- Have a dedicated page for login
- Expose all required fields
- Keep all fields on one page
- Don’t get fancy
Friday, February 22nd, 2019
Tuesday, January 15th, 2019
A small but perfectly formed progressive web app. It’s a private, offline-first personal journal with no log-in and no server-stored data. You can read about the tech stack behind it:
Your notes are only stored on your device — they’re never sent to a server. You don’t even need to sign-in to use it! It works offline, so you can reflect upon your day on the slow train journey home.
Tuesday, February 27th, 2018
This post goes into specifics on Django, but the broader points apply no matter what your tech stack. I’m relieved to find out that The Session is using the tripartite identity pattern (although Huffduffer, alas, isn’t):
What we really want in terms of identifying users is some combination of:
- System-level identifier, suitable for use as a target of foreign keys in our database
- Login identifier, suitable for use in performing a credential check
- Public identity, suitable for displaying to other users
Many systems ask the username to fulfill all three of these roles, which is probably wrong.
Sunday, October 16th, 2016
Clever! By exploiting the redirect pattern that most social networks use for logging in, and assuming that site’s favicon isn’t stored in a CDN, it’s possible to figure out whether someone is logged into that site.
Wednesday, January 28th, 2015
Luke continues to tilt against the windmills of the security theatre inertia that still has us hiding passwords by default. As ever, he’s got the data to back up his findings.
Monday, September 16th, 2013
It’s sad to see MyOpenID shut down, but now I can simply use IndieAuth instead …which means my delegate URL is simply adactio.com: magic!
Tuesday, October 2nd, 2012
A great in-depth explanation by Aarron on why Mailchimp dropped their Facebook and Twitter log-in options. Partly it was the NASCAR problem, but the data (provided by user testing with Silverback) also brought up some interesting issues.
Wednesday, September 26th, 2012
I like this passwordless log in pattern but only for specific use cases: when you know that the user has access to email, and when you don’t expect repeat “snacking” visits throughout the day.
Tuesday, November 24th, 2009
Aza Raskin share's some mockups of ideas for incorporating identity management into the browser.
Friday, November 13th, 2009
Leah has some great ideas on combing "log in" and "sign up" forms into one.
Friday, September 18th, 2009
Sign up and log in
It’s common practice for sign-up forms to include duplicate fields for either password or email, where the user has to type the same thing twice. I deliberately avoided this on the Huffduffer sign-up form. Not long after Huffduffer launched, I was asked about this ommision on Get Satisfaction and I defended my position there, citing the audience demographic.
I still think I made the right decision although, in retrospect, I’ve changed my position completely from when I said,
I can see more value in a ‘confirm your password’ field than a ‘confirm your email address’ field. Thinking about it, getting a correct email address is more important. If a password is entered incorrectly, it can always be reset as long as the site can send a reset link to a valid email address. But if an email address is entered incorrectly, the site has no way of helping a user in difficulty.
Here’s an interesting scripted approach to avoiding duplicate email fields:
The last thing you see before you submit is your own email address.
Sign-up is something that user should only ever experience once on a site. But the log-in process can be one of the most familiar actions that a user performs. A common convention for log-in forms is a “remember me” checkbox. I have one of those on the Huffduffer log-in page, labelled with “remember me on this Turing machine” (hey, I thought it was cute).
Here’s a question from 37 Signals:
Has the time come to kill the “Remember me” check box and just assume that people using shared computers will simply logout?
There are a lot of arguments, both for and against, in the comments. It prompted me to think about this use case on Huffduffer and I’ve decided to keep the checkbox but I’ve now made it checked by default. I think that while there are very good reasons why somebody wouldn’t want a permanent cookie set on the machine they’re using (many of the use cases are mentioned in the comments to that 37 Signals post), the majority of people find it convenient.
It always pays to think about default states in UI. Good defaults are important:
Defaults are arguably the most important design decisions you’ll ever make as a software developer. Choose good defaults, and users will sing the praises of your software and how easy it is to use. Choose poor defaults, and you’ll face down user angst over configuration, and probably a host of tech support calls as well.
Thursday, August 6th, 2009
Another interesting take on assigning a visual clue to password fields.
Monday, February 9th, 2009
There's no such thing as a good CAPTCHA but if there were, these would be ...Best. CAPTCHAs. Ever!
Monday, August 25th, 2008
Screenshots of various log in screens on the iPhone. I think Cindy has been hanging out with Luke W.
Wednesday, April 9th, 2008
Every Google account can now be an OpenID login thanks to this app built with the Google App Engine.
Tuesday, January 8th, 2008
Looks like Flickr has some interesting plans around OpenID. Our reporter Simon Willison is on the scene.
Thursday, November 1st, 2007
Another sign up form that features hCard input (like Satisfaction). Choose a service (e.g. Flickr, Last.fm, Twitter) or enter your own URL.