UX designers and coders take note: nothing will frustrate your users more than being asked for login credentials and being told that they’re wrong.
This is especially true when the user (me) is trying to enter a long alphanumeric password on a tablet with a stylus. Every time the user sees “username and password don’t match”, they will naturally assume that they’ve hit an extra key or capitalized something accidentally, and will grumble to themselves as they try again. Things get even more fun when the password field is masked with stars to prevent shoulder surfing.
It’s pretty easy to humble your user this way. So easy, in fact, that you should spend time analyzing the user’s task to see if you’re asking them the right questions and giving them enough help…
Case in point: Google Play Store. I have a very low cost (cheap) tablet on which I managed to load the Google Play packages. When asked to log in to my Google account, I received the very helpful response “username and password do not match”. I attempted to log in several times with my normal credentials and failed every time. There were any number of reasons for this to have failed (including the fact that my tablet was unsupported, ahem), but the real reason was ridiculous:
I use Google’s two-factor authentication.
Logging in to Google from a new computer usually means entering my username, password, and then a 6-digit number that is sent to my cellphone over SMS. If I enter the user/pass incorrectly, the error is “username and password do not match.” If I enter the 6-digit number incorrectly, the error is something like “incorrect PIN.” This is a straightforward proposition: enter your Google username, your Google password, and the PIN that Google sends to you; if you get something wrong, you either entered the user/pass incorrectly or you mistyped the PIN.
Google Play’s device login, however, doesn’t mention anything about PINs or two-factor authentication. A naive user, like myself, assumes that he must enter his normal Google username and his normal Google password. But that’s wrong. Normal username, yes, but you must enter your “application specific password”.
What’s that? Rather than implementing the SMS PIN step, Google lets you create a sort of special password that you only use on mobile devices or desktop apps. There are many good reasons for doing this: it’s extra security against rogue apps or compromised devices (not exposing your main Google credentials), it saves developers using Google APIs from having to rework their products, and the application-specific password is made only of lower-case letters so that mobile users won’t have to fiddle with entering special characters.
Good reasons, all of them. But it all falls apart at the user interface. Users are dependent on the UX designer to give them the information they need for the task. Failing to mention that “password” could mean “application-specific password” is a big omission. Google’s support site does mention the issue, and users of 2-factor authentication are told in advance to expect this behaviour, but that doesn’t cut the mustard.
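One way to build the device-login path described above, as an added example (not Google’s code): application-specific passwords are generated from lower-case letters only, stored hashed and revocable per device, and every failed device login carries the hint that 2-step users need an application-specific password. The hint is deliberately not conditioned on which password was typed, so the message never confirms a guessed main password or reveals whether 2-step verification is on. The class and function names, the 16-letter length and the iteration count are assumptions.

```python
import hashlib
import hmac
import secrets
import string

APP_PASSWORD_LEN = 16  # assumed length; 16 lower-case letters is about 75 bits
_ITERATIONS = 100_000  # assumed PBKDF2 work factor


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, _ITERATIONS)


class Account:
    def __init__(self, username: str, main_password: str, two_factor: bool):
        self.username = username
        self.two_factor = two_factor  # True: web login also needs the SMS PIN
        self._salt = secrets.token_bytes(16)
        self._main_hash = _hash(main_password, self._salt)
        self._app_passwords = {}  # device label -> (salt, hash), revocable one by one

    def issue_app_password(self, label: str) -> str:
        # Lower-case letters only, so it is easy to type on a tablet keyboard.
        pw = "".join(secrets.choice(string.ascii_lowercase)
                     for _ in range(APP_PASSWORD_LEN))
        salt = secrets.token_bytes(16)
        self._app_passwords[label] = (salt, _hash(pw, salt))
        return pw  # shown to the user once; only the hash is kept

    def revoke_app_password(self, label: str) -> None:
        self._app_passwords.pop(label, None)


# Static hint shown on every device-login failure, whatever the cause, so the
# wording itself is not an oracle about the main password or the 2FA setting.
DEVICE_HINT = ("Username and password do not match. If you use 2-step "
               "verification, sign in here with an application-specific password.")


def device_login(account: Account, password: str) -> tuple:
    """Login channel for devices that cannot show the SMS PIN step."""
    for salt, stored in account._app_passwords.values():
        if hmac.compare_digest(_hash(password, salt), stored):
            return True, "ok"
    # The main password is accepted here only when the account has no 2FA;
    # with 2FA on, this channel cannot complete the PIN step, so it is refused.
    main_ok = hmac.compare_digest(_hash(password, account._salt), account._main_hash)
    if main_ok and not account.two_factor:
        return True, "ok"
    return False, DEVICE_HINT
```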
Now, back to my under-powered plastic tablet and its slight violations of terms of service…