Reprinted from ASAE’s TechnoScope Newsletter, December 2009

By: Jacqui Olkin

Is cumbersome website security limiting your site’s success and hurting your relationship with site users? Here are some tips for making your website secure and user friendly.

If your website includes members-only content or other secure features, such as discussion forums or collaborative workspaces, it may be tempting to put your own security needs ahead of site users’ convenience. But site security that is not user-friendly can actually limit the use and awareness of valuable content and features and hurt your organization’s relationship with the people you serve.

The most successful websites are organized, labeled, designed, and built to match the needs, interests, and mental models of the people who use them. Security features, like all other web properties, should be created with site users in mind. If they’re not, site users may never get to the members-only features of your site or may call or email you for help. Either way, you’ll pay a price for not making your security user-friendly.

You can make your site security more usable, and encourage more active use of your site, by focusing on some of the major security features users encounter.

Usernames. Unique IDs, or usernames, can be a stumbling block to logging into secure sites, especially when the username is a hard-to-remember identifier automatically assigned by an association management system (AMS). Make it easy on your site users by using their primary email address as their username. You’ll encourage them to log in—and reduce the number of calls and emails you get about this issue.

Passwords. Passwords, like usernames, are necessary but can be problematic. It’s best to allow users to make up their own passwords to improve the likelihood that they will remember. One current practice is to allow pass phrases of up to 40 characters. A phrase can be more secure than a typical alphanumeric password, and more memorable: People who haven’t played a musical instrument since childhood may remember the notes on the treble clef (E, G, B, D, and F) because of the phrase, “Every Good Boy Does Fine.”

Some sites’ stringent requirements for password format and strength can make it difficult for users to formulate an acceptable password, let alone remember it. If you require a certain password format, make the requirements as humane as possible to save users time and trouble in the creation and retrieval of passwords.
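The contrast between a composition-heavy password rule set and a length-first rule set that admits pass phrases, shown as an added example that is not part of the original article. The strict policy's limits and the twelve-character minimum in the pass-phrase policy are assumed values; the 40-character ceiling is the article's own figure, and the blocklist is a constructed stand-in for a real one.

```python
import re
import unicodedata

# Constructed list standing in for a real blocklist of common passwords.
COMMON_SECRETS = {"password", "passw0rd", "letmein", "qwerty123456", "iloveyou"}


def strict_policy(password: str) -> list[str]:
    """A typical composition policy (assumed limits): 8 to 12 characters,
    upper and lower case, a digit, a symbol, no spaces.
    Returns the list of rules the candidate fails; empty means accepted."""
    problems = []
    if not 8 <= len(password) <= 12:
        problems.append("length must be 8 to 12 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("needs an uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("needs a lowercase letter")
    if not re.search(r"\d", password):
        problems.append("needs a digit")
    if not re.search(r"[^\w\s]", password):
        problems.append("needs a symbol")
    if re.search(r"\s", password):
        problems.append("may not contain spaces")
    return problems


def passphrase_policy(password: str, min_len: int = 12, max_len: int = 40) -> list[str]:
    """A length-first policy: any characters including spaces, up to 40
    characters (the article's figure), rejecting only short candidates and
    common choices. The 12-character minimum is an assumed value."""
    normalized = unicodedata.normalize("NFKC", password)
    problems = []
    if len(normalized) < min_len:
        problems.append(f"use at least {min_len} characters; a phrase is fine")
    if len(normalized) > max_len:
        problems.append(f"use at most {max_len} characters")
    if normalized.strip().lower() in COMMON_SECRETS:
        problems.append("that password is too common")
    return problems


if __name__ == "__main__":
    for candidate in ("Every Good Boy Does Fine", "Tr0ub4dor&3", "iloveyou"):
        print(repr(candidate),
              "| strict:", strict_policy(candidate) or "accepted",
              "| passphrase:", passphrase_policy(candidate) or "accepted")
```

Run stand-alone, the script shows the composition policy rejecting the article's memorable phrase on four counts while accepting a short string nobody will remember, and the length-first policy doing the reverse.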

To solve both the username and password problems, you might also consider allowing the use of OpenID on your site. This option is available for users who have accounts.

Remember Me and Forgot Password. Regardless of how user-friendly you make your username and password standards, people will forget their logons and they will expect instant help. Have a prominent “Remember Me” feature on your logon area that retains the username and password so users don’t have to type them in every time they log in. You could also provide a “Keep Me Logged In” option that keeps users logged in on their own computers. Provide a “Forgot Password” feature that sends users their password or a link that allows them to change the forgotten password to something new.

Logon area. To encourage people to log in, make your logon area easy to see, and keep it in the same location on each page of your site. An area with fields for entering the username and password is typically easier to see than a link that says, “Log In.” Make sure the username and password fields are distinct and well labeled. If the username is an email address, it can be helpful to have a note to that effect near the username field, or sample text in the field that shows an email format.

It is common these days to see the logon area in the top right quadrant of the page. The standard location for “Search” is in the upper right corner, and we don’t want site users to confuse the search field and logon fields. Make sure “Search” and “Log In” are visually differentiated and well labeled, to avoid confusion.

Logon function. When site users click a link to a secure page or feature, they should be prompted to log in and provided with the appropriate username and password fields on a new page or layer. Once users log in successfully, they should be able to access the material they originally clicked on. It sounds pretty obvious, but some sites direct logged-in users to a page that lists links to numerous secure content items and functions, forcing the users to look for what they originally clicked on. You can do better by configuring your site to retain users’ session information, which can include their identity and/or role and the pages they request during a session. Once users log in, they can be directed to the content they requested or to a gentle error message that tells them they don’t have the required access.
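The logon flow described above, as an added example that is not the article's or any product's code: the page the visitor asked for is remembered in the session, the login prompt is shown, and after a successful login the visitor lands on that page or on a plain access message. The path-to-role rules, the login path and the message text are assumed values. The remembered path is checked to be a same-site relative path before it is used, so a crafted login link cannot send a freshly logged-in member to another site, and the session is reissued on login.

```python
import secrets
from urllib.parse import urlsplit

# Constructed access rules (assumed): path prefix -> roles that may see it.
ACCESS_RULES = {"/members/": {"member", "staff"}, "/staff/": {"staff"}}
LOGIN_PATH = "/login"
DENIED_MESSAGE = "Sorry, your account does not include access to this area."


def safe_return_path(candidate: str) -> str:
    """Accept only a same-site relative path for the post-login redirect.
    A scheme, a host, a protocol-relative '//' prefix, a backslash or an
    unparsable value all fall back to the home page."""
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return "/"
    if parts.scheme or parts.netloc:
        return "/"
    if not parts.path.startswith("/") or parts.path.startswith("//") or "\\" in candidate:
        return "/"
    return parts.path + ("?" + parts.query if parts.query else "")


def required_roles(path: str) -> set[str]:
    for prefix, roles in ACCESS_RULES.items():
        if path.startswith(prefix):
            return roles
    return set()


def handle_request(session: dict, path: str) -> tuple[str, str]:
    """Serve the page, prompt for login, or explain the missing access.
    Returns (outcome, detail) with outcome one of 'ok', 'login', 'denied'."""
    roles = required_roles(path)
    if not roles:
        return ("ok", path)
    user = session.get("user")
    if user is None:
        session["return_to"] = path          # remember what the visitor asked for
        return ("login", LOGIN_PATH)
    if not roles & user["roles"]:
        return ("denied", DENIED_MESSAGE)    # the gentle error, not a bare 403
    return ("ok", path)


def after_login(session: dict, user: dict) -> str:
    """Called once the credentials have been verified. Returns the path to
    redirect to: the remembered page if it is safe, otherwise the home page."""
    target = safe_return_path(session.get("return_to", "/"))
    session.clear()                          # drop pre-login state
    session["id"] = secrets.token_hex(16)    # fresh session id on login
    session["user"] = user
    return target


if __name__ == "__main__":
    session = {}
    print(handle_request(session, "/members/journal?year=2009"))   # ('login', '/login')
    member = {"email": "member@example.org", "roles": {"member"}}
    print("redirect to:", after_login(session, member))            # the journal page
    print(handle_request(session, "/members/journal?year=2009"))   # ('ok', ...)
    print(handle_request(session, "/staff/reports"))                # ('denied', ...)
```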

What lives behind the logon. Is a logon obscuring your value? Some sites put all content for members behind a logon, making it literally “members only”—but also hiding it from members who don’t know what they’ll get if they log in, and others who might become members if they could see the value of the hidden material. If there are areas of your site that really shouldn’t be seen by people who don’t fall in a certain site audience segment, by all means, secure them behind a logon. But if the content is not sensitive, it may be better to simply identify it (using metadata) as being relevant to a certain audience, industry specialty, or task and use navigation to target it more effectively.

It can be helpful to expose a portion of secure content and functionality publicly as a teaser, to let people know what is available and why it’s valuable. These teasers can encourage members to log in, and can give nonmembers a sense of what they are missing by not joining your organization. If it has marketing value, show it off a bit—even if someone has to log in to get complete access.

Single Sign On (SSO). Association websites can be interwoven systems with various integration points. The content management system (CMS) may integrate with an association management system (AMS), a customer relationship management system (CRM), collaboration tools and workspaces, RSS feeds, blogs, other social media sites and modules, journal publishing sites, learning management systems (LMS), and other applications.

Your website users don’t care how your site is constructed. They shouldn’t be aware that when they finish reading about your upcoming conference and click the “Register” link, they are passed through from your CMS to your AMS. The user experience on your site should be seamless—wherever the user clicks, regardless of security requirements. Achieving this aim is partly a matter of making your site’s visual design and navigation as consistent as possible throughout. But a seamless user experience also relies on an SSO environment that passes the logged-in users’ credentials to every web property encountered during a session, enabling access to secure areas without the need to log in multiple times.

Site users expect websites to “know” who they are, what they have access to, and even what they have done in the past and might like in the future (as on SSO supports the perception that your organization knows the people who use your site, and it makes it easy for them to interact online with you and each other.

The Bottom Line

Website security is important, but security concerns should not overshadow or thwart the main purposes of association websites—to inform, communicate, and build relationships. Make your site friendly to those who use it, and they will return the favor.

Jacqui Olkin’s company, Olkin Communications Consulting, offers web usability, information architecture, taxonomy, and content management consulting to associations. Contact us by email. Twitter: @OlkinComm