This post is on the usability of authenticating to a site. Entering your username and password, what could be complicated about that? But, surprisingly, so many sites get it wrong. The “Login Test” is a measure of one specific aspect of logging in. First, the origins.
Early Access Design
Ahh, the good old days. Accessing a computer meant starting with a completely blank screen, and a little prompt saying “username:” in the upper left corner. After entering an appropriate name you would be greeted with the familiar “password:” Respond correctly to this, and you are IN! You find yourself at your “home” — a place/context where you always start from. There was no way to access, or even specify, a context before you logged in.
Authentication — the act of demonstrating to the system you are who you say you are — and access to the system were bundled together. Without authentication, you got nothing, nix, nil, nada. After authenticating, you started your journey through the system. This mindset that the login point is a location in the system is embedded deep in the culture of system design.
What is so different today?
Many web-based services today offer useful information to anonymous users, before requiring authentication. Click on a twitter URL, a Facebook URL, or a Linked-In URL, and you will get access to the public representation of those things. The amount displayed in the public presentation depends upon many things: the service, the context being viewed, and settings that the owner of the context may have made. The point is that you have some limited access to the content without authentication.
Then, when you decide you want additional capability, you authenticate. Then, depending upon your personal privileges in that context, you may see additional detail about the context you are viewing, or you may gain the ability to contribute to the context. In this approach, the login affects only your mode of access to the system and has no effect on your context.
Why does this matter?
Some sites today are built to understand that authentication just affects your “mode of access” without affecting your location. Other sites still adhere to the anachronistic concept that you log in at a particular location which is a starting point for gaining access to the system. These two points of view are incompatible.
The “Login Test” is simple. Follow a link to the system in question without logging in. Verify the context. Then log in and see if you are in the same context. If you remain in the same context, call it a “pass.” If you end up on a different page or different context, call it a “fail.” In some cases you may need to be sure you are logged out before the initial navigation.
How do various systems measure up?
Facebook – PASS – if you happen to get a link to someone’s page or wall, you might (depending upon user options) see some basic information. If you log in, you will still be at that user or page.
Twitter – FAIL – surprisingly. Follow a link to a person’s Twitter address, and you see their recent posts even though you are not logged in. Then log in, and you are moved to your own home page, with your own posts on it. This is very inconvenient if you wanted to “follow” the person you accessed first.
Linked-In – PASS – You can find a person’s public profile, and then if you sign in, you are still on their profile.
WordPress – FAIL – also surprising. You follow a link to a blog entry, and then decide to post a comment, so you log in. After logging in you are moved to your home dashboard. You have to navigate back to the blog entry to make the comment. Inconvenient.
Blogger – FAIL – navigate a link to a particular blog post without being logged in, that perhaps you want to comment on. Use the sign-in button, and you are transported to your dashboard, not left at the post where you were.
Amazon – FAIL – this really surprised me, because shopping before you log in is so important. But search and find a title you are interested in, then log in, and you are delivered to a page of recommendations for you. Note that they are very clever about preserving your shopping cart and recent browsing history, but you are not looking at the same item after login.
Wikipedia – PASS – search and find an article, then log in and you are still on the same article.
Yahoo – FAIL – search the site for a particular news article that is on the site. Click the login link, and you are delivered to another, different page.
New Egg – PASS – search or browse to a particular item, log in, and you are at the same item. Nice.
Google Maps – FAIL – Search, browse, or zoom-in to a particular map. Then log in and you will see a different map. Seems odd.
Flickr – PASS – Navigate by any means to a particular photo, log in, and you are still on the same photo. They pop up a separate window for logging in, and I wonder whether that is a way around limitations in the authentication mechanism, so that the location is preserved.
Slideshare – PASS – Navigate to a particular slide set, or follow a link to one. Log in, and you are on the same set. Perfect!
If you run the test on other systems, share results in a comment.
Is it really fair to say that it “fails” because it follows the old pattern, and not the new? Why should all sites be expected to follow the new pattern? Aren’t there some sites that are justified in moving your location upon log-in?
I feel it is always better to stay on the same page while authenticating. The context that you arrive at is in some sense valuable, and losing that value in order to log in will always be a bother. A well designed web site will always have an easy way to navigate to your home context, so there is no benefit in forcing that automatically.
The idea that the log-in point is a location works contrary to the idea of deep linking. Deep linking is critical to web 2.0, which requires that links work the same whether logged in or not. The idea that logging in should move you to a different context is an inconvenience based on the anachronistic idea that the “login point” is the starting point to access the system, and that you had no access or context of value before that. In conclusion, the bias of the “Login Test” is appropriate: sites that cannot preserve the context through a login should be counted as failing.
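One way a site can pass the Login Test is to carry the pre-login location through the login step as a “next” parameter and send the user back there afterwards. The wrinkle a security engineer would add is that the return target must be checked to be a path on the site itself, otherwise the login page becomes an open redirect to any host an attacker names. The code below is an added example, not from this post or any of the sites listed; the host `example.com` and the `/home` fallback are assumed placeholders.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qs

SITE_HOST = "example.com"  # assumed placeholder for the site's own host
HOME_PATH = "/home"        # assumed fallback when no safe context is known


def safe_return_path(candidate: Optional[str], default: str = HOME_PATH) -> str:
    """Reduce a pre-login location to a same-site path, or fall back to home.

    Accepts a relative path or an absolute http(s) URL on SITE_HOST and returns
    only its path, query and fragment. Anything else (another host, a
    scheme-relative //host, a non-http scheme, a backslash trick, or nothing)
    yields the default so the login page cannot redirect off-site.
    """
    if not candidate:
        return default
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default
    if parts.netloc and parts.netloc.lower() != SITE_HOST:
        return default
    path = parts.path or "/"
    # A path must be site-absolute; "//..." and backslashes can be read as a host.
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        return default
    return urlunsplit(("", "", path, parts.query, parts.fragment))


def login_link_for(current_url: str) -> str:
    """Build the login link a page embeds so the login handler knows the context."""
    return "/login?" + urlencode({"next": safe_return_path(current_url)})


def post_login_redirect(login_url: str) -> str:
    """Decide where the login handler sends the user after a successful login."""
    query = parse_qs(urlsplit(login_url).query)
    requested = query.get("next", [None])[0]
    return safe_return_path(requested)


if __name__ == "__main__":
    # Constructed walk-through of the Login Test on a blog post page.
    link = login_link_for("https://example.com/post/42?c=2")
    print(link)                       # /login?next=%2Fpost%2F42%3Fc%3D2
    print(post_login_redirect(link))  # /post/42?c=2 (context preserved: PASS)
    print(post_login_redirect("/login?next=https%3A%2F%2Fevil.example%2F"))  # /home
```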