We may be on the cusp of a revolution in how we use passwords online.
The primary push is to make two-factor authentication the standard for users to identify themselves and obtain online access. This security approach, also known as “2FA” or “2-step verification,” requires a password and some other personal ID, like having to use a bank card along with your PIN (a password) at an ATM, or a password plus a biometric, e.g., fingerprint or voiceprint.
The W3C, which creates standards that guide development of the Web, has embarked on a project to replace passwords. Its proposal it to move to a system that resides in browsers and requires the user to provide 2FA tied to the device they are using. When you visit a website, a sign-in prompt would direct you to your phone to authenticate who you are. That signs you in securely on your computer.
The 3WC proposal is a long ways off. But in February, credit card firm MasterCard said that by this summer it will accept selfies and fingerprints as an alternative to passwords when verifying IDs for online payments. Users will download an app to use the system.
Banks are moving to biometric ID systems, as well. HSBC, for example, is set to debut fingerprint and voice recognition systems, and the British banking group Lloyds has developed a heartbeat recognition device to replace passwords.
Even President Obama has weighed in. As part of the new Cybersecurity National Action Plan, he said in the Wall Street Journal, “In partnership with industry, we’re launching a new national awareness campaign to raise awareness of cyberthreats and encourage more Americans to move beyond passwords – adding an extra layer of security like a fingerprint or codes sent to your cellphone.”
Which is all a windup for me to ask, if passwords are passé.
Why the hell do I still have to enter my password twice to do business with so many websites?
Enter My Password? You Have It Already!
Yeah, let’s take a look at double- or dual-entry password fields and how much they are annoying your customers and costing you conversions.
Because I know I’m not alone. If your e-commerce site asks customers to enter a password and then to confirm what they’ve just entered, you are pissing people off. And you are running them off.
In a case study of its requirement for users to enter their passwords twice, Formisimo said “over a two-month period our password-repeat field was responsible for over a quarter of all the people that abandoned our sign-up process.”
More than one in four potential customers said forget it rather than re-type a password.
Formisimo, a company that provides form optimization services, also said they saw “hundreds of corrections” in the “Confirm Password” field. This included customers going back to the field to make a change and clearing the field to start over.
Once they dropped the Confirm Password field and added the ability for users to see their password as they typed it, overall conversions jumped by 56 percent.
Fourteen percent more visitors started the form than before and 35.5 percent more who started it completed it. And, corrections dropped by 24 percent.
The Formisimo authors also said the changes saved users time and did not cause any increase in the rate of requests to reset passwords.
In a separate blog post, Formisimo paints the problem of requiring users to re-enter passwords that are masked (covered by bullets or asterisks):
Problems with this ... include that if the passwords do not match, the user has no immediate grasp on where they made the mistake, so may in fact have to retype both. Given that users will typically make a mistake every X times they enter a password, asking them to enter it twice increases the probability that they will make a mistake and, as already mentioned, they may have to correct this mistake twice.
So "confirm password" may not be the best option from a usability standpoint ..., and it will certainly affect more numerical indications of form usability, like time taken to complete it, and corrections.
What isn’t measured are the ill feelings of those who put up with the double duty but are annoyed just enough to not make the buy you were counting on.
So why do it? Why make us enter a password twice? And why make us do it without seeing what we’re typing? Is it just to annoy people?
The Problem with Passwords is a Forced User Error
Of course there are valid reasons for making us type passwords twice and for hiding them as we do it. And I’m not rolling my eyes as I type this.
“The primary reason is error prevention,” says Formulate, another form optimization firm. Asking you to type it twice ensures you really are entering the password you mean to enter and use.
And masking is “to prevent someone seeing a form-filler's password by looking over their shoulder.”
So, yeah, I’m not rolling my eyes, but I am sighing.
Formulate gets it, sort of:
(S)ome users find double entry patronizing. The existence of double entry suggests that the form-filler cannot be trusted to enter information accurately. As such, requiring double entry may compromise the establishment of trust between the form-owner and the form-filler, trust that is important for maximizing conversion.
Right. But since we’re not giving you the credit for knowing whether once again you are being spied on, your password must be hidden from the world. This means you’re more likely to make a mistake typing it – “hence more reason for double entry.”
Hence more reason! Sonofa ...
Just let us see what we’re typing. And just make us do it once.
Besides, as Sitepoint explains, masking doesn’t guard against malware installed on the user's device, or keylogging technology, either of which can be used to steal passwords and are, unfortunately, more prevalent than shoulder-surfing.
As Sitepoint and Formulate suggest, and Formisimo found, the solution is to allow the option to unmask the password and let the user decide whether it’s safe enough to do so.
Further, doing it with a toggle-switch button (below) as opposed to a checkbox or radio buttons creates a better user experience.
It’s a Matter of Trust – Trust Needlessly Lost
But let’s not gloss over the trust factor mentioned above and the damage done to it by dual-entry password fields and masked passwords. It not just that you’re telling your customers you expect them to do it wrong if you don’t catch their mistake.
As Jakob Nielsen of the Nielsen Norman Group wrote years ago, masking typed-in passwords does lead to more errors, which makes users trust themselves less.
“This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business,” he says.
Further, these less-confident users you are lucky enough to retain are more likely to type in passwords that are overly simple, or to copy and paste passwords they are already using elsewhere. “Both behaviors lead to a true loss of security,” Nielsen says.
In other words, simple or overused passwords leave the site more vulnerable to hackers. (Making customers change passwords too often makes them less secure, too.)
And if this is true, can’t we all just start from the position that we don’t trust and don’t want to use a site that requires double-entry password registration?
Double-entry password requirements and password masking are unnecessary. As Nielsen says, it is a holdover, default technique from early days of the web. It’s just easier for an e-commerce company to leave it or to go with what they see everyone else doing.
But it’s not better. And it is costing you.
I recently wrote about form optimization and how to identify and eliminate friction that is spoiling the user experience. I put eliminating double-entry password fields at the top of my list of the easiest changes to make.
Passwords are on their way out completely. Heavyweights like Google and Apple are among hundreds of companies working toward that goal, but it’s not going to happen overnight.
For the sake of security, to engender trust, to create a better user experience and, ultimately, to stop damaging your conversion rate, get ahead of the curve today.
Get with your development team and, at the very least, test those forms and let the data tell you to get rid of any dual-entry fields on your site. Make a good hypothesis to reduce friction and anxiety, and allow users to unmask passwords as they are typed in. Your conversion rates will go up and you might just be put in charge of finding more optimization all-stars for your marketing department.