your customers
Clearly, getting account recovery right is worth it – both for you and your customers.
Here are 4 tips that’ll help you avoid account reset risks and reap the benefits of customer-friendly account recovery:
1. Make account recovery a self-service task
Believe it or not, there are still sites and apps that force their customers to call the help desk to reset their username or password. It’s expensive and massively annoying for your customers, and it makes you vulnerable to sweet-talking attackers who can fool your well-intentioned customer support rep into giving them access to a customer’s account.
Customer support should be the last resort. So move that process online – like, ASAP – by building one yourself or investing in a CIAM solution to help you.
2. Don’t force (or allow) users to create custom usernames
While letting folks pick their own usernames can seem like a customer-friendly thing to do, it also increases the likelihood they’ll forget them. Chances are their preferred option is already taken and they’ll have to think up a new (and less memorable) username on the spot.
Unless you have a specific business reason, it’s best to require usernames to be something unique that your customer has already memorized – like an email address or cell phone number.
It’s also best to display the username on a separate page from the password (more on that in a future post). That said, you may have some customers who still share email accounts or don’t own a smartphone. If so, you’ll have to offer an alternative.
Edge cases aside, user-created usernames are a surefire way to drive your customers into the account recovery loop more frequently.
3. Don’t force people to change passwords as a routine safeguard
Thankfully, we’re seeing this one less and less. It used to be that brands in high-risk industries like finance or healthcare would set aggressive password policies that forced customers to change their password on a regular cadence. Like the user-created username (see #2 above), it may seem like changing passwords is in everyone’s interest. However, when your customer is constantly changing their password, it also increases the likelihood they’re going to forget it.
A more modern and customer-friendly approach is to compare your customer’s credentials against a database of known-stolen passwords every time they try to sign in. If that password has been stolen somewhere along the line, then it’s time to ask your customer to change it. If not, they can keep rolling with what they have.
Your engineering team can roll their own integration with breached password providers, or you can use a CIAM tool that has breached password verification built in.
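As an added illustration of the sign-in-time check described above (not code from the original post or from any particular CIAM product), here is a Go sketch of the decision logic. It assumes a constructed three-entry breach corpus standing in for a real provider, and models the k-anonymity "range" query style popularised by breached-password services, where only the first five hex characters of the password’s SHA-1 hash leave the application:

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"strings"
)

// Constructed stand-in for a breach corpus: uppercase hex SHA-1 of each leaked
// password mapped to how often it was seen. Real deployments query a provider.
var breachCorpus = map[string]int{
	sha1Hex("password"):    9545824,
	sha1Hex("letmein"):     246000,
	sha1Hex("Summer2022!"): 3,
}

func sha1Hex(s string) string {
	sum := sha1.Sum([]byte(s))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// rangeLookup models the k-anonymity "range" query: the caller sends only the
// first 5 hex characters of the hash and gets back every suffix sharing that
// prefix with its count, so the password itself never leaves the application.
func rangeLookup(prefix string) map[string]int {
	out := map[string]int{}
	for h, n := range breachCorpus {
		if strings.HasPrefix(h, prefix) {
			out[h[5:]] = n
		}
	}
	return out
}

// IsBreached reports whether the password is in the corpus and how often it was seen.
func IsBreached(password string) (bool, int) {
	h := sha1Hex(password)
	if n, ok := rangeLookup(h[:5])[h[5:]]; ok {
		return true, n
	}
	return false, 0
}

// SignInDecision is the step the post describes: it runs after the credentials
// have been verified and forces a reset only when the password is known-stolen.
func SignInDecision(password string) string {
	if hit, _ := IsBreached(password); hit {
		return "require_password_change"
	}
	return "proceed"
}
```

The reset prompt fires only for a hit, so customers with an unbreached password keep signing in without interruption.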
4. Eliminate passwords entirely
Yes, it’s possible. And, no, it doesn’t mean anyone can log into your account.
You see, over the last 10 years or so, the FIDO Alliance has made tremendous strides – along with device manufacturers – to mainstream the use of biometrics. You probably know it as Face ID or logging in with your fingerprint, and it’s gradually reducing the world’s reliance on passwords to authenticate users.
The reason FIDO protocols can help eliminate passwords is that they use standard public key cryptography techniques to provide stronger authentication than a typical username and password.
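To make the public-key point concrete, here is a simplified challenge-response model added for this post (it is not the author’s code and not the real WebAuthn message format): the device keeps a private key per relying party, the server stores only the public key and issues a one-time challenge, and the relying party ID is bound into what gets signed. The relying party names and challenge bytes are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models the user's device; its private keys never leave it.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey } // relying party ID -> key

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a fresh key pair scoped to rpID and hands back only the public
// half, which is all the relying party keeps in its credential database.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Sign answers a challenge with the key scoped to rpID, binding that ID into the
// signed data so the response cannot be replayed to a different site.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for this relying party")
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
}

func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}

// Verify is the relying party's check: given the user's stored public key and
// the one-time challenge it issued, it accepts only a signature over both that
// relying party ID and that challenge. There is no server-side secret to leak.
func Verify(rpID string, pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(rpID, challenge), sig)
}
```

A stolen credential database yields public keys only, and a signature captured on one site fails verification everywhere else because the relying party ID is part of the signed data.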
So if you don’t already use some sort of biometric authentication, it’s time to get it on your roadmap. And stay tuned for our upcoming blog on going passwordless.
The best account recovery process is the one you don’t notice
Optimizing account recovery doesn’t just mean making it easier. It means making it vanishingly rare – or better yet, entirely unnecessary.
I’ll go out on a limb and say that in a perfect world, a customer would NEVER have to recover their username or password. The entire process would be managed behind the scenes without any friction for the user – securely, rapidly, and forgettably.
If you suspect your own account recovery experience is frustrating your customers, drop us a line. We’ve got a solution that does all three – and that has never once been compared to mosquitos.