Wednesday, January 9, 2019

mobile application - Password recovery workflow for app and website


I work in a company that has four mobile apps. Those apps have an iOS and an Android version.


Also, we have the main website.


Having registered, users can log in to the main website or any of the apps. They can also recover their password either on the main website or in the apps.



Right now, our password recovery workflow asks for the user's email and then (if a user with the entered email is found) sends an email with a recovery link. This recovery email can be used just one time and has an expiration time of 24 hours.


The problems that we are facing are, for example:



  • users don't receive the email,
  • users receive it but it lands in spam,
  • users click the link in the email after it has expired,
  • users receive the email, click the link, which opens in a mobile browser, they change the password, but then forget to use it to log into the app,
  • etc.


I would like to know if there are any "new" password recovery workflows. For example, sending a push notification with a pin code, or sending a deep link to the app in the password recovery email, etc.



Any idea would be appreciated.


Thanks in advance.



Answer



I think that changing the whole password recovery system may be a lot of work, so I would suggest adding some quick fixes to the problems you have pointed out.


Users don't receive the email


This may be due to several circumstances:




  • a typo while providing the email during the password reset process – you can address it by adding email syntax validation,

  • they may have used an email address other than the one used during the registration – you have two ways to address this problem: the first would be checking if an account with this email exists, and giving the User the information if it has not been found in the system – however, this leads to a security and privacy flaw, so in many cases it is not the best way to go. The second option would be to at least give them this kind of information on the password recovery screen:

Not received the recovery link?

You may have used another address during the registration. [Try another address]



Users receive it but it lands in spam


This is something that you should probably approach from two sides:




  • check your mail server credibility – use a certificate to sign the emails and so on,
  • tell your Users to check the spam folder – this would be topping up the previously mentioned message with additional information:

Not received the recovery link?

  1. Check your spam folder.
  2. You may have used another address during the registration. [Try another address]





Users click the link in the email after it has expired

You can easily fix this one with information on the page the link leads to, saying:

This password reset link has expired. Would you like to send another one?

[Resend the password reset link]




I believe the User would not need to enter the email again.


Users receive the email, click the link, which opens in a mobile browser, they change the password, but then forget to use it to log into the app


Two solutions here:




  • as you mentioned, deep linking to the app would be a good solution, and it could either concern the password reset itself, which would then be done in the app, or you could redirect the User to the app after they perform the password reset – the link would need to include a token that would automatically log them in.

  • an easier, yet less effective, way would be to inform Users that they will need to log in to the app. You can do this either before they start the password recovery process, or on the "set new password" screen, or on the screen that appears after the new password is set:

You have successfully reset your password

Use it to log in to the apps or the website.
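The properties the question describes (a one-time link that expires after 24 hours) and the answer's two server-side points (not confirming whether an address is registered, and offering a resend from an expired link without asking for the email again) can be exercised together in a small token service. The code below is an added example, not code from the question, the answer or the company's apps; the in-memory `users` dictionary and the injectable clock are constructed stand-ins for a real user table and the system time.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 60 * 60  # the 24-hour validity window from the question
def _digest(token):
    # Only a hash is stored, so a leaked token table cannot be replayed as working links.
    return hashlib.sha256(token.encode()).hexdigest()
class PasswordResetService:
    def __init__(self, users, now=time.time):
        self.users = users  # email -> user id; stands in for the real user table (constructed)
        self.tokens = {}    # digest -> {"user": id, "exp": unix time}; a consumed token is deleted
        self.now = now      # injectable clock so expiry can be exercised deterministically

    def _issue(self, user):
        token = secrets.token_urlsafe(32)
        self.tokens[_digest(token)] = {"user": user, "exp": self.now() + TOKEN_TTL_SECONDS}
        return token

    def request_reset(self, email):
        # Same message whether or not the address is registered: the form must not reveal accounts.
        user = self.users.get(email.strip().lower())
        token = self._issue(user) if user is not None else None  # goes into the emailed link
        return "If an account exists for that address, a recovery link has been sent.", token

    def check_token(self, token):
        # Returns (state, user) with state 'valid', 'expired' or 'invalid'.
        rec = self.tokens.get(_digest(token))
        if rec is None:
            return "invalid", None
        if self.now() > rec["exp"]:
            # Expired links still identify the account, so "Resend" needs no email re-entry.
            return "expired", rec["user"]
        return "valid", rec["user"]

    def resend_after_expiry(self, token):
        # Fresh link for the account behind an expired (but genuine) token; the old one is retired.
        state, user = self.check_token(token)
        if state != "expired":
            return None
        del self.tokens[_digest(token)]
        return self._issue(user)

    def consume(self, token):
        # Single use: succeeds at most once and only while the link is still valid.
        state, user = self.check_token(token)
        if state != "valid":
            return None
        del self.tokens[_digest(token)]
        return user
```

The landing page would call `check_token` first and show the "This password reset link has expired" message with the resend button when the state is `expired`; only the final "set new password" submission calls `consume`.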


