If you’re in fashion, retro can be a good thing. For car collectors, the word vintage adds value. But when a website asks for your password, a form or an experience with that yesteryear kinda feel can instantly sap your sense of trust.
To help you guard against a login feature faux pas, we pulled together a checklist of questions so you can see how your website stacks up against modern sign-in processes.
There are five big areas you want to look at.
1. How modern is the overall experience?
Before you pop the hood and start looking at the engine, zoom out and assess the big picture. Examine things that span the entire customer sign-in journey by asking these questions:
How many sign-in buttons do you have on your site?
Spoiler alert. If you’ve got more than one, you’ve got too many. It’s still common for sites to have multiple sign-in options for different brands or to have one for customers and another for partners. But best practice is to keep it as simple as possible and offer one sign-in option for everyone. Then, once your customer enters their username, send them down the right path.
Are you serving up a mobile app-first experience?
A growing percentage of online shoppers prefer smartphones over desktops, especially in certain age and income demographics. So if you’re not making it easy to complete every step in the customer journey on a mobile device – especially enabling biometrics (aka Face ID and Touch ID) – it’s time to modernize.
Are your password requirements right-sized?
Does your site impose old school, workforce-driven policies like forcing customers to change passwords every 90 days or demanding crazy-long passwords? If so, you may be defeating the intended purpose.
For one thing, onerous requirements like this aren’t more secure. They just create more friction. Worse, they can drive customers to bad behaviors like reusing passwords from other sites.
A modern approach prompts password changes only when your regular sweeps flag a breached password, and keeps password length to 10-15 characters.
Have you split the username and password screens?
If you require customers to enter all their info on one screen, you’re missing an opportunity … actually you’re missing five opportunities to deliver a better AND more secure experience.
Now that you have a sense of how your site looks from 30,000 feet, let’s dive into the four major parts of the sign-in journey, starting with how your customers register and create new accounts.
2. How modern is the customer registration process?
It’s the moment of truth. When a new customer clicks the “create account” button, what percentage gets through the process? How many start but abandon the effort depends on how hard they perceive it to be and whether it seems worth the hassle. Here are some questions to help you figure out if you’re using best practices.
Do you allow social login?
Like other registration options that don’t rely on passwords, social login eliminates friction and beefs up security – chiefly because a password that doesn’t exist can’t be hacked or stolen. Done right, social login comes with other benefits for brands, too.
Do your forms have unnecessary fields?
Like beauty, “unnecessary” lies in the eye of the beholder. If users feel burdened by your forms – especially if you ask them to provide the same info more than once – you’ll see drop-off in your flows. Think like a customer and minimize the number of fields you collect up front.
You can always ask your customers for more info the next time they log in. For now, just help them get that new account created.
Do your sign-up forms look like they belong to your brand?
We’ve all had that whiplash moment when you click the “register” button and it sends you to a screen that looks completely different. Trained to sniff out phishy schemes, customers often abandon the process when they get that “I’m not in Kansas anymore” feeling. Even so, this suboptimal practice isn’t uncommon because many third-party CIAM systems vary in their ability to reflect the look and feel of your brand’s website.
For a smooth experience that reinforces a sense of security and trustworthiness, make sure every form looks like it belongs on your site.
Do you support password managers?
Until passwordless everything is a reality, your security-conscious customers – 30% globally, according to the latest World Password Day Survey – will keep relying on password managers. So make sure your forms accept copy/paste and allow autocompletion of addresses and other info stored in password manager apps. If you don’t, your customers may revert to reused or easier-to-hack passwords. Or worse, they could click over to a competitor.
Are there dead-ends in your registration process?
When my 401(k) moved and I went to the new bank’s website to register, I only saw options for new accounts, not migrated ones. After a few clicks, I lost patience and called customer service. Ugh.
A modern registration experience guides the user into the appropriate flow and never leaves them hanging (or fumbling for their phones to call your help desk).
3. How modern is your authentication process?
Now that we’ve taken a look at the account creation process, let’s look at something your customers do a lot more often – signing into their accounts.
Do you automatically transition a new customer from registration to authentication?
It’s funny how many brands don’t do this. Each of their newly converted customers, who literally JUST entered all their information and clicked submit, gets routed not to a screen that lets them browse or engage … but to a login screen. Where they have to do it all over again.
The transition from reg to auth is an excellent place to eliminate friction for the new customer. They’ve knocked on your door and introduced themselves. Let them in already!
Do you ask your customers to create challenge questions?
What was the name of your first pet? What was the name of your high school mascot? If you’re asking customers to create these sorts of questions, I’ve got news for you: 2002 called and it wants its login experience back.
Seriously, though, newer options like multi-factor authentication (MFA), Face ID and Touch ID make these questions obsolete. Speaking of which …
Do you allow users to use passwordless MFA (without forcing it)?
For customers who’ve adopted a Face ID/Touch ID digital lifestyle, passwordless is just the way they roll. Security-minded users understand the value of MFA. They don’t want it forced – say, before they’ve decided to make a purchase – but they absolutely want the option to authenticate this way.
Kudos if you’re letting your customers take full advantage of biometrics available on their devices so they can sign in the same way they unlock their phones. You also get full marks if you can send customers a single-use passcode so they never have to create a password for your site.
4. How modern is your account maintenance flow?
News flash! Calling your 1-800 number to update their account isn’t on your customer’s bucket list. How easy do you make it for customers to manage their own accounts online (or get an alert if someone is doing it when they shouldn’t be)?
Can your customer update their account info?
Go to the “account info” section after you sign in. What fields can your customers update? Hopefully the answer is: a lot. If so, when customers update their info, does it update your customer databases like your CRM or CDP? If the answer is also “yes,” you’re in good shape. If not, ask “why?”
Do you alert customers for every account change?
Initial registration, password resets, MFA attempts, new devices logging in. Anytime something new happens or account info changes, the best practice is to send your customer a notification. This enlists your customer in detecting fraud and – when the changes are legit – it builds trust and confidence in your site.
Is account recovery self-service?
In a perfect world of modern online transactions, no customer would ever forget a username or password. Until that world arrives (and we’re working toward it every day), customers need simple tools to reset their passwords. If your customer service team is fielding lots of password calls, there’s probably an opportunity to step up your game. (And if so, here are 4 tips for moving your account recovery process online).
5. How modern is your consent management?
Last but not least, take a look at how you manage customer consents. These days customers expect (and many privacy regulations require) that they have control over what information companies hold and how they use it. Here are a couple of quick questions to see where you stand.
Are all your consents implicit?
At any point in the journey, you may need to ask your customer to accept terms and conditions, verify their age, agree to receive marketing emails, or otherwise consent to something. Lots of brands treat all consents the same, often with fine print that says, “by using this site you agree to everything we want you to.”
Forcing customers to agree isn’t exactly a great way to start a long and trusting relationship.
In a post-GDPR world, consent management is tricky. So tricky that we wrote a whole beginner’s guide and chased it with 5 questions to help make sure that your legal team AND your customers will be happy with your consent flows.
Can customers revoke consents?
In short, if you collect consents up front but users can’t change them afterwards, you’re out of date. Full stop.
If keeping up with all this sounds like a full-time job, that’s because it is. (One we happen to love.)