

New Approaches To Designing Log-In Forms - cwan
http://uxdesign.smashingmagazine.com/2011/08/22/new-approaches-to-designing-login-forms/

======
Tichy
Revealing user names (As in "you are trying to log in as Luke") is usually
considered a security issue, though.

~~~
phlamb
This was my first thought as well. I thought it was bad when it just verified
that you had used a correct username after attempting to log in, then I kept
reading and saw the auto-complete combobox of usernames...

~~~
pbreit
My first thought was: what about duplicate names?

~~~
trafficlight
Then it just gives you the available passwords as well. You select the right
combination. Easy peasy.

------
typicalrunt
So for the Quora login form that determines whether someone's email address
has already registered on the system... What's to stop me from:

- looking at the source code,
- finding the JavaScript call to the REST service that checks for an account,
- writing a script to loop through all well-known domains and usernames?

Tada! Instant email scraping tool.

~~~
typicalrunt
Actually, I re-read the article just to make sure that I wasn't being too
critical. I'm not. The author doesn't mention any security risks/benefits
associated with the new login form designs.

It reminds me of the time when a former boss asked me to add authentication
onto the company intranet. She wanted to know who is logging in and viewing
private documents, but she didn't like typing in or remembering passwords so I
could only ask users for their username and "trust" that they wouldn't type in
someone else's username instead. For some (probably most) users, security
isn't on the forefront of their mind, so they need to be reminded of it.
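The enumeration risk typicalrunt describes comes from an endpoint whose response itself says whether an address is registered. Below is an added example (not code from the article, Quora, or any commenter) contrasting such a leaky check with the usual server-side fix: the caller always gets the same status and body, the real answer is delivered only to the mailbox owner, and a per-client rate limit slows bulk probing. The user store, the client key, the window size and the `outbox` array standing in for a mail sender are all constructed for the demo.

```javascript
// Constructed sample data: a user store and an in-memory "outbox" that
// records what would have been e-mailed (no real mail is sent).
const registered = new Set(["alice@example.com", "bob@example.com"]);
const outbox = []; // records of { to, kind }

function normalize(email) {
  return email.trim().toLowerCase();
}

// Leaky endpoint: the HTTP response reveals whether the address is taken,
// so anyone can loop over candidate addresses and harvest the hits.
function leakyAvailability(email) {
  return { status: 200, body: { exists: registered.has(normalize(email)) } };
}

// Fixed-window rate limit keyed by client (IP, session id, etc.).
// WINDOW_MS and MAX_PER_WINDOW are assumed policy values.
const WINDOW_MS = 60 * 1000;
const MAX_PER_WINDOW = 5;
const counters = new Map(); // clientKey -> { count, windowStart }

function rateLimited(clientKey, now) {
  const entry = counters.get(clientKey);
  if (!entry || now - entry.windowStart >= WINDOW_MS) {
    counters.set(clientKey, { count: 1, windowStart: now });
    return false;
  }
  entry.count += 1;
  return entry.count > MAX_PER_WINDOW;
}

// Hardened endpoint: identical status and body for known and unknown
// addresses. Both branches do the same work (one lookup, one outbox
// record), so response timing does not distinguish them either. The
// "you already have an account" notice goes to the mailbox, not the caller.
function startSignup(email, clientKey, now = Date.now()) {
  if (rateLimited(clientKey, now)) {
    return { status: 429, body: { message: "Too many requests, try again later." } };
  }
  const address = normalize(email);
  if (registered.has(address)) {
    outbox.push({ to: address, kind: "already-registered" });
  } else {
    outbox.push({ to: address, kind: "verify-signup" });
  }
  return { status: 200, body: { message: "Check your e-mail to continue." } };
}

// Helper for re-running the demo from a clean state.
function resetDemoState() {
  counters.clear();
  outbox.length = 0;
}
```

The rate limit is only a speed bump; the property that actually closes the leak is that `startSignup` returns a byte-for-byte identical response for both branches. A login form that shows the account's name or picture after the first field is filled in cannot have that property, whatever its error messages say.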

------
yesimahuman
Here is another one I've experimented with: No passwords. You get a login key
in the first email we send, or you can request a new email to log in.

Your email is the weakest link in a lot of password-based schemes anyways, but
this approach is less secure and a bit confusing.

~~~
pagekalisedown
This is a great idea, but is it hard to implement with non-technical users?

~~~
yesimahuman
I would just say that people aren't used to it. Also you need to decide how
you want to send the email. Once on signup (long-lived token, not
recommended), once a day (weird, annoying), or on demand (user gets email
instead of entering password).

I think it's interesting but in practice passwords are more secure and people
are used to them.

------
bitdiffusion
I was always under the impression that security trumps user-experience in the
majority of cases - what happened to trying to prevent malicious users from
harvesting user names by using captcha, non-specific error messages etc? Maybe
I've had my head buried in the security game for too long...

~~~
owenmarshall
Security _should_ trump UX. In practice, though, UX almost always seems to
trump security concerns.

~~~
wpietri
> Security should trump UX.

In my view, security is just another part of the user experience. For one's
bank, it's surely a large one. For most web services, though, it's pretty
tiny. As a Quora user, I'm perfectly happy for them to increase usability
substantially at the cost of a minor increase in risk.

------
ianhowlett
I wouldn’t be happy, as a user, if I saw that information like this was made
public about me on a site.

------
thatjoshguy
If you mistype your email address in Facebook, it will suggest your correct
account on login fail. I'm not sure if it just does this blindly, or if it
tracks where you are logging in from.

------
lambada
Didn't Facebook get bad press a while ago for revealing the user's name and
profile picture when an incorrect password was entered?

