![\"Proper](\"https:\/\/marvel7077.wpengine.com\/wp-content\/uploads\/2020\/02\/1O01aZXEvuCcodOc4IYcmyw.png\" "\\"Sign")
<\/a>Proper field grouping and field identification<\/p>\nFrom an HTML standpoint, clearly indicate the field in the input (through the autocomplete standard \u2014 see here<\/a>), to help the browsers autofill the information.<\/p>\n The rule should be to indicate the strength of the password, but if the password doesn\u2019t fall into the common category, don\u2019t stop the user from signing up. The rationale is simple \u2014 if they have to come up with a new password, they\u2019ll most likely forget it and the next time they want to login, they\u2019ll drop off.<\/p>\n The most hated of input forms are those that wait for you to fill up all your details and then show the errors in a list at the top of the form, during which time, the password you entered is gone (\u201csecurity\u201d).<\/p>\n Using errors which are human-friendly is a good way to ensure that people don\u2019t drop off.<\/p>\n Most inline form validation make the error of checking as I type. Here is the logic you should use:<\/p>\n This should stave off any ugliness with the validation.<\/p>\n Unless it is a business requirement, do not stop users from accessing their account just because they haven\u2019t clicked on the link you\u2019ve sent. This is especially true for eCommerce \u2014 there is no need for an eCommerce site to verify the email address. For online products, you can always restrict user-facing actions till an email is verified.<\/p>\n I\u2019ve found that services that offer 3\u20135 days to verify the email, tend to get a lot more drop offs. It is better to ask for verification after<\/em> the user has entered the portal and wants to take some action.<\/p>\n If a user enters an email that already exists in your database, don\u2019t just tell the user that the email exists. That\u2019s a dead-end. Provide the reason and actions, the user can take:<\/p>\n The sites that directly take the user to the login page are horrible! The user was expecting something like a thank you for signing up and they\u2019re faced with another form. Terrible experience!<\/p>\n If possible, try to do an inline verification of the email. It saves the user the trouble of entering the rest of the fields.<\/p>\n Security note<\/em>: I know that it is foolish to provide an API to the blackhatter to check which emails exist in your database, but if you are smart about it \u2014 using throttling or adding a device fingerprint layer to restrict the number of calls made, you are saving so many users the trouble of getting lost in the journey.<\/p>\n I don\u2019t know why there aren\u2019t more sites offering a single identity sign-on? For simple signups like eCommerce or product trials, the facebook\/twitter\/google sign ups are the easiest to do. Within these, however, there are sub-rules you should follow:<\/p>\n As simple as it sounds, a tab sometimes doesn\u2019t lead the user to the next field. That\u2019s the expected behaviour. Test your form and see if some link or input assistance tag gets highlighted. Use <\/a>tab-index<\/a> attribute to help you out.<\/p>\n Here are some additional suggestions depending on your systems and requirements:<\/p>\n . . .<\/p>\n So many sites do not<\/strong> apply email field validation (the standard regex one). Your system has the information that the email format is incorrect \u2014 indicate!<\/p>\n For a database lookup, it\u2019s a security gamble \u2014 the same security note from Rule 6 of Sign up applies.<\/p>\n If your user has entered the email and you\u2019ve told him that the combination is incorrect, she should not have to type the email again in the password reset field. If possible, make the transition quick and simple \u2014 hide the password field and change the button to say, \u201cReset your password\u201d after the user has clicked on that option.<\/p>\n If a user tries to enter the password more than once, offer to reset the password with a single click. Don\u2019t make them click on another button.<\/p>\n A system generated password adds a separate step in the reset password journey. The journey of reset password should be simple:<\/p>\n See how we jumped the login again with the password option? What are we trying to do with the login again step? Building muscle memory? Giving the autocomplete the opportunity to update the records? You have already verified the ownership of the account. You need not re-type the entire combination again!<\/p>\n This brings us to rule 13.<\/p>\n Majority of the users are now on some password manager or the other. Only a few choose to still remember their email\/password combination for the hundred-odd sites they use. The password managers have evolved to even sense a reset password to update their vaults.<\/p>\n If you have a mobile app, it would be ridiculous to force to use the complicated email\/password or SSO logins. Most devices have exposed their authentication options (like fingerprint ID or faceID) to let apps use that as the authentication logic. Here is how the flow should go:<\/p>\n Again, should be a norm. Standard rules in Rule 7 should apply, with the following extensions:<\/p>\n This isn\u2019t for sites that store tokens of credit cards, though it would be good if you enable it. This is for those sites that store money through credit\/wallet balance. Again, not all your users have credit\/wallet. Enforce the two-step authentication for those with something to lose. E.g. if I have just signed up and have no credit\/wallet balance, there is no need for me to have a two-step right away. Contextualize your enforcement policy.<\/p>\n On two-step, best combinations are:<\/p>\n The fastest in my experience is the email + push. It always<\/em> works. And keep it simple. Microsoft authenticator adds a really silly layer of choosing a particular number in a list of numbers. If I have access to both devices (the login device & the verification device), I just need to tap on the approve message. Don\u2019t make me solve a sudoku puzzle!<\/p>\n As the authentication journeys become complicated, fewer users will go down certain paths. Provide a way out if the user ends up in a loop. Give them the option to fall back to the old-faithful method of email\/password.<\/p>\n Unless your site holds sensitive information, allow persistent logins. This is especially true for eCommerce sites. Persistent logins allow the user to experience the site and the actions they\u2019ve taken. You are a UX criminal if you auto-logout users after a certain time. Sessions may expire, but let the users actions (like items added to cart) remain. You can restrict access to personal information with a password prompt, outside of session expiry. Amazon does this beautifully by keeping you partially logged in and asking for authentication only when you need to access personal information.<\/p>\n If you have a mobile app and you log me out after a day, shame on you. Mobile apps need to have permanent logins (standard exceptions apply). You can be assured that no public devices are used to login to the app.<\/p>\n . . .<\/p>\n Sometimes, you need to get the user to login to simplify the subsequent steps of the journey. We\u2019ll focus on eCommerce journeys of checkout, check order status and abandoned cart. But, before that, if you have a mobile app, make sure that all links from emails\/SMS are deep-linked. I don\u2019t want to experience a silly browser journey on a mobile device that has an app with me logged-in.<\/p>\n During the checkout journey, the first step is usually the part where the user logs-in or provides an email. Visually prioritize the guest checkout option. The flow can be (for a non-logged in user with account):<\/p>\n Note: There is no forgot password. User basically goes through with it or continues.<\/p>\n 4. If the login attempts are unsuccessful, politely inform the user to not worry and that you\u2019ll tie the transaction to their account (and do it!). They have to be brought back smoothly \u2014 make sure the user <\/em>closes the modal on their own. If you close the modal, on behalf of the user, that\u2019ll piss them off.<\/p>\n Imagine if you were at the grocers, at the checkout line and when you provided your loyalty card, the cashier added 4 more items to your bill that you added to your basket the last time you were there? Wouldn\u2019t you hate it?<\/p>\n Merging session is fine when the user logs in before jumping into the checkout journey. Then again, you shouldn\u2019t just merge \u2014 identify them separately in the cart and ask if the user wants to add them to the new cart they have & give an option to \u2018Save for later\u2019. Your objective is to reduce the number of decisions the customer has to make before going into the checkout journey.<\/p>\n If you find that there are items in the users previous cart during the checkout flow, display them on the thank you page, with a simple message \u2014 \u201cyou had these items in your previous cart, do you want to buy them now?\u201d. At that point, add those items to the new cart and take them straight to the review page \u2014 where their previous choices (like shipping address, payment type has been selected) and the basket total is shown. They should be able to select the items they want to buy and save for later. Simplify the journey.<\/p>\n If a user doesn\u2019t have an account, it\u2019s best to ask them to create a password for their account on the Order Confirmation\/Thank you page. Don\u2019t ask for repeated information. You already have all the information you need to create the account. Just the password is missing.<\/p>\n There should be two ways a user can check their order status:<\/p>\n Additional information about the order can be kept behind a login prompt. Make sure that after login, the user goes the page that they were intending to go to\u2026<\/p>\n Abandoned cart flows are complicated \u2014 user accessing the link from a browser that they\u2019re already logged-in, or session recreation using SSID in the URL \u2014 things get really complicated from a technical standpoint.<\/p>\n Simplify the Abandoned Cart journey by focusing on one product and get the user to transact that item. If they have items in the cart, show those as additional products they can add. Remember to contextualize your user journeys.<\/p>\n . . .<\/p>\n Most users have come to expect the above as a given. As product managers, we have constraints on the technological wiggle room we get to implement these, but I can assure you, implementing these changes will give your site\/app a UX boost and increase your conversion. Try A\/B on most of these rules and see how your users react.<\/p>\n Thank you for reading!<\/p>\n Originally posted on Rameez's Medium<\/a> page.<\/p>\n Sign-up and sign in journeys have been there ever since the transactional eCommerce begin. But, after 20 years, we still tend to get that wrong. Most of the time, these are dictated by the platform of choice or the UX preference. Debates rage on, in the interweb, on whether a decision by an organization is correct, user friendly and complies… Read More →<\/a><\/p>\n","protected":false},"author":323,"featured_media":19314,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[499],"tags":[],"class_list":["post-19291","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ux"],"acf":[],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n\n\n\n\t\n3. Indicate password policy, but only stop the common ones<\/h3>\n
4. Implement inline field validation & indicate errors onFocusOut<\/h3>\n
![\"\"](\"https:\/\/marvel7077.wpengine.com\/wp-content\/uploads\/2020\/02\/0dL3LIxIax8ItE8ro.png\" "\\"\\"")
<\/a><\/p>\n\n
5. Don\u2019t block access to the account for unverified email<\/h3>\n
6. Don\u2019t just indicate that an account exists with the email \u2014 give options<\/h3>\n
![\"Give](\"https:\/\/marvel7077.wpengine.com\/wp-content\/uploads\/2020\/02\/1SsbNkY1FVXpTBUP3Hloh2Q.png\" "\\"Sign-up")
<\/a>Give users an out for every error they get!<\/p>\n7. Social logins should be the norm!<\/h3>\n
\n
\n<\/strong>Don\u2019t put a sign up with Linkedin on a transactional site. If your region has a popular SSO authority, like WeChat, provide that as an option.<\/li>\n
\n<\/strong>If possible, prioritize the most popular sign-up method. Or push your most prefered method.<\/li>\n
\n<\/strong>If a user signed up using email or some other SSO and is trying to SSO with another, accept it and allow the user to login (as long as the emails match).<\/li>\n
\n<\/strong>If a user sign up using a SSO, and<\/strong> is trying to sign up again through email, indicate the SSO used. In rule 6, we saw the option of reset password or login \u2014 additionally, a message that says, \u201cYou logged in using Facebook\u201d is a good way to remind the user.<\/li>\n
\n<\/strong>It is best to indicate that you\u2019ll use the SSO to only authorize the account and take only the required fields. And not post anything.<\/li>\n<\/ol>\n8. A tab key press should to go to the next field<\/h3>\n
\n
\nI\u2019m looking at you, sites with usernames. Sure, I like the username \u201cThorButOaks69\u201d today, but would I remember it, with its myriad combination of uppercase, lowercase and numbers? I remember my email, but not the username. Allow me to choose the username after I log in!<\/li>\n
\nHere is what your welcome mail should contain \u2014 information about the site they\u2019ve signed up to, what they can do with the account and what awaits them in the future. If possible, add an email verification link just to keep your CRM team happy.<\/li>\n<\/ul>\nRules for Sign-In<\/h2>\n
9. Apply inline validation for the email field<\/h3>\n
10. Reset password should carry the email into the new form<\/h3>\n
![\"Smooth](\"https:\/\/marvel7077.wpengine.com\/wp-content\/uploads\/2020\/02\/1Z1sf3pYt5HMuCe3T5c1grg.gif\" "\\"Sign-In")
<\/a>Smooth transition with email persisting<\/p>\n11. Offer password reset on the third try<\/h3>\n
![\"\"](\"https:\/\/marvel7077.wpengine.com\/wp-content\/uploads\/2020\/02\/1bY84zradwye_EzkOD8r3Hg.png\" "\\"Sign-In")
<\/a><\/p>\n12. Send a password reset link and not a system generated password<\/h3>\n
\n
13. Allow the password managers to capture the users login credentials, if the user wants<\/h3>\n
14. On mobile apps, allow users to use their on-device authentication to login<\/h3>\n
\n
15. SSO as a sign-in option<\/h3>\n
\n
16. Two-step authentication should be a norm for sites that contain sensitive and payment information<\/h3>\n
\n
17. Understand the user's cognitive load for deeper journeys and design \u2018outs\u2019 for errors<\/h3>\n
18. Persistent logins should be the norm for non-sensitive sites<\/h3>\n
Rules for In-Journey Sign-Ins<\/h2>\n
19. Don\u2019t force the user to log in when, without login, the user can complete the journey<\/h3>\n
\n
\nNote \u2014 we\u2019re not showing the message on the same step. The user expectation is to move forward \u2014 meet it.<\/em><\/li>\n![\"\"](\"https:\/\/marvel7077.wpengine.com\/wp-content\/uploads\/2020\/02\/14g_oZfrSCKNRPuTk2AizYg.png\" "\\"in")
<\/a>Order of options in an in-journey sign in modal<\/p>\n20.Upon login, if the user has items from a previous session, OVERWRITE IT!<\/h3>\n
21. Prompt account creation after the primary journey has been completed<\/h3>\n
22. Order status links should not ask for logins<\/h3>\n
\n
23. Abandoned Carts links should not prompt for login<\/h3>\n
Further reading:<\/h3>\n
\n