Streamlining sign-in
‘What is there to fix?’
To get started: this project was done for Cryptlex, a SaaS company that provides software licensing (a locking mechanism of sorts) to software vendors. The service is used by users with different roles:
- Super Admin (Account Owner)
- Administrators & Tech Support
- Customers (Individual users and Organizations)
The edge-case
Signing in is straightforward until we introduce a particular edge case. A Super Admin can also be an Administrator on another Super Admin’s account, in which case signing in requires a username (the email address), a password (until the FIDO Alliance takes over with passwordless), and an account identifier.
The existing solution was to have two sign-in URLs: one for Super Admins, ‘app.cryptlex.com’, and another for Administrators and Customers, which contains the account identifier they need in order to sign in.
Problem
The Super Admins and the Administrators ultimately sign into the same application, the Admin Portal. However, they have to access it from separate URLs, which led to a lot of confusion, as indicated by the number of support tickets.
Customers sign in to a different application, the Customer Portal, to view and manage their software purchases (licenses). This application is usually white-labeled by software vendors with custom URLs and their own branding, so that their customers get a seamless experience and never need to know about Cryptlex.
References
This is not an uncommon problem; the idea of separate workspaces exists in many applications, including Slack.
Tests and iterations
Just use what Okta does
Okta had a good solution, one that creates the correct mental model upfront, so we decided to test it. We adapted its flow to our users as follows:
- Enter your email
- Select the account
- Enter password
- Press sign in
- Redirected to Admin Portal if credentials are correct
I found the above flow to be the most correct when it comes to creating mental models, but a majority of our users do not have multiple accounts, and they found the added friction to be tiring and unnecessary.
Just use what Slack does
Alternatively, we could have used a single set of credentials to sign in and then let the user choose which account to access. However, for security reasons, and because different accounts have varying compliance requirements, we could not choose this method.
Solution
After testing multiple combinations of user flows, we found one that neither upset users with a single account nor caused any issues for users with multiple accounts. While the solution was supported by all users, I was not particularly happy about how it portrays the incorrect mental model. The user flow is as follows:
- Enter your email
- Enter your password
- Press sign in
- Prompted to select account (if multiple)
- Redirected to Admin Portal if credentials are correct
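The chosen flow still has to honour the reason the Slack-style flow was rejected: each account keeps its own credential, so the password must be checked per account and the selection prompt must only ever offer accounts the password actually proved. The sketch below is an added illustration of that server-side logic, not Cryptlex's code; the record layout, the constructed sample directory (alice, bob, the acme/globex/initech account ids and their passwords) and the in-memory pending-selection token are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PBKDF2_ROUNDS = 50_000  # assumption; a real deployment tunes this to its hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 password hash (one of several acceptable choices)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass(frozen=True)
class Membership:
    """Hypothetical record: one user's credential inside one account.
    Because compliance rules differ per account, the password is stored per
    membership rather than once per email address."""
    account_id: str
    role: str
    salt: bytes
    password_hash: bytes


def _membership(account_id: str, role: str, password: str) -> Membership:
    salt = secrets.token_bytes(16)
    return Membership(account_id, role, salt, hash_password(password, salt))


# Constructed sample directory (not real data): alice owns acme, is an
# administrator on globex with the same password, and on initech with a
# different one; bob belongs to a single account.
DIRECTORY = {
    "alice@example.com": [
        _membership("acme", "super_admin", "shared-pass"),
        _membership("globex", "admin", "shared-pass"),
        _membership("initech", "admin", "initech-only"),
    ],
    "bob@example.com": [_membership("globex", "admin", "bob-pass")],
}

_DUMMY_SALT = secrets.token_bytes(16)
_PENDING = {}  # selection token -> (email, accounts the password proved)


def sign_in(email: str, password: str) -> dict:
    """Steps 1-3 of the flow: email + password, then decide redirect vs. prompt."""
    memberships = DIRECTORY.get(email.lower(), [])
    if not memberships:
        # Spend the same hashing work for unknown emails so response time
        # does not reveal whether the address exists.
        hash_password(password, _DUMMY_SALT)
        return {"status": "invalid"}
    # Check every membership (no early exit) and keep only those the
    # password actually matches.
    matched = [
        m.account_id for m in memberships
        if hmac.compare_digest(hash_password(password, m.salt), m.password_hash)
    ]
    if not matched:
        return {"status": "invalid"}
    if len(matched) == 1:
        return {"status": "redirect", "account": matched[0]}
    # Step 4: more than one account proved; issue a single-use token bound
    # to exactly that set so the later choice cannot be widened client-side.
    token = secrets.token_urlsafe(32)
    _PENDING[token] = (email.lower(), frozenset(matched))
    return {"status": "select", "token": token, "accounts": sorted(matched)}


def select_account(token: str, account_id: str) -> dict:
    """Step 4 continued: accept the choice only if it is in the proved set."""
    pending = _PENDING.pop(token, None)  # single use, whether or not it succeeds
    if pending is None or account_id not in pending[1]:
        return {"status": "invalid"}
    return {"status": "redirect", "account": account_id}


if __name__ == "__main__":
    first = sign_in("alice@example.com", "shared-pass")
    print(first["status"], first.get("accounts"))          # select ['acme', 'globex']
    print(select_account(first["token"], "globex"))        # redirect to globex
    print(sign_in("alice@example.com", "initech-only"))    # redirect to initech
```

The point the example makes is that "prompted to select account (if multiple)" is a decision the server takes after verifying the password against each membership, and the prompt is then bound to that verified set by a one-shot token; a client that posts an account id it was never offered gets the same "invalid" answer as a wrong password.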
As part of this change, we also planned to remove the cryptlex.app URLs to prevent any further trust issues caused by redirecting from cryptlex.com to cryptlex.app.
Acknowledgements
I would like to thank:
- The Domain Name System for allowing 127 levels of Subdomains.
- Matej Latin for his extremely helpful case study at GitLab
- Pablo Stanley for the Open Peeps library