Lock Account After 4 Failed Tries. Good UX or Bad UX?
A thought regarding situations where UX competes with Security.
Imagine this situation.
You need to log in to a rarely used but essential online service.
You enter your email address and then type what you believe is the right password.
“Wrong Password or Email Address” says the website.
You try again with another possible password.
“Wrong Password or Email Address” says the website.
You try one more time with some other likely password.
“Wrong Password or Email Address” says the website.
You also get another condemning message.
“For your security, you’ll have one more attempt before your account is locked”
Alright. So clearly, you don’t remember this password, or maybe you made a typo in a previous attempt, but now you can’t retry any of those passwords because your account will get locked. So the only logical thing to do is to reset the password.
So you do that. You get an email that says, “Click Here to Reset Password.” That takes you to a page that prompts you to enter a new password, so you do that.
“You can’t use a previously used password. Try another password.”
Sigh…
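To make the policy in that story concrete, here is an added example (not code from the original post) of a login flow that locks the account on the fourth failed try, shows the “one more attempt” warning after the third, and, on reset, refuses any password the account has used before. The class and function names are invented for the illustration.

```python
import hashlib, hmac, os

MAX_ATTEMPTS = 4   # the account locks on the 4th failed try, as in the post
ERROR = "Wrong Password or Email Address"
WARNING = "For your security, you'll have one more attempt before your account is locked"
LOCKED = "Your account is locked. Please reset your password."
REUSED = "You can't use a previously used password. Try another password."

def _digest(password, salt):
    # PBKDF2 with a per-account salt; a real service would use a tuned KDF
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.current = _digest(password, self.salt)
        self.history = []        # digests of previous passwords
        self.failed = 0
        self.locked = False

def login(acct, password):
    """Return (ok, message). Failures reply with one generic message so the
    response does not reveal whether the email address exists."""
    if acct.locked:
        return False, LOCKED
    if hmac.compare_digest(_digest(password, acct.salt), acct.current):
        acct.failed = 0           # a good login clears the counter
        return True, "Welcome back"
    acct.failed += 1
    if acct.failed >= MAX_ATTEMPTS:
        acct.locked = True
        return False, ERROR + ". " + LOCKED
    if acct.failed == MAX_ATTEMPTS - 1:
        return False, ERROR + ". " + WARNING   # the 'one more attempt' notice
    return False, ERROR

def reset_password(acct, new_password):
    """Reset via the emailed link: refuse any password the account used before,
    then unlock and clear the failure counter."""
    new = _digest(new_password, acct.salt)
    if any(hmac.compare_digest(new, old) for old in [acct.current, *acct.history]):
        return False, REUSED
    acct.history.append(acct.current)
    acct.current, acct.failed, acct.locked = new, 0, False
    return True, "Password updated"
```

Note that the reuse check covers the current password too, which is exactly what trips the user in the story: they reset to the password they already had.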
Ok. So some facts about this particular situation. If you’re trying to access a service in a regulated industry where security is critical (like banking), this is pretty much an unavoidable scenario. At this point, you should be using a password manager anyway, although most people don’t (https://www.statista.com/forecasts/985146/using-password-managers-in-the-uk).
But what if this is not a security-critical service? Is locking an account good UX or bad UX?
One could argue that anything done in the spirit of security is good UX in essence. So although it’s frustrating for the customer to reset their password, they are being protected in a world where password leaks happen every day, and people still re-use their password across multiple services (https://www.zdnet.com/article/44-million-microsoft-users-reused-passwords-in-the-first-three-months-of-2019/).
But the reality is that this scenario is very frustrating. It feels like bad UX even though it’s entirely the result of user error.
But here is an alternative view of the problem. Most people will try for several minutes to log in to an account before they finally concede that they don’t know it and go through the process of resetting it. Why let users fail miserably multiple times when there’s a method available to regain account access?
When I think about it, I feel that giving a warning to the user that their account might be locked is just the equivalent of telling them, “Dude, you don’t know the password. Just reset it and stop being stubborn.”
You’ve got to appreciate that subtle sincerity, the same way you understand when a friend tells you that you’re fucking up something (you might not like it, but it’s what you need to hear at that time).
So my opinion is that this is a good UX that feels bad. It’s like eating your vegetables when you’re a kid. They are good for you, but they taste terrible.
Regardless of your opinion about this situation, I think we can all agree that passwords, in general, are a broken experience that never feels good. But for now, we can do at least some things to make it slightly better:
If you’re a user, consider buying a password manager. They are not perfect. But they’re better than the default “password in your mind” experience.
If you’re a developer, consider giving users alternative authentication methods like email magic links. Substack and Slack do it. Many more should.
For more random thoughts, follow me on Twitter: @whoisjuan.