User System Design

Whenever we build a working system, the first thing we do is set up a login system, or at least that is the general pattern. Developers give the least amount of thought and time to user system design; they are more focused on app features (which is fine as long as you don't ignore the basics of app UX). For whatever reason, user design gets the least attention. But you should give serious thought to user system design. For most purposes it is one of those things you learn properly once and then apply to every other system, because for the most part it will be more or less the same.

Also, on the surface login appears quite simple: put up two fields, one for the username and one for the password, and then validate. But it only appears simple on the surface. Since login is the gateway to the rest of the system, the gate-keeping must be strong; as in computer security generally, a system is only as strong as its weakest point. Let me explain. At the very least a user system needs Login, Registration and Reset password. That is the bare minimum, and we have not even reached moderators or app admins. So if I asked you to order these three by increasing complexity, which of these would it be?

  1. Login, Registration and Reset password
  2. Login, Reset password and Registration
  3. Registration, Reset password and Login

If your answer is not 3, I have bad news. At the basic level login just appears to have two fields, username and password, plus optional ones like remember me and reCAPTCHA. I think you should not log the user out unless your application is built for military, hospital or other super critical use. Nobody likes passwords; it's as simple as that. As for reCAPTCHA, I think it should appear only after the user has failed login say 2 or 3 times. Though I suggest making it 5 attempts, then locking the user out for an hour and firing off an email notifying the user. Better still, ask for the email and send a link that logs the user into the system. I see some websites using this and I think it could be more popular than it is, but unfortunately it is not yet widespread.
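To make the failed-login policy above concrete, here is an added example (not code from the original post) of a per-username throttle that asks for a captcha after 3 consecutive failures, locks the account at 5 for one hour, and fires the notification email through an assumed `notify` hook. The in-memory dict and the injectable clock are assumptions for the demo; in a real app the state would live in a cache or database row.

```python
import time
from dataclasses import dataclass

# Thresholds taken from the post: captcha after a few failures, lock at 5.
CAPTCHA_AFTER = 3      # show reCAPTCHA from this many consecutive failures on
LOCK_AFTER = 5         # lock the account at this many consecutive failures
LOCK_SECONDS = 3600    # lock lasts one hour


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0   # 0.0 means "not locked"


class LoginThrottle:
    """Per-username failed-login tracker.

    State lives in a dict here (assumed stand-in for a cache or DB row);
    `notify` is the assumed hook that sends the "your account was locked" email.
    """

    def __init__(self, notify, clock=time.time):
        self._state = {}
        self._notify = notify
        self._clock = clock   # injectable so the demo can fast-forward time

    def _get(self, username):
        return self._state.setdefault(username, AccountState())

    def is_locked(self, username):
        st = self._get(username)
        if st.locked_until == 0.0:
            return False
        if self._clock() < st.locked_until:
            return True
        # Lock has expired: clear it and start the failure count over.
        st.locked_until = 0.0
        st.failures = 0
        return False

    def needs_captcha(self, username):
        return self._get(username).failures >= CAPTCHA_AFTER

    def record_failure(self, username):
        """Call after a wrong password. Returns what the login form should do next."""
        if self.is_locked(username):
            return "locked"
        st = self._get(username)
        st.failures += 1
        if st.failures >= LOCK_AFTER:
            st.locked_until = self._clock() + LOCK_SECONDS
            self._notify(username)
            return "locked"
        if st.failures >= CAPTCHA_AFTER:
            return "captcha"
        return "retry"

    def record_success(self, username):
        """A correct password (with captcha solved when required) clears the counter."""
        self._state.pop(username, None)


def demo():
    """Walk one account through five bad passwords, then past the lock window."""
    sent = []                      # emails "sent" by the fake notify hook
    now = [1_700_000_000.0]        # fake clock, constructed for the demo
    throttle = LoginThrottle(notify=sent.append, clock=lambda: now[0])
    outcomes = [throttle.record_failure("alice") for _ in range(5)]
    locked_now = throttle.is_locked("alice")
    now[0] += LOCK_SECONDS + 1     # one hour and a second later
    locked_later = throttle.is_locked("alice")
    return outcomes, sent, locked_now, locked_later


if __name__ == "__main__":
    print(demo())
```

The five failures come back as retry, retry, captcha, captcha, locked, exactly one email goes out, and the lock clears itself after the hour. Because the counter is keyed by username, a flood of bad passwords against one account locks that account; pair this with a rate limit keyed on the request source so a single noisy client cannot keep an arbitrary user locked out indefinitely.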

So let's move back to the original approach of logging the user in via username and password. There are a lot of things to consider before you let a user into the system, and you have to account for many of them at once. It doesn't matter if you did military-grade hashing with salt if there is a SQL injection, or the system can't detect and prevent a brute force attack, or accepts a previously used security token; it all falls like a house of cards. But here is the good part: at Evildevelopers we use either ASP.NET MVC or Laravel. Both are not only secure but provide basic authentication out of the box. Literally out of the box. If you want to build it from scratch you could do that, I repeat you could, but you should not. Why? For the same reason we don't and the people working on these frameworks do: security. As I said earlier, the security of any system is defined by its weakest point.
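The "salted hashing is useless beside a SQL injection" point is easy to see in code. The following is an added example, not from the post or from either framework it names: a salted PBKDF2 credential check done two ways, with the username pasted into the SQL text and with a bound parameter. The sqlite in-memory table, the iteration count and the user `o'brien` are all constructed for the demo; the apostrophe is a perfectly legitimate name, and it is enough to break the concatenated query before any attacker shows up.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 600_000   # assumed cost setting; tune to your hardware


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user defeats precomputed tables."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def open_db():
    """Constructed in-memory user table for the demo."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, digest BLOB NOT NULL)"
    )
    return db


def register(db, username, password):
    salt, digest = hash_password(password)
    db.execute(
        "INSERT INTO users (username, salt, digest) VALUES (?, ?, ?)", (username, salt, digest)
    )


def lookup_concat(db, username):
    """The weak shape: whatever the user typed becomes part of the SQL grammar."""
    sql = "SELECT salt, digest FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchone()


def lookup_param(db, username):
    """Hardened: the placeholder keeps the value out of the SQL grammar entirely."""
    return db.execute(
        "SELECT salt, digest FROM users WHERE username = ?", (username,)
    ).fetchone()


def login(db, username, password):
    """True only if the stored salted digest matches; constant-time compare."""
    row = lookup_param(db, username)
    if row is None:
        # Burn the same hashing cost so response time doesn't reveal whether the user exists.
        hash_password(password, b"\x00" * 16)
        return False
    salt, digest = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def concat_lookup_breaks(db, username):
    """Does the concatenated query fall over on this (legitimate) input?"""
    try:
        lookup_concat(db, username)
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    db = open_db()
    register(db, "o'brien", "correct horse battery staple")
    return {
        "good": login(db, "o'brien", "correct horse battery staple"),
        "bad_pw": login(db, "o'brien", "wrong"),
        "unknown": login(db, "nobody", "x"),
        "concat_breaks": concat_lookup_breaks(db, "o'brien"),
        "param_ok": lookup_param(db, "o'brien") is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The parameterised lookup finds `o'brien` and the hash check passes for the right password only; the concatenated lookup raises a syntax error on the very same name. The hashing is as good in both versions, which is the post's point: the weakest link decides. The framework helpers the post recommends do the binding and hashing for you, so the main job is not to bypass them with hand-built queries.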

Fewer form fields make the best registration

Treat users like children, or more to the point like teenagers. They don't forgive easily, they get frustrated easily, but most importantly their attention span is a millisecond. So make sure registration involves very few fields; if you can simmer it down to 2, email and password, that is nothing short of an achievement. Other pieces of information should be asked for on demand or later on. First get them onto the system; that is the most valuable thing. Once they are on the system, slowly ask them for more information, but don't gush at them with requests for it. Reason: in this world everyone just wants to get things done.

That's it. So fewer fields, and those only when absolutely required. Fewer fields in user system design: checked!

Reset password, but how many times?

So the user forgets the password; well, first put the blame strictly on login and passwords. But here comes the second question: should a password reset have any effect on the user's login, that is, lock the user out of the system? I say no. Because a password reset happens for one of these reasons:

  1. The user forgot the password
  2. An attacker has malicious intentions

In the first scenario the user may be logged in on other devices or browsers, so why lock him out? Let those user sessions stay alive so that he can keep working there even after changing the password. So even if the user has genuinely forgotten the password, don't lock him out. In the second scenario, when the system is about to come under attack by a bot or even a single person, the last thing we need is to hurt our user's experience. So never lock out the user.

Now, how many password resets should you allow? I suggest as many as needed, as long as the previously issued reset URLs have been used. Even if they have not been used I suggest allowing 2 or 3 outstanding resets. Reason: systems are slow and users are impatient, especially under those circumstances. So if they have not used their previous reset URL, notify them and ask them to use that first, and also make sure those reset URLs are short-lived, say around 1 hour.
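Pulling the two reset paragraphs together, here is an added example (not the post's code) of a reset-link store that follows those rules: tokens are random, stored only as a hash, single-use, expire after one hour, at most 3 may be outstanding per user, and a repeat request while an unused link exists triggers a reminder through an assumed `notify` hook. Redeeming a token changes nothing about the user's existing sessions, matching the post's "never lock out the user". The dict store, the fake clock and the user `bob` are constructed for the demo.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 3600          # reset links live one hour
MAX_OUTSTANDING = 3       # at most this many unused, unexpired links per user


class ResetTokens:
    """Issues and redeems password-reset tokens.

    Only a SHA-256 of each token is kept, so a leaked store cannot be replayed;
    `notify(username, message)` is the assumed email hook.
    """

    def __init__(self, notify, clock=time.time):
        self._tokens = {}      # token_hash -> (username, expires_at)
        self._notify = notify
        self._clock = clock    # injectable so the demo can fast-forward time

    @staticmethod
    def _fingerprint(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def _purge_expired(self):
        now = self._clock()
        self._tokens = {h: v for h, v in self._tokens.items() if v[1] > now}

    def outstanding(self, username):
        """Unused, unexpired links currently issued to this user."""
        self._purge_expired()
        return sum(1 for user, _ in self._tokens.values() if user == username)

    def request(self, username):
        """Return a fresh raw token to put in the email, or None if the cap is hit."""
        count = self.outstanding(username)
        if count >= MAX_OUTSTANDING:
            self._notify(username, "reset limit reached; use an existing link or wait for it to expire")
            return None
        if count > 0:
            self._notify(username, "you already have an unused reset link; please use that one first")
        token = secrets.token_urlsafe(32)
        self._tokens[self._fingerprint(token)] = (username, self._clock() + TOKEN_TTL)
        return token

    def consume(self, token):
        """Redeem a token once. Returns the username, or None if unknown, used or expired.

        Deliberately does not touch the user's other sessions: they stay alive.
        """
        self._purge_expired()
        entry = self._tokens.pop(self._fingerprint(token), None)
        return None if entry is None else entry[0]


def demo():
    notes = []
    now = [1_700_000_000.0]    # fake clock, constructed for the demo
    store = ResetTokens(notify=lambda user, msg: notes.append(msg), clock=lambda: now[0])
    t1 = store.request("bob")      # first link: no reminder
    t2 = store.request("bob")      # second: reminded that t1 is still unused
    t3 = store.request("bob")      # third: reminded again, still within the cap
    t4 = store.request("bob")      # fourth: refused, cap of 3 reached
    first_use = store.consume(t1)  # "bob"
    second_use = store.consume(t1) # None: links are single-use
    now[0] += TOKEN_TTL + 1        # an hour and a second later
    expired = store.consume(t2)    # None: past its one-hour life
    left = store.outstanding("bob")
    return t4, first_use, second_use, expired, len(notes), left, t3 is not None


if __name__ == "__main__":
    print(demo())
```

The attacker scenario (reason 2 above) is absorbed by the per-user cap and the reminder emails rather than by logging anyone out: a bot can make the user receive a couple of messages, but it cannot mint unlimited links or touch the user's live sessions.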

