4 tips for building a customer-friendly account recovery process
"Nice! I get to click the forgot username/password button!" (Said no one ever.)
Like mosquitos, or burning your tongue on microwave pizza, or stepping in gum, the typical account recovery experience is universally hated. But despite our best efforts, we seem unable to avoid it.
According to a 2022 rundown, on average we've each got 100 passwords and 53% of us rely entirely on our memory to keep them straight. No big surprise, then, when we're forced, once again, to jump through the account recovery hoops: answering security questions, waiting on email or text codes, or listening to Kenny G in the help desk queue.
But why is it on us (the user, the consumer, the customer) to do so much password management anyway? If the brands whose apps and websites we use really loved us, wouldn't they just make it go away?
The answer (IMO) is that they absolutely would … if they knew how.
Why account recovery goes wrong
The knee-jerk explanation for why customers wind up recovering passwords so often is that we're forgetful or lazy or just not very tech savvy. We forget our usernames. We forget our passwords. We don't use password managers.
But the real reason is poor design.
If you've coded your own sign-in experiences, the account recovery process can often be an afterthought. If on the other hand you're using a customer identity and access management (CIAM) technology, the account recovery features that came with it may be rigid and not so customer friendly. Either way, once you've picked a road to go down, it's easy to get focused on cooler, shinier things than the password reset button. Marshaling the resources to improve your account recovery process can be a struggle.
The unintended costs of poor account recovery processes
While a frustrating account recovery process can be a pain in the neck for customers, it also has a direct impact on your own bottom line. Let's count the ways:
- Lost revenue: Ever tried to order a burrito on your way home only to realize you forgot your password? If you can't reset that password at a stop light, you'll probably pick a different dinner option. Fewer burritos means less revenue today … and likely next week too.
- Fewer customer insights: Sometimes it's actually easier to create a new account than to recover your existing one. When that happens, the marketing team loses that customer's history because it's spread across multiple orphan accounts. Fewer insights means less personalized service. And bad data can lead to wrong conclusions.
- Increased costs: When the account recovery process goes fully off the rails, customers start overloading the help desk with account recovery calls. Paying that help desk staff is a very tangible cost.
- Compromised security: The account recovery button is a favorite first stop for most attackers. That's because your customers' accounts are only as secure as your account recovery process. A slipshod recovery process creates a ripe opportunity for account takeover (ATO). Also, if you've got a help desk, that can further increase your vulnerability to social engineering.
4 ways to make account recovery better for your customers
Clearly, getting account recovery right is worth it, both for you and your customers.
Here are 4 tips that'll help you avoid account reset risks and reap the benefits of customer-friendly account recovery:
1. Make account recovery a self-service task
Believe it or not, there are still sites and apps that force their customers to call the help desk to reset their username or password. It's expensive and massively annoying for your customers, and it makes you vulnerable to sweet-talking attackers who can fool your well-intentioned customer support rep into giving them access to a customer's account.
Customer support should be the last resort. So move that process online (like, ASAP) by building one yourself or investing in a CIAM solution to help you.
2. Don't force (or allow) users to create custom usernames
While letting folks pick their own usernames can seem like a customer-friendly thing to do, it also increases the likelihood they'll forget them. Chances are their preferred option is already taken and they'll have to think up a new (and less memorable) username on the spot.
Unless you have a specific business reason, it's best to require usernames to be something unique that your customer has already memorized, like an email address or cell phone number.
It's also best to display the username on a separate page from the password (more on this in a future post). That said, you may have some customers who still share email accounts or don't own a smartphone. If so, you'll have to offer an alternative.
Edge cases aside, user-created usernames are a surefire way to drive your customers into the account recovery loop more frequently.
3. Don't force people to change passwords as a routine safeguard
Thankfully, we're seeing this one less and less. It used to be that brands in high-risk industries like finance or healthcare would set aggressive password policies that forced customers to change their password on a regular cadence. Like the user-created username (see #2 above), it may seem like changing passwords is in everyone's interest. However, when your customer is constantly changing their password, it also increases the likelihood they're going to forget it.
A more modern and customer-friendly approach is to compare your customer's credentials against a database of known-stolen passwords every time they try to sign in. If that password has been stolen somewhere along the line, then it's time to ask your customer to change it. If not, they can keep rolling with what they have.
Your engineering team can roll their own integration with breached password providers, or you can use a CIAM tool that has breached password verification built in.
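As an added example (not code from this post or from any CIAM product), here is the sign-in-time breached-password check described above, done the privacy-preserving way that range-query services such as Have I Been Pwned's Pwned Passwords work: the client sends only the first five hex characters of the password's SHA-1 and matches the rest locally, so the provider never sees the full hash. The breach corpus is constructed, the provider endpoint is simulated in-process, and the function names are my own.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-in for a breach corpus: (password, times seen in breaches).
# A real provider holds hundreds of millions of entries; these are made up.
CONSTRUCTED_BREACHES: List[Tuple[str, int]] = [
    ("password123", 125_000),
    ("qwerty", 3_900_000),
    ("letmein", 42_000),
]

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(breaches: List[Tuple[str, int]]) -> Dict[str, Dict[str, int]]:
    """Provider side: index hashes by their first 5 hex chars (the 'range'),
    mapping each remaining 35-char suffix to its breach count."""
    index: Dict[str, Dict[str, int]] = {}
    for pw, count in breaches:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index

RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHES)

def query_range(prefix: str) -> Dict[str, int]:
    """Simulated provider endpoint: accepts only a 5-char prefix and returns
    every suffix in that range, so it never learns which password was checked."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    return RANGE_INDEX.get(prefix.upper(), {})

def breach_count(password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix here."""
    digest = sha1_hex(password)
    return query_range(digest[:5]).get(digest[5:], 0)

def sign_in_decision(credentials_valid: bool, password: str) -> str:
    """Policy from the post: check at every sign-in; require a change only if
    the password has turned up in a breach, otherwise let the user keep it."""
    if not credentials_valid:
        return "deny"
    if breach_count(password) > 0:
        return "allow_then_require_password_change"
    return "allow"
```

Run the breach check only after the stored credential has verified, so an attacker cannot use the "please change your password" branch as an oracle for whether a guess was correct.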
4. Eliminate passwords entirely
Yes, it's possible. And, no, it doesn't mean anyone can log into your account.
You see, over the last 10 years or so, the FIDO Alliance has made tremendous strides, along with device manufacturers, to mainstream the use of biometrics. You probably know it as Face ID or logging in with your fingerprint, and it's gradually reducing the world's reliance on passwords to authenticate users.
The reason FIDO protocols can help eliminate passwords is that they use standard public key cryptography techniques to provide stronger authentication than a typical username and password.
So if you don't already use some sort of biometric authentication, it's time to get it on your roadmap. And stay tuned for our upcoming blog on going passwordless.
The best account recovery process is the one you don't notice
Optimizing account recovery doesn't just mean making it easier. It means making it vanishingly rare, or better yet, entirely unnecessary.
I'll go out on a limb and say that in a perfect world, a customer would NEVER have to recover their username or password. The entire process would be managed behind the scenes without any friction for the user: securely, rapidly, and forgettably.
If you suspect your own account recovery experience is frustrating your customers, drop us a line. We've got a solution that does all three, and that has never once been compared to mosquitos.
