Proposal for better login UX

My experience is that logging in to an Elgg site is very painful for a significant number of users. This is not because Elgg is especially bad at the UX, but because the standard for login/registration UX doesn't meet the needs of today's users. I run an Elgg site that is meant to be a secure place for non-technical folks to sign in and discuss sensitive community-relevant updates. The standard Elgg login experience is simply not meeting the necessary UX bar right now.

Current state of affairs:

  1. Access to an email address is required to log in to Elgg.
  2. To verify access to email the first time, we send a verification link (email-with-secret-code).
  3. After that, verifying email is usually done with a password, unless someone forgets the password (all. the. time.), in which case we fall back to the email-with-secret-code approach.
  4. Because of 3, access to an email address is sufficient to log in to Elgg.
  5. Oftentimes, people have multiple email addresses and can't remember which one they used to log in.
  6. Even if you accept usernames, people also can't remember the username they used. Often it's identical to the username part of the email they used, but then there's still the "which email" problem again. If it conflicts with any existing accounts on the system, they have to pick a slightly (or very!) different username, which is then harder to remember.

Some comments I've heard from users about what they're doing, or what they suggest to me, to ease the login experience:

  • We have a bunch of people (think 12+ people in a sub-community) share the same account info.
  • Can't we just have one username and password for everyone?
  • Simple passwords (easy to remember but also short and easily guessable)
  • I just use the same password for everything so I don't forget! (facepalm)
  • Asking me in person to help them log in or reset their password (despite the very obvious -- to me -- "forgot password" option on the sign-in form).
  • Giving up entirely -- they just can't figure it out.

We are driving people to use seriously unsafe hacks to get around the hassle of logging in. I encourage you to assume the same kinds of things are happening on your site unless you have done actual testing and found otherwise.

Some insights:

  • Sending an email is not the only way to verify ownership of or access to an email address. OpenID/OAuth can do this too, which is a better UX.
  • I despise the Nascar effect of social login widgets, and apparently users do too.

The proposal:

  • Ask only for usernames and emails during registration/login. Instead, utilize follow-up forms where users can enter more profile info as the motivation for doing so becomes clear. There's very little technical reason to require more than an email.
  • Detect and utilize OpenID/OAuth/etc. when possible (preferably without requiring admins to also register with all the IdPs they want to support).
  • Only fall back to passwords/email verification if the OpenID/OAuth/etc. options don't work.
  • Suggest previously used accounts for returning visitors.
  • Track failed login attempts to quantify how much trouble people are having.

What I'm looking for:

  • What are some alternative login flows you've tried to improve success rates? Which has been most successful?
  • Is there any reason this approach would be a non-starter?
  • Would anyone like to help build this?

Feedback and Planning