
Login: Remember Me, Remember Me Not
8 December, 2010
We've been looking into adding Remember Me functionality to Siteflex login boxes across our websites. Having an option to remember a user's credentials encourages repeat visits and the use of a website's login-required functions. However, is that really the best way to go about things? There are a few schools of thought on the topic. Let's have a look at the four main options and their associated risk vs usability...
1. No Remember Me box, logged in by default. Users remain logged in unless they specifically log out, always! No need for a Remember Me box. Come on, it's 2010!
   Pros: Given ideal conditions and data that is not completely sensitive, this is ideal for usability, with the user experience being seamless and no additional options to consider when logging in.
   Cons: However, sometimes logout buttons can be hard to find, glanced over or not even considered. We've observed that many users (especially those without much technical experience) expect that closing the browser window will end their session and log them out, which isn't the case here.
   This option raises the risk of a user's personal data being accessed by unwanted parties, particularly in situations such as logging in on public computers.
2. Remember Me box, ticked by default.
   Pros: The next best thing to the above is allowing an opt-out on this default behaviour. This is great because the majority of users, we have observed, use the Remember Me functionality where it is available and where it actually works (I'm looking at you, Twitter).
   Cons: Is this really the default behaviour you want for ALL users? Those users without too much technical experience are unlikely to change any of the options presented to them, and these are often the exact users you will want to untick the Remember Me box.
   Users that do not want the website to remember their details must untick the box each time they log in, although this can be managed via a browser cookie (assuming cookies are enabled). Thought required, slowing down the user experience.
3. Remember Me box, not ticked by default.
   Pros: Allows anyone that knows and can accept the consequences to opt in to the website remembering their details. The responsibility is now on the user to be aware of their situation (i.e. if they are using a public computer). Users who aren't sure are unlikely to change the default option presented.
   This option also mirrors our own thoughts on Mailout or Newsletter subscriptions being an opt-in rather than an opt-out, an approach we generally take with the Siteflex Mail module.
   Cons: We've observed that the majority of users opt in to Remember Me, so overall this is a backwards step for usability. Thought required, slowing down the user experience.
4. No Remember Me box, logged out by default.
   Pros: The most secure option, since there is no additional option for remembering details. The responsibility of remembering login details then rests completely with the browser or third-party applications, which applies to all of the above options as well. No additional user interface options to confuse / slow down the experience. No additional security risk.
   Cons: Usability is diminished for a majority of users who want this functionality. Mass chaos with people using the Retrieve Password function on a weekly basis. Cats and dogs living together! etc.
   Because of the lessened usability, users more often end up using passwords they've used on other websites, decreasing security further.
Currently Siteflex sits at option 4, the most secure option, with consideration of moving to option 3. Do you agree? Let us know in the comments below! As a lot of the time the best option is dependent on the site's content itself, we could potentially allow each of the four options to be available on a site-by-site basis... the high risk for the few outweighs the minimal gain of the many.
Of course, when it comes to securing personal details, it often comes down to a certain level of caution from the users themselves. Unattended computer terminals, stolen laptops (and, increasingly, smart phones) will remain an issue no matter the website's chosen approach to helping users better access their personal details.
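One way the four options could be made selectable per site, as an added example that is not Siteflex code: the chosen option decides whether the box is shown, its default state, and whether the login cookie is a session cookie (no Max-Age, so it is discarded when the browser closes) or a persistent one. The cookie name `sf_session`, the 30-day lifetime and all function names are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass
from http.cookies import SimpleCookie

REMEMBER_SECONDS = 30 * 24 * 3600  # assumed lifetime of a remembered login


@dataclass(frozen=True)
class RememberPolicy:
    show_checkbox: bool    # is the Remember Me box rendered?
    default_ticked: bool   # its initial state when rendered
    always_persist: bool   # stay logged in with no box at all (option 1)


# The four options from the post, keyed by option number.
POLICIES = {
    1: RememberPolicy(False, False, True),
    2: RememberPolicy(True, True, False),
    3: RememberPolicy(True, False, False),
    4: RememberPolicy(False, False, False),
}


def should_persist(option, box_ticked=None):
    """Return True if this login should survive a browser restart.

    box_ticked is the submitted checkbox value; None means the field was absent.
    """
    policy = POLICIES[option]
    if not policy.show_checkbox:
        # The site offers no box, so a submitted "remember" field is ignored.
        return policy.always_persist
    # An absent field on a form that shows the box means it was unticked.
    return bool(box_ticked)


def login_cookie(option, box_ticked=None):
    """Build the Set-Cookie value issued after a successful login."""
    cookie = SimpleCookie()
    # Hypothetical cookie name; the value is a random token, never the password.
    cookie["sf_session"] = secrets.token_urlsafe(32)
    morsel = cookie["sf_session"]
    morsel["path"] = "/"
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    if should_persist(option, box_ticked):
        morsel["max-age"] = REMEMBER_SECONDS  # persistent cookie
    return morsel.OutputString()
```

The server still has to store the token and expire it on its own side; the cookie lifetime only controls how long the browser keeps presenting it.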
Australian J-Award Winner Tame Impala weigh in on the issue below with a sweet lick.
Some further reading for the extra keen:
- Blossom the lovely stars, the forget-me-nots of the angels. (Giant Robots, Aug 2009)
- Has the time come to kill the “Remember me” check box and just assume that people using shared computers will simply logout? (37signals, Sep 2009)
- Survey results: Websites that keep users logged in (Purecaffeine, Dec 2009)
