
When it comes to forms, the biggest pain point for users might surprise you: it is re-logging into their account on a website.
Companies add authentication methods and layers of security that become a barrier to accessibility. Here are some examples.
I had a Vodafone account for my broadband and mobile. I swapped to a different mobile provider and kept my broadband with Vodafone. Despite my number remaining the same, I could not log into my account for a few months because my phone had been removed from the account when I switched - and the only way to authenticate a login to my account was by receiving a text message.
It is not that two-factor authentication is a problem, but poorly designed two-factor authentication is. When there are multiple levels of authentication, such as a username, a password, and then a second layer of text message confirmation, there is a lot of information to receive and remember, which presents a challenge to certain user groups.
For me, authentication codes which I have to copy and paste manually are very difficult. For some authentication processes, this code is not logged automatically, meaning I might need to write it down on a piece of paper before typing it in and this is even harder if the code is time-sensitive. I particularly struggle with alphanumeric codes, making the whole process very frustrating.
Some companies have much easier methods. If I call Amazon, they will send me an authentication code in multiple ways. With Google, it will give you a pop up to authenticate your account. These are the best methods because there is no cognitive load and I do not have to get my glasses out to look at the authentication - it is just easy.
If you are already a customer and already logged in, then why do you need this additional authentication? If you have an app for your doctor, and are logging in with your fingerprint on your device, then why do you need to be authenticated with a separate app every 3 months? These methods make the barrier to access higher and harder, which means certain user groups struggle.
The biggest pain point on websites is logging in and having an inappropriate level of authentication to be able to access information. I encourage companies to only add in those extra levels of security if they are truly needed. There should not be this really complicated barrier to getting logged in. It presents a major accessibility issue for users with cognitive impairments, older users, and people like me with dyslexia.

These methods of security and authentication are an accessibility issue due to cognitive load. Every new layer or method of logging in ‘securely’ adds cognitive load to users who may already be struggling.
If you use the same email address for accounts with different companies, it is good security practice to use a different password for each account: if one company is breached, the attacker cannot reuse that password to get into your other accounts.
But while I typically have a password pattern I use to help me with this, maintaining this pattern can be difficult because the criteria for different passwords with different companies changes. Passwords might need to be a certain length, use or not use certain characters, and so on.
This adds another layer of cognitive load, not only to remembering the password but to thinking one up in the first place. Passwords like password123 still appear at the top of the lists of most commonly used passwords, and there is a reason people choose them!
I typically have a password pattern that helps me remember my logins, or you can use a password manager to keep track. However, some companies block these: their forms disable pasting or autofill on the password field, so you cannot create an account with a password stored in a password manager.
There was a scenario I heard of where the complexity of the password criteria, the need to change the password every 3 months, and a ban on password managers led to a very insecure situation. The people in the office ended up having sticky notes with their password written on them stuck to their computer screen. Sometimes you can make security so complicated it is not security any more!
I do not have the ability to remember a 6 digit alphanumeric code. Maybe I could when I was 20 years old, but now I cannot, and neither can my mum. As a dyslexic person remembering these codes is hard. Not everyone struggles with this but many do, so companies should consider making this authentication process easier by trying some of the techniques mentioned in the next section.
The biggest thing I have a problem with is when I am helping my mum complete a form, and she does not have the typing speed needed to complete any form that is timed. She cannot swap between different apps or windows to get the information needed in the short time that is given. Timed forms may seem like a meaningful way to add a layer of security to a login, but it is an accessibility barrier to users who simply cannot type or act that quickly.

It is important to use an appropriate level of security and authentication when a user logs in, but this must be balanced with how accessible the whole process is. There are some great examples out there of how the pain of logging in can be reduced for all users, not just those struggling with cognitive load.
Some organisations, such as Deliveroo, give you the choice to log in using your password or a magic link sent via email. A magic link is a URL containing a unique, time-limited token, so the identity of a user can be verified without needing their password. You can learn more about what magic links are and how they work in this article by Descope.
Amazon uses a magic link as a second verification step if you are speaking to them on the phone. This is a better, more accessible login, as you only need access to your email address or device to log in. You do not have to remember a code: access to the email is the authentication.
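To make the mechanism concrete, here is an added example (not code from Deliveroo, Amazon, Descope or the article) of how a server can issue and redeem a magic link. It assumes a 15-minute lifetime, an in-memory dictionary standing in for the database, and a login URL of https://example.test/login/magic; the token is random, only its hash is stored, and it is consumed on first use so a forwarded or replayed link cannot log someone in twice.

```python
import hashlib
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumptions for this example (not taken from the article):
TOKEN_TTL_SECONDS = 15 * 60                       # links expire after 15 minutes
LOGIN_URL = "https://example.test/login/magic"    # hypothetical login endpoint

# Maps sha256(token) -> {"email": ..., "expires": ...}. Only the hash is kept,
# so a copy of this store does not give an attacker usable links.
_pending: dict = {}


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_magic_link(email: str, now: Optional[float] = None) -> str:
    """Create a single-use, time-limited link that logs `email` in."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    _pending[_token_hash(token)] = {"email": email, "expires": now + TOKEN_TTL_SECONDS}
    return f"{LOGIN_URL}?{urlencode({'token': token})}"


def token_from_url(url: str) -> str:
    """Extract the token from a clicked link, as the server sees it on GET."""
    return parse_qs(urlparse(url).query).get("token", [""])[0]


def redeem_magic_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the email the link authenticates, or None if unknown, used or expired."""
    now = time.time() if now is None else now
    # pop() removes the record, which is what makes the link single-use:
    # a second click on the same link finds nothing.
    record = _pending.pop(_token_hash(token), None)
    if record is None:
        return None
    if now > record["expires"]:
        return None  # expired links are discarded, never extended
    return record["email"]


if __name__ == "__main__":
    link = issue_magic_link("user@example.test")   # constructed sample address
    print("email this link to the user:", link)
    print("first click  ->", redeem_magic_link(token_from_url(link)))
    print("second click ->", redeem_magic_link(token_from_url(link)))
```

The user never sees or types the token; the browser sends it when the link is opened, which is why the cognitive load is close to zero while the secret stays long and random.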
Another method of authentication is device recognition. Most banks - Monzo, HSBC, all the big banks - tend to use this method. You log in once, you put your password in, and you are asked for authentication. Your phone is already registered as a device with the bank, and to access the app you have to use whatever authentication is built into your device, such as biometric log in.
But you do not have to be a bank to use this method. Google is a good example of this. When you have already created a Google account and you are logging into a new device, or your authorisation has expired and needs renewing, it does one of two things. You either receive an ‘approve/decline’ notification on an approved device, or a notification which gives you a choice of code or a picture to ‘match’ on your other device.
Because the code is only two digits, the images are simple, and you get a multiple choice of the option that works for you, there is minimal cognitive load to get you into your account. This is an example of step-up authentication, where a simple login is the first step and stronger verification is only used when absolutely necessary.
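As an added example of the device recognition and step-up pattern described above (this is illustrative code, not how Google or any bank implements it), the sketch below issues an HMAC-signed, expiring cookie once a device has passed the stronger check, and afterwards lets a correct password through without a further prompt on that device. It assumes a per-deployment secret key, a 90-day device lifetime, and a hypothetical "sensitive action" flag that forces the prompt even on a known device, which goes slightly beyond the article's login-only case.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumptions for this example (not taken from the article):
SERVER_KEY = secrets.token_bytes(32)          # per-deployment secret, kept server-side
DEVICE_LIFETIME_SECONDS = 90 * 24 * 3600      # a recognised device is trusted for 90 days


def _sign(body: str) -> str:
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def register_device(user_id: str, now: Optional[float] = None) -> str:
    """Called after the user passes the strong step (e.g. approves a prompt on
    an already-trusted phone). Returns a cookie value marking this device as known."""
    now = time.time() if now is None else now
    payload = {
        "uid": user_id,                       # bound to one account
        "did": secrets.token_hex(16),         # random device id
        "exp": int(now + DEVICE_LIFETIME_SECONDS),
    }
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    return f"{body}.{_sign(body)}"


def device_is_recognised(cookie: Optional[str], user_id: str,
                         now: Optional[float] = None) -> bool:
    """True only if the cookie is intact, unexpired and bound to this user."""
    if not cookie or "." not in cookie:
        return False
    now = time.time() if now is None else now
    body, sig = cookie.rsplit(".", 1)
    if not hmac.compare_digest(_sign(body), sig):   # tampered or forged cookie
        return False
    try:
        payload = json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, TypeError):
        return False
    return payload.get("uid") == user_id and now < payload.get("exp", 0)


def login_step_after_password(user_id: str, device_cookie: Optional[str],
                              sensitive_action: bool = False,
                              now: Optional[float] = None) -> str:
    """Decide what happens once the password is correct.
    'done'   : known device, no extra step (the everyday case)
    'prompt' : unknown device or sensitive action, send approve/decline to a
               registered device instead of asking the user to type a code"""
    if device_is_recognised(device_cookie, user_id, now) and not sensitive_action:
        return "done"
    return "prompt"


if __name__ == "__main__":
    cookie = register_device("alice")           # constructed sample user
    print("known device    ->", login_step_after_password("alice", cookie))
    print("new device      ->", login_step_after_password("alice", None))
    print("someone else    ->", login_step_after_password("bob", cookie))
```

The point for accessibility is that the strong check happens once per device, not once per login, and when it does happen it is an approve/decline prompt rather than a code to transcribe.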
If you are a company that encourages users to create an account with you, check your data carefully. You may see that people are creating accounts, but then not coming back, or using telephone support instead. This indicates there is some cognitive load with the login process that needs to be considered.
It is important to understand that when you are creating security around logging in, you may not be protecting who you think you are protecting. If the password of a user is on a sticky note on their computer, or they have to ask someone else to help them log in, their account is no longer secure.
What you have to think about is what information you have about your customer, the appropriate security that is needed to protect this information, and the balance between this security and usability.
Consider your user and how precious their information is. Data privacy is important, and there are multiple ways of retaining data privacy while also making logging in accessible and simple. The most important thing about creating an accessible log in process is testing with a wide range of users.
And never forget your grandma. If she can log in to an account on your site with autonomy, then you have created a good system.