The God Login Checklist

Jeff Atwood over at CodingHorror wrote an expansive post about optimizing user registration, login and related website functionality for ideal user experience. In short, the best login would be no login at all, but until then there are a variety if things you can do to raise the bar on your registration and login experience.

The God Login is a great read and I wanted to put it in a simple checklist so that developers can audit their current login features and spec new ones with as many of these important aspects as possible. Thanks Jeff!

1. Users can register/login using site-appropriate federated (OAuth) integrations (Facebook Login, Google+, etc)
2. Users can always login using an email to identify their account. Usernames are an optional alternatives.
3. User sees ‘Account not found’ message when attempting to login with an email that is unknown. (Don’t be ambiguous about account existence for security reasons)
4. Users can switch easily between Registration and Login forms
5. Use consistent call-to-action language throughout the site for ‘Login’ and ‘Signup’ functions. Whichever terms you pick, stick with them.
6. Verify that the Email/Username and Password fields are compatible with form-fill functionality in each of the major browsers.
7. Password field shows ‘Caps-lock’ indicator when activated
8. Enable ‘Reveal’ Password feature for browsers that support it
9. Provide autocorrect hints for mistyped email/domains ‘You entered person@gmal.com’. Did you mean person@gmail.com?’
10. Disallow insecure passwords including too short, common passwords, same as email, etc.
11. Users can complete login/registration form with keyboard only: field-tab-field-enter
12. Rate limit all registration, login, password reset attempts
13. Log all registration, login, password reset attempts