Login persistence has to be one of my top three UX annoyances. I see it everywhere, on tons of sites, big and small. Login friction is a huge problem and yet so many get it wrong.
I have a couple of theories about why this is. Login persistence seems like a minor issue and it’s never URGENT so it never makes it up to the top of the list to get fixed. Also, there’s no real upside for a developer in reducing security. Setting the login cookie to expire in a year or never means someone *could* impersonate a user on a shared and/or public computer. OH NOES! They could add tons of comments to your TPR report generator site in someone else’s name! OH THE HORROR!

Adding insult to injury is that damnable little “remember me” checkbox. Does it ever do anything? I’d like it if when I checked the box it would make the developer rip a really big windy at that moment. I digress… People are sad when you forget them. ALWAYS REMEMBER PEOPLE.
Amazon has sorted this out. They have millions of people’s credit card numbers. They are a giant retailer. Their risk is much higher than yours and yet they let you put stuff in your cart, show you recommendations based on your personal information, and let you see the contents of your cart. It’s only when you check out that they prompt you to log in. At that point, you have a very clear task to accomplish and are motivated.
How motivated are your users? I hope you’re providing a richer experience to users who are logged in. Yet users are only motivated to log in when they have a specific task to accomplish that requires it.
My proposal for a best practice is this: have user logins persist forever. If you hold sensitive info, such as ecommerce data, reauthenticate right before they access that info. To keep your pretty databases from filling up with random sessions, delete the cookie if a user hasn’t logged in for two or three months. That way even infrequent users will never have to reauthenticate.
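To make the proposal concrete, here is an added example (written for this page, not code from the original post or from support.mozilla.com) of a session store that implements the three pieces: a long-lived login cookie, a step-up re-authentication check before sensitive actions, and deletion of sessions that have been idle for roughly three months. The 90-day inactivity limit, the 15-minute step-up window, the cookie attributes and the class and function names are all assumptions for the example; it also keeps an optional remember-me switch, so that a site with sensitive data can issue a browser-session cookie instead of a persistent one.

```python
"""Persistent login with step-up re-auth and inactivity expiry (added example)."""
import hashlib
import secrets
from dataclasses import dataclass

# Assumed policy values: "two or three months" of inactivity from the post,
# and a short window after which sensitive actions ask for the password again.
INACTIVITY_LIMIT = 90 * 24 * 3600          # seconds
RECENT_AUTH_WINDOW = 15 * 60               # seconds
PERSISTENT_MAX_AGE = 10 * 365 * 24 * 3600  # "forever" for practical purposes


@dataclass
class Session:
    user_id: str
    token_hash: str          # only the hash is stored; the raw token lives in the cookie
    last_seen: float         # drives the sliding inactivity expiry
    last_password_auth: float  # drives the step-up check
    persistent: bool


class SessionStore:
    def __init__(self):
        self._by_hash = {}

    @staticmethod
    def _hash(token: str) -> str:
        # A leaked session table must not yield usable cookies, so store a digest.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user_id: str, remember_me: bool, now: float):
        """Called after the password was verified; returns (raw token, Set-Cookie value)."""
        token = secrets.token_urlsafe(32)
        session = Session(user_id, self._hash(token), now, now, remember_me)
        self._by_hash[session.token_hash] = session
        return token, self.cookie_header(token, remember_me)

    @staticmethod
    def cookie_header(token: str, persistent: bool) -> str:
        attrs = [f"session={token}", "Path=/", "HttpOnly", "Secure", "SameSite=Lax"]
        if persistent:
            # Without Max-Age the browser drops the cookie when it closes,
            # which is what a user on a shared computer wants.
            attrs.append(f"Max-Age={PERSISTENT_MAX_AGE}")
        return "; ".join(attrs)

    def resolve(self, token: str, now: float):
        """Look up the session for a cookie value; None if unknown or idle too long."""
        session = self._by_hash.get(self._hash(token))
        if session is None:
            return None
        if now - session.last_seen > INACTIVITY_LIMIT:
            del self._by_hash[session.token_hash]   # lazy cleanup on next visit
            return None
        session.last_seen = now                      # sliding window: activity extends life
        return session

    @staticmethod
    def needs_step_up(session: Session, now: float) -> bool:
        """True when a sensitive action should ask for the password again first."""
        return now - session.last_password_auth > RECENT_AUTH_WINDOW

    @staticmethod
    def record_step_up(session: Session, now: float) -> None:
        """Called after a successful password re-entry."""
        session.last_password_auth = now

    def logout(self, token: str) -> bool:
        return self._by_hash.pop(self._hash(token), None) is not None

    def purge_inactive(self, now: float) -> int:
        """Periodic job: drop sessions idle longer than the limit; returns count removed."""
        stale = [h for h, s in self._by_hash.items() if now - s.last_seen > INACTIVITY_LIMIT]
        for h in stale:
            del self._by_hash[h]
        return len(stale)


def walkthrough(t0: float = 1_700_000_000.0) -> dict:
    """Constructed scenario: a persistent login observed over several months."""
    store = SessionStore()
    token, header = store.login("alice", remember_me=True, now=t0)
    day = 24 * 3600
    # Two months later the user comes back: still logged in, no password asked...
    s = store.resolve(token, t0 + 60 * day)
    still_logged_in = s is not None
    # ...but viewing something sensitive triggers a step-up re-auth.
    step_up_required = still_logged_in and store.needs_step_up(s, t0 + 60 * day)
    if s is not None:
        store.record_step_up(s, t0 + 60 * day)
    step_up_after_reauth = s is not None and store.needs_step_up(s, t0 + 60 * day + 60)
    # Another 100 idle days and the session is gone.
    expired = store.resolve(token, t0 + 160 * day) is None
    return {
        "persistent_cookie": "Max-Age=" in header,
        "still_logged_in": still_logged_in,
        "step_up_required": step_up_required,
        "step_up_after_reauth": step_up_after_reauth,
        "expired_after_inactivity": expired,
    }
```

The important defensive details are that the raw token is never stored server-side, the cookie is `HttpOnly` and `Secure`, and the step-up check keys off the time of the last password entry rather than off session age, so a year-old login still has to prove itself before touching anything the site considers sensitive.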
We made this change on support.mozilla.com and it has been very well received.
What complexities do you think this would introduce?

17 comments
Planet Mozilla (@planetmozilla) says:
Aug 15, 2011
UX Best Practices: login persistence http://t.co/jJnn8Be
Cary says:
Aug 15, 2011
I can see where you’re coming from, but I actually *like* having the “remember me” option. I think it should be selected by default, but the option is nice to have: If I’m on a friend’s computer and I log in to some site to check a message or look something up, I don’t want it to remember my account… that’s not my computer. Furthermore, I’m not about to go rooting around in their cookies to purge my session’s login persistence info. Now, one might argue that I should simply make sure to log out before handing the computer back over. There are two problems I see with that: 1. People (read: *all* people) forget to log out (plus if there’s no “remember me” box, decades of conditioning have taught us that the site will not remember you). 2. From a UX perspective, logout is very rarely a pleasant ordeal and, like the “remember me” checkbox, it’s not a make-or-break feature from a designer’s point of view…. your logout functionality is not going to cost you any traffic. So there’s little incentive to give that feature much thought. The fewer people clicking logout on your site, the better… for a host of reasons.
TL;DR I can agree that “remember me” is good default functionality, but I think some users (like me) would really feel robbed if it was no longer optional.
Xavier Mouton-Dubosc (@dascritch) says:
Aug 16, 2011
Comfort vs. security. I’m not sure Crystal Beasley of Mozilla is right to remove the “remember me” box http://t.co/88nKks1
Ed says:
Aug 16, 2011
But Amazon is an example where login details are needed last. What happens on Digg or Mozilla, when you need to vote on bugs or news?
Isn’t having “Remember Me” an option for those who use the site on a public computer? No?
Jonathan Lupo UX (@userexperience) says:
Aug 16, 2011
UX Best Practices? I disagree. #login persistence
http://t.co/nSGLjzK
Zabisco (@Zabisco) says:
Aug 16, 2011
Worth reading… interesting & valid points RT: @userexperience UX Best Practices? I disagree. #login persistence http://t.co/opZ586Z
Tony Mechelynck says:
Aug 16, 2011
There is another sort of “Remember me” widget, which doesn’t use popups anymore nowadays (it used to), but doorhangers. It remembers me forever (if I decide that I want my password & username to be remembered on this computer). Even if it does forget me (e.g. because I used a different browser or a different profile), I can even wait a few seconds or minutes, and only click “Remember me” after I see that I didn’t mistype the password. I’m not advocating its exclusive use to the exclusion of login cookies or whatever, but on computers like this one (where I’m almost the only user, and if by exception a visitor needs to access the Internet I log him/her in with a different login name), the Password Manager is a nice thing to have to bring up my password when, after a day, a month or a year (depending on which site I’m on) the login cookie expires.
And yes, when I’m not at home but on some public workstation, I need to make sure that once I go away my credentials are forgotten. Firefox (but not SeaMonkey and, I think, not Thunderbird) has “Private Browsing Mode”. Or I could triple-check that I log out before I leave the booth. And of course not check “Remember me” on this computer: I don’t want any random computer on the market place to remember my passwords when it’s out of my sight. But this is IMHO a case where redundancy is useful: belt and suspenders, you might say.
Crystal Beasley says:
Aug 16, 2011
I agree that on sites like Facebook, anything that has financial info, email providers, and such that have especially sensitive info there should still be a remember me option. Indeed most of them do have it. However, on the long tail, 98% of sites, there’s so little risk of
a) anyone else even using the same site as you, so how would they discover that you’re already logged in?
b) anyone caring to do malice on some random site
Most of us aren’t working on sites that fit into the sensitive info category, so we should reduce the user friction as much as possible.
Ed: I think you should be able to vote and comment without reauthenticating.
I’m hoping some others will chime in on what situations you’re specifically worried about.
Dave Dash (@dave_dash) says:
Aug 16, 2011
Logged in is forever…
http://t.co/TRMsFF7
#wontsomebodythinkabouttheuser
/via @skinny
Onward Search (@onwardsearch) says:
Aug 17, 2011
Funny little read about #UX Best Practices – Login Persistence http://t.co/0EIpq0n via @skinny
Colleen Swanger (@cswanger) says:
Aug 17, 2011
UX Best Practices: login persistence – http://t.co/b5fZgXu
Danny Moules says:
Aug 18, 2011
“OH NOES! They could add tons of comments to your TPR report generator site in someone else’s name! OH THE HORROR!”
If there’s a login, there’s something worth protecting even if that’s just an identity. If it’s not worth protecting cut out the middleman and don’t waste time with a bespoke login at all.
Saying something is important enough to justify a login but not important enough to bother providing people with the option to keep that login secure makes no sense. It’s like handing someone a door key and then saying “but if you need to get in, you can always use the one hung on the wall there – don’t worry, only people in this flat are near to that wall and they’re all sound.”
“Amazon has sorted this out.”
Really? At my enterprise Amazon has almost single-handedly resulted in the banning of accessing e-commerce web sites in our contracts. The reason for that clause? Because the company doesn’t want to be liable if another employee comes along and buys something on my account. That doesn’t sound like a success story to me.
“a) anyone else even using the same site as you, so how would they discover that you’re already logged in?”
History. Awesome bar. Watching over your shoulder. Behaviour patterns. Somebody looking to cause mischief is going to beeline straight for those. The opportunity is staring them in the face.
“b) anyone caring to do malice on some random site”
You’re making security assumptions on the grounds that everyone is huggy and friendly? ‘Fraping’ is standard practice – it doesn’t take much imagination to see why somebody would think to sneak onto your machine and, perhaps, do something ‘funny’ which happened to be malicious as well. It happens around me on a daily basis.
You may trust your colleagues and that random dude in the library not to think “hey, I can post some swear words on this guy’s work account and get him fired. That’d be funny” but I certainly don’t. I don’t appreciate you choosing to make that decision for me instead of giving me, as a user, the freedom to choose.
But thanks for the heads up: I now know support.mozilla.com should not be used on a public/work machine without taking extra precautions out of my way which damage my UX because I need to make behavioural exceptions for that site that I do not for any other as they all provide a consistent method of bypassing it: The “Remember Me” box.
Crystal Beasley says:
Aug 19, 2011
Using the locked door as the metaphor isn’t very helpful for most sites. The useful metaphor is recognizing a friend’s face so you can call upon your history together to have a meaningful conversation.
I refuse to lock down sites to the nth degree because of malicious users for the same reason I don’t believe being forced to take off my shoes at the airport makes me any safer. It’s security as theater.
Users absolutely have the freedom to logout of any site at any time. Private browsing is always a good idea if you’re not on your own personal machine. Also, you’re not required to log into support.mozilla.com to use the majority of features.
The risks are almost equal in having the session never expire as having it expire in one day. Should users have to reauthenticate themselves every 30 minutes? Every 5? It’s just an absurd way to approach it.
Relying on sessions for real security will never be the solution.
Henrik Nyh (@henrik) says:
Aug 20, 2011
"People are sad when you forget them. ALWAYS REMEMBER PEOPLE." (http://t.co/qvKpwzM by @skinny)
Adam DuVander (@adamd) says:
Sep 18, 2011
@JamesChevalier A recent post from @skinny about login persistence. http://t.co/JJQF3QOQ
Jensen Samuels says:
Jan 5, 2012
@dannymoules – if you are THAT worried that someone will use your computer to buy something on Amazon, why are you leaving your computer unsecured? AND – if people around you are THAT nefarious, do you think they wouldn’t be able to find out your password? A cleverly hidden webcam, social engineering or even a key-logger can easily be used to get your password and then OH NOES – THEY’VE ORDERED FROM AMAZON! BTW – remind me to not go to work for your company. Their “use an atom bomb to kill a fly” way of doing things means I wouldn’t get along well with them. See, I just HATE stupid people.
Iza Bartosiewicz (@Mr0wka18) says:
Jan 15, 2012
#UX Best Practices: login persistence http://t.co/uf3a4jTi #webforms