Ask HN: Best user model for a web application?
What are the evolving best practices for new web applications that need to authenticate users? Which of the following do most users prefer?
username (short alphanumeric, no spaces, not an email)
email address
full name (longer, allow spaces and unicode)
social auth (eg. FB connect, OAuth)
The classic username/password is low friction but lost passwords can't easily be dealt with. But if you use email for auth, you still need some kind of username or real name in order to refer to users without publishing their email address.What sites do you know of that do user account management very well? Very poorly? Any pointers to good research on this from a user perspective?
4 comments
[ 2.9 ms ] story [ 21.3 ms ] threadFB auth might not be appropriate for B2B and github login wouldn't be appropriate for a non-dev user base.
My guess is that you need to think about your users. Who are they? Why are they using your app? Your goal here is to reduce friction and you can only do that by offering options specifically selected for your users.
As an actionable, go find someone who you expect would find your app useful, ask them. Find your competitors and see what they're doing - even better if you find something missing.
I've been thinking on this on my app, and I don't really need to know who they are, in fact I would prefer they couldn't use whatever they normally go by on other sites (prevent name squatting, spoofing, etc), that there clearly is no assumption by username/handle you are communicating with is who you think they are. So minimally I would want:
User Name (handle) Email or Text number (verification) Login password
Now, thinking on no previous usenames, to reduce the instance of actual user name/handle I plan to require a first and last user handle with one of either being a name from a supplied list of generic names, the other something they come up with.
The list of names would include stuff like this: 'Coyote' ,'Crazy' ,'Desert' ,'Doc' ,'Dog' ,'Farmer' ,'Forrest'
In answer to your question, if it was a different app I'd do something completely different. You have to get in the mind of your audience and your revenue source of what would be appropriate.
My primary intent with requiring registration is to deter (a little) spam or bots or just bad behavior. Most content is readable anonymously but to POST to my database I want restricted to registered accounts.
I suppose email with a verification step is the best way to go but increases friction and requires more thought to security. But it also allows for password recovery which you can't do unless you can associate an email with an account.
Well theres also message number possibility with twilio looks pretty cheap to do sms/voice verification. then you can get the mobile crowd too.