• Remember Me, Remember Me Not

    Mon, Apr 7, 2014

    Having an option to remember a user's credentials encourages repeat visits and the use of ecommerce features and other personalised website functions. However, what are the risks with introducing such a feature?

    Back in 2010 we looked into adding Remember Me functionality to standard login boxes across Siteflex websites. This same discussion remains as relevant now as it was back then, hence we are taking another look at the four main options and weighing up the risks vs usability...
     

    No Remember Me box, logged in by default.


    Users remain logged in unless they specifically use the logout feature. No need for a Remember Me checkbox. Come on, it's 2014!

    Pros: The user experience is seamless with no additional options to consider when logging in, hence this is ideal usability given the user is not accessing sensitive financial or personal data. This option is also multi-device friendly as the user's process is consistent on each device.

    Cons: However, sometimes logout buttons can be hard to find, glanced over or not even considered. We've observed that many users (especially those without much technical experience) expect that closing the browser window will end their session and log them out, which isn't the case here.

    This option opens up a higher level of risk of a user's personal data being accessed by unwanted parties, especially in situations such as logging in on public computers.
     

    Remember Me box, ticked by default.


    Pros: The next best thing to the above option is allowing an opt-out on this default behaviour. This is great because the majority of users, we have observed, use the Remember Me functionality where it is available.

    Cons: Is this really the default behaviour you want for all users? Inexperienced users are unlikely to change any of the options presented to them, and these users are often the exact users you will want to untick the Remember Me checkbox.

    This option may not be ideal for repeat visits or for multiple devices. Additionally, as with any choice presented to the user, the user experience is slowed due to the additional consideration required.

     

    Remember Me box, not ticked by default.


    Pros: Allows anyone who knows and can accept the consequences to opt in to the website remembering their details. The responsibility is now on the user to be aware of their situation (i.e. if they are using a public computer). Users who aren't sure are unlikely to change the default option presented.

    This option also mirrors the preferred functionality on Mailout subscriptions. That is, a mailout subscription should always be opt-in rather than an opt-out.

    Cons: We've observed that the majority of users opt in to Remember Me, making this a small backwards step for usability. Thankfully the user will only have to do this every so often. Regardless, we are still presenting the user with an additional option that may be confusing, slowing down the process of logging in.

     

    No Remember Me box, logged out by default.


    Pros: The most secure option, since there is no additional option for remembering details. The responsibility of remembering login details then relies completely on the user, possibly assisted by the browser or a third-party application. No additional user interface option is presented to confuse or slow down the user. Multi device friendly given it's absolutely consistent.

    Cons: Usability is diminished for a majority of users who do not want to be forced to type in their details each time they want to sign in to the website. Mass chaos with people using the Retrieve Password function on a weekly basis. Cats and dogs living together! etc.

    Because not providing a Remember Me function hurts usability, users more often fall back on passwords they've used on other websites. This option increases external risk by giving the user more chances to mismanage their credentials (insecure email, bad or common passwords, post-it note passwords).

     

    Remember Me?

    So how does Siteflex approach these challenges? Currently Siteflex provides the fourth option by default, but we are looking to change our default to the third option: Remember Me box, not ticked by default.

    The best option for any particular website is often dependent on the website's content itself. Ecommerce websites are more likely to look to the options that minimise not only the risk of a user account being compromised, but also the potential effects of it. For example, further locking down key areas such as changing password or modifying an existing order are ways to tackle what happens when a user account is compromised.
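
    One way to lock down those key areas, shown as an added example that is not Siteflex's own code: a session resumed from a Remember Me cookie may browse, but changing the password or modifying an order requires the password to have been typed recently. The function names, the in-memory token store and both time limits are assumptions made for the illustration.

```python
import hashlib, hmac, secrets, time

REMEMBER_TTL = 30 * 24 * 3600   # assumed lifetime of a remember-me token
FRESH_WINDOW = 15 * 60          # assumed: password typed within the last 15 min
SENSITIVE = {"change_password", "modify_order"}  # key areas named in the article
_tokens = {}  # selector -> (sha256(validator), user, expiry); stands in for a DB table

def login(user, password_ok, remember_me=False, now=None):
    """Password login. remember_me defaults to False (option three: opt-in)."""
    now = time.time() if now is None else now
    if not password_ok:
        return None, None
    session = {"user": user, "password_at": now}
    cookie = None
    if remember_me:
        selector, validator = secrets.token_hex(8), secrets.token_hex(32)
        # Only a hash of the validator is stored, never the cookie value itself.
        digest = hashlib.sha256(validator.encode()).hexdigest()
        _tokens[selector] = (digest, user, now + REMEMBER_TTL)
        cookie = f"{selector}:{validator}"
    return session, cookie

def resume(cookie, now=None):
    """Rebuild a session from a remember-me cookie, or return None."""
    now = time.time() if now is None else now
    selector, _, validator = (cookie or "").partition(":")
    record = _tokens.get(selector)
    if record is None:
        return None
    digest, user, expiry = record
    if now > expiry:
        del _tokens[selector]
        return None
    presented = hashlib.sha256(validator.encode()).hexdigest()
    if not hmac.compare_digest(digest, presented):
        return None
    # password_at=None marks a session that never saw the password.
    return {"user": user, "password_at": None}

def authorize(session, action, now=None):
    """Return 'allow', 'reauth' (ask for the password again) or 'login'."""
    now = time.time() if now is None else now
    if session is None:
        return "login"
    if action not in SENSITIVE:
        return "allow"
    typed = session["password_at"]
    fresh = typed is not None and now - typed <= FRESH_WINDOW
    return "allow" if fresh else "reauth"
```

    With this split, someone who sits down at an unattended, remembered browser can see the account but is asked for the password before touching the areas that matter most.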

     

    ...the high risk for the few outweighs the small gain of the many.


    Securing personal details will always come back to a responsible level of cautionary measures from the user themselves. Unattended computer terminals, stolen laptops and stolen phones will remain an issue no matter the website's chosen approach to helping users better access their website account.

    At the end of the day a compromised user account is a likely situation; all we can do is minimise the risks.
     

     
