Joshua Stengel

Everything...Is going...
To be okay!

Problem: Existing users will try to create new accounts

A typical web-based authentication system has two entry points: Sign In, for existing users, and Register, for new users. Problems arise when users don't know whether they already have an account, or when they fail to sign in and decide to create another account instead. Typically, when an existing user tries to register again, they get an error message or some instructions for recovering their information, and they may or may not bother with the effort.

Consider this: how likely is it that an existing user, when trying to create a new account, will use the same or similar information as when they first registered? Now imagine that the registration form also acted as a sign-in form, or that the sign-in form became step one of the registration process. It should be easy to attempt an authentication with the information in a registration form and skip creating a new account when an existing one is found, so why not do it?

I know what you're thinking: what if the user *doesn't* enter the same information? For example, what if the username is different but the provided email address matches an existing account? Trigger the account recovery process and tell the user what is happening. One caveat: once the registration form accepts credentials, it is a login endpoint and needs the same protections as the sign-in form (rate limiting or lockout on repeated failures, and recovery messages sent only to the address already on file, never to whatever address was just typed in).
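The flow described above, written out as an added example (this is not code from the original post; the class and method names, the in-memory store, the PBKDF2 hashing and the per-client rate limiter are all assumptions made for illustration). The registration handler first tries to authenticate with the submitted username and password; if that fails but the username or email already belongs to an account, it starts recovery and sends the token to the email on file rather than the one just typed; only when nothing matches does it create an account. Because the form now accepts credentials, it is rate limited like a login form.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    email: str      # normalized (stripped, lower-cased)
    salt: bytes
    pw_hash: bytes


def _hash_password(password: str, salt: bytes) -> bytes:
    # Assumed parameters; any slow salted hash would do for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class RegistrationAuth:
    """Constructed registration endpoint that doubles as a sign-in attempt.

    register() returns one of: "signed_in", "recovery_triggered",
    "created", "rate_limited".
    """

    MAX_ATTEMPTS = 5      # attempts per client per window (assumed policy)
    WINDOW_SECONDS = 600

    def __init__(self, clock=time.monotonic):
        self._by_username: dict[str, Account] = {}
        self._by_email: dict[str, Account] = {}
        self._attempts: dict[str, list[float]] = {}
        # Stand-in for the mail system: (address on file, recovery token).
        self.outbox: list[tuple[str, str]] = []
        self._clock = clock

    def _too_many_attempts(self, client_id: str) -> bool:
        # The registration form is now a credential-guessing surface,
        # so it gets the same throttling a login form would.
        now = self._clock()
        recent = [t for t in self._attempts.get(client_id, [])
                  if now - t < self.WINDOW_SECONDS]
        recent.append(now)
        self._attempts[client_id] = recent
        return len(recent) > self.MAX_ATTEMPTS

    @staticmethod
    def _normalize_email(email: str) -> str:
        return email.strip().lower()

    def create_account(self, username: str, email: str, password: str) -> Account:
        salt = os.urandom(16)
        acct = Account(username, self._normalize_email(email), salt,
                       _hash_password(password, salt))
        self._by_username[username] = acct
        self._by_email[acct.email] = acct
        return acct

    def register(self, username: str, email: str, password: str,
                 client_id: str) -> str:
        if self._too_many_attempts(client_id):
            return "rate_limited"

        email = self._normalize_email(email)
        # Prefer the username match; fall back to the email match.
        existing = self._by_username.get(username) or self._by_email.get(email)

        if existing is None:
            self.create_account(username, email, password)
            return "created"

        # Same username and the password verifies: treat the form as a sign-in.
        if existing.username == username and hmac.compare_digest(
                existing.pw_hash, _hash_password(password, existing.salt)):
            return "signed_in"

        # An account exists but the credentials do not verify. Start recovery,
        # but only ever mail the address already on file: the submitted email
        # is unverified and may differ from the account's.
        token = secrets.token_urlsafe(32)
        self.outbox.append((existing.email, token))
        return "recovery_triggered"
```

A wrong password on a known username deliberately lands in the recovery path rather than a "wrong password" error: the page's premise is that the person may not remember which credentials they used, and the recovery token reaches only the mailbox that already owns the account.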

By allowing authentication to happen in a registration form you can potentially:

  • Unobtrusively sign in existing users who didn't know they had an account.
  • Save user frustration by triggering the login recovery process for them using information they already provided.
  • Prevent abandonment by users not willing to make the traditional effort.

What do you think?  Anyone doing this or considering this approach? Why/why not?

Comments

rajbk said:

Make the registration process two step.

The first step asks for their email address. If the email address is not found, take them to the second step of the registration process. The registration step should collect a secret question/answer field and if possible, other personal information about the user.

If the email address is found, the user is told that an account with that email address already exists and is taken to the password recovery page. On the password recovery page, the user is prompted for a secret question or other personal information and, if they get it right, a temporary password is sent to the email.

A caveat is that a user will be able to create multiple accounts using a different email address/different information. This is possible with most registration based websites anyway.

I would not attempt authentication based on the information in a registration form - sounds risky. The only ways a person should be logged onto the system are:

a) valid username/password

b) knowledge of secret question/answer etc

c) password reset by admin after verifying the user

You could add more checks (roadblocks) depending on how secure you want the process to be.

In addition, don't forget a CAPTCHA like this one: http://recaptcha.net/

This could grow into a long comment so I am stopping for now:-)

Raj

# June 2, 2008 8:34 PM

jstengel said:

Thanks for the good comments Raj,

I know it *sounds* risky to just use the information from the registration form, but is it really?  Is the username/password somehow more valid on an official sign in form as opposed to the registration form, or does it just *feel* more valid?

I would argue the source of the credentials is not relevant, in many cases, to authentication--valid credentials are valid credentials. Now if "valid credentials" means more than just a correct combination of username/password, then maybe this won't work but the majority of authentication schemes just rely on username/password.

I've used the method of asking for an email address first as well, and that's not a bad way to go.

# June 3, 2008 10:57 AM