JavaScript isn't enabled in your browser, so this file can't be opened. Enable and reload.

1 of 77

Consumer App Auth UX�Best practices for simple and secure sign-in and sign-up

Steven Soneff

Product Manager - Google Identity Platform�sso@google.com

2 of 77

Google | SIMux | Proprietary & Confidential

3 of 77

Password?

Username?

Google | SIMux | Proprietary & Confidential

4 of 77

5 of 77

6 of 77

7 of 77

Duck by Christopher T. Howlett from the Noun Project

8 of 77

Duck by Christopher T. Howlett from the Noun Project

9 of 77

Duck by Christopher T. Howlett from the Noun Project

10 of 77

Duck by Christopher T. Howlett from the Noun Project

11 of 77

Duck by Christopher T. Howlett from the Noun Project

12 of 77

Duck by Christopher T. Howlett from the Noun Project

13 of 77

Duck by Christopher T. Howlett from the Noun Project

14 of 77

Duck by Christopher T. Howlett from the Noun Project

15 of 77

Duck by Christopher T. Howlett from the Noun Project

16 of 77

Duck by Christopher T. Howlett from the Noun Project

17 of 77

Duck by Christopher T. Howlett from the Noun Project

18 of 77

Duck by Christopher T. Howlett from the Noun Project

19 of 77

Duck by Christopher T. Howlett from the Noun Project

20 of 77

Duck by Christopher T. Howlett from the Noun Project

21 of 77

Duck by Christopher T. Howlett from the Noun Project

22 of 77

Duck by Christopher T. Howlett from the Noun Project

23 of 77

Duck by Christopher T. Howlett from the Noun Project

24 of 77

Auth UX is complex.

Did I use that?

Still have password...

Do I need to click this?

Yes, but which?

Still need this...

25 of 77

54%

Bad UX

=

Bad conversion

Registration abandonment

26 of 77

Principles of Auth UX�

Ask at the right time

Go identifier first

Make sign-up easy

Keep people signed-in

Link existing accounts

Don’t build it yourself!

27 of 77

Ask at the right time

Sign-in screens scare people away.

Pandora

I just want to try it out!

Really? Why?

Is it worth it?

What is this app?

28 of 77

Ask at the right time

First show what your app does

Captain Train?

29 of 77

Ask at the right time

First show what your app does

Let user try things before signing up

Hotels.com

30 of 77

Ask at the right time

First show what your app does

Let user try things before signing up

Explain why account creation is useful

Guardian?

31 of 77

Go identifier first

People are easily confused.

Did I use this?

Let me try my email...

Yes, but which?

Do I have one?

Not sure?

32 of 77

Go identifier first

Merge sign-in and sign-up�don’t duplicate UI!

Pinterest

33 of 77

Go identifier first

Merge sign-in and sign-up

Ask for identifier first�email address, phone number, etc.S

Eventbrite

34 of 77

Go identifier first

Merge sign-in and sign-up

Ask for identifier first

Steer to sign-up or sign-in intelligently e.g. with an identity provider, with password, etc.

35 of 77

Make sign-up easy

Every step adds friction.

Wego

Type this twice...

Do you really need it?

Why ask upfront?

Hate giving this!

Ah! More!

Why not auto-populate?

36 of 77

Make sign-up easy

Use APIs to fill info�Account Choosers, Google / Facebook Login, �Smart Lock HintRequest

Alibaba

37 of 77

Make sign-up easy

Use APIs to fill info

Ask for info only when needed�don’t ask for social or payment info upfront!

Doodle

38 of 77

Make sign-up easy

Use APIs to fill info

Ask for info only when needed

Minimize typing, avoid duplicates�search “why the confirm password field must die”

39 of 77

Make sign-up easy

Use APIs to fill info

Ask for info only when you need it

Minimize typing, avoid duplicates

Defer password creation�e.g. email user to set password later

Evernote

Hi,��Welcome to Food!

You can set a password here later, if you need it.

Thanks,

The Team

40 of 77

Keep people signed-in

Signing back in shouldn’t be hard.

Quora

Screw it, I give up.

41 of 77

Keep people signed-in

Sign existing users in automatically�e.g. Smart Lock, Facebook / Google Sign-In APIs

42 of 77

Keep people signed-in

Sign existing users in automatically

Use identifier to tell user how to sign-in�if user doesn’t have a password, let them know!

NYTimes

43 of 77

Keep people signed-in

Sign existing users in automatically

Use identifier to tell user how to sign-in

Manage and refresh sessions�e.g. user OAuth 2.0 access/refresh tokens

TBD

44 of 77

Link existing accounts

Duplicate accounts suck.

Error message

What’ll happen here?

What about my old account?

Which one last time...

Can I sign up again?

Now I have multiple accounts!

45 of 77

Link existing accounts

Check identifiers for existing accounts�don’t create a duplicate account!

46 of 77

Link existing accounts

Check identifiers for existing accounts

Help user link accounts securely�Facebook is not authoritative email provider

NYTimes

47 of 77

Link existing accounts

Check identifiers for existing accounts

Help user link accounts securely

Key on ID (not email / phone number)�user’s Google/Facebook email/phone number may change

48 of 77

Don’t build it yourself!

It will only lead to trouble.

Diagram

Ahhhh!

49 of 77

Don’t build it yourself

Avoid handling user passwords�you’ll get hacked eventually!

50 of 77

Don’t build it yourself

Avoid handling user passwords

Use (authoritative) identify providers�go passwordless!

GitKit screenshot

51 of 77

Don’t build it yourself

Avoid password DB toxic waste dump

Use (authoritative) identify providers

Leave it to the professionals!

52 of 77

let’s try it out!

53 of 77

54 of 77

55 of 77

56 of 77

57 of 77

58 of 77

59 of 77

60 of 77

Now do it a couple more times

61 of 77

62 of 77

63 of 77

Keep updated and in good working order

64 of 77

LOCs written per platform

>5k

>3k

>8k

65 of 77

Firebase

Auth + UI

66 of 77

LOCs needed per platform

5

>5k

>8k

7

>3k

7

67 of 77

Customizable UI: Theming

68 of 77

https://github.com/firebase/FirebaseUI-iOS

https://github.com/firebase/FirebaseUI-Android

69 of 77

FirebaseUI Auth

Off the shelf UI flows
Implements best practices learnt over the years at Google
Simple Customization via themes, overrides, and CSS
Open Source, hosted on GitHub
Part of the product and will keep evolving

70 of 77

Managed authentication backend

6 sign-in methods, anonymous accounts

Client SDKs for Android, iOS and Web

Server SDKs for NodeJS, Java

Console for setup and user management

Firebase Auth

71 of 77

Principles of Auth UX�

Ask at the right time

Go identifier first

Make sign-up easy

Keep people signed-in

Link existing accounts

Don’t build it yourself!

72 of 77

Thank You!

Steven Soneff

sso@google.com

developers.google.com/identity

Smart Lock for Passwords

Firebase

Auth

Google �Sign-In

73 of 77

Go identifier first

Merge sign-in vs sign-up

Ask user for their email address, phone number, username, etc. first!

Intelligently steer them to create account, or sign in the right way (with IDP, password, SSO provider, etc.)

See last year’s CIS talk.

74 of 77

One-tap sign-up

Make it easy to sign up

Get basic info first with IDP or account chooser / hint selector

Ask for additional information incrementally

Don’t let user type stuff in manually :/

Defer password creation or generate a password!?

75 of 77

Keep users signed-in

Sign-in users with existing accounts automatically

Check when app starts: use IDP SDKs, Credential Management / Keychain APIs

Trigger the right flow based on saved info (IDP auth, u/p session set-up, SSO, etc)

Use session management to keep user signed-in! (access / refresh tokens)

76 of 77

Link existing accounts

Check identifiers for existing accounts

Help user (securely) link to an existing account

Use sub (not email / phone number) when available!

77 of 77

Don’t build it yourself

Password DB in a toxic waste dump.

IDP integration is tricky: security, account linking, recovery, etc.

Use an off-the-shelf solution instead of building something from scratch!

e.g. Firebase Auth, Auth0, AccountKit, etc.