When to Ask Them to Authenticate

19 Aug 2010 - 11:13am
6 years ago
2 replies
1029 reads
Erica Osher

Hey everyone!

Would love to hear your thoughts on what is the best time to ask someone to log in/sign up.  Do you think it is before they perform the action (for which signing up is required), after they perform the action or as part of the action itself? 

We have tried all three on our site and haven't noticed a real difference in our metrics.


19 Aug 2010 - 12:39pm
Dana Chisnell


  First, it depends on the action users are taking. Important: Authentication is *always* enabling. It is *never* a primary task for users. No normal person actually thinks of authentication as a goal for accomplishing something. (Okay, your CSO might, but he's Paranoid.) So, the key is to make authentication as invisible and integrated as you can make it. (And I'll bet your metrics reflect this.) Any time there's a login tacked on rather than designed in, it's a disruption, an obstacle to the user getting to what she wants to do on your site. What designer would purposely hinder a desired interaction? (Especially if it has to do with spending money on your site.) My design guideline would be Let the user do as much as possible on the site without authenticating explicitly. Authenticate only at the time the system must have it to avoid security risk and not a moment sooner.

  Then ask, *Why* are we authenticating users? Are we risking something? What? Are users risking something? What? If the answer to any of those is "not much" then take that into consideration. And vice versa.

  Also, look at the user's context. Is this at work or part of work? Is this authentication done frequently or infrequently? What else is going on for users at the time you're authenticating them? Is it on a desktop, laptop, or mobile device? Remember that on average, people have between 15 and 25 passwords they use in any given day. Do you want to be one of those? Does your product *need* to be one of those?

  Next, consider the support costs. Can you build the security in up front, elegantly integrating it, perhaps using users' actions to identify and authenticate them rather than having them take deliberate steps to authenticate? Then it's a development cost. If it's tacked on, then password recovery becomes a major support cost. If it's needlessly strong or complex, it's a support cost, and not necessarily more secure.

  Look at examples. Posterous, for example, doesn't require authentication or much in the way of registration to start a blog. You just send in an email with the content you want in your first post. Boom, you're up. Instapaper doesn't require a password. Why would it? You're storing links to things you want to read later, without any personally identifying information. Amazon authenticates the transaction after it has identified the user. After you've purchased one thing on the site, the next time you go back, it will let you keep going until it sees you doing something different or it needds more information. That's why one-click works -- it is looking at the actions the user is taking on the way to completing the purchase. For example, if the customer ships to a different address from the usual, that prompts the system to ask for the credit card information again.

  How *not* to do it is a lesson you can take from the US Treasury. Ever tried to buy a savings bond online? It's the same registration, authentication, and purchase process whether you're buying a $50 bond for a high school graduate or you're an institutional investor buying TBills. You get the idea, I'm sure.

Good luck,



20 Aug 2010 - 8:04am
Ania Powers

I am not reallly sure what do you mean by "Do you think it is before they perform the action (for which signing up is required), after they perform the action or as part of the action itself?"if signing up is required to perform the action, how could they do it afterwards?

Anyway, it depends on what users are signing for, I'd say, and I don't think there is one general answer.
If you compare paying utilities bills and online store, in first case most of users will have bookmarked the page with their account (not necessarily the provider's home page), and the amount they owe will be right there - they just need to login and pay, while in online store they first need to choose the product before doing any action which may require signing up.

Plus, the same person may use different paths depending on which coputer s/he is using - his/her personal one, where s/he has stored passwords, bookmarks (different lading page), option "keep me signed up" checked, or public one (in the office, friend's house, library, where all the process will most likely start from the main page).

Syndicate content Get the feed