Friday, 30 December 2011

The Scourge of Unnecessary Usernames

The signup process for a website needs to be as smooth as possible. You’ve got a user to the point where they’re about to sign up. You've mastered the art of lazy registration. Every field you add in a signup form is one more reason for user abandonment. So why is it that many sites still prompt you for a username as well as an email address when signing up?

We've all been there. I guess most of us have a standard username we like to use in these situations. john, oh it’s gone, lets try johndoe, nope that’s gone too, john2148 it is then. Will be sure to remember that one next time round.

In most cases there's no need to force users to come up with a username, since there’s already a unique identifier they've already memorised - their email address. Chances are you’re going to ask them for this anyway.

The only reason to ask for a username in addition to an email address is if you plan to publicly display this on your site (e.g on a forum). Here it makes some sense, but even this could be accomplished by using the email address for login and allowing the username to be an alias (unique and unchangeable if necessary).

It’s possible that people may want to have multiple accounts, but for most applications this is unlikely or even undesirable. In cases where people e.g. need a work account and a personal account, they’ll probably have corresponding emails.

One other option is doing away with passwords altogether, especially where the site is one that will be used rarely (e.g. travel insurance). In cases like this you could just request an email address when users want to login and send them a link which allows one-off access to a time-limited session. If your password reset procedure only requires access to the user’s email address then you lose no security by doing this.

Of course, if you do away with usernames, you need to think about how to deal with people that have lost access to their email addresses (e.g. if they used a work address for a personal service). But depending on the size of your userbase, this may happen infrequently enough that you can handle it manually.

The other increasingly popular mechanism is to allow people to login with a 3rd party service like their Facebook or Twitter account. This is a great idea, especially if you want to encourage people to use their real identities, but in most cases you’ll still need to offer the option of a local login to avoid losing users that don’t have or are unwilling to use such services.

So please, let's just do away with unnecessary usernames.

No comments:

Post a Comment