Why UX Matters or How Color (and other) Choices Can Ruin an Identity Experience for Users

I’m not writing this to shame a company, though I do plan to share this post with them in hopes that they can make some adjustments that will benefit customers in the future. As such, I’ll do my best to mask their identity as much as reasonably possible.

Before doing so, I want to back up a second. When I am attempting to convey to someone how critical digital identity is to their product or service, I start with this premise: The experience of managing their digital identity is often their very first interaction with your product or service. If a login is required, it is usually the proverbial front door every time they use your service. Getting that right, consistently, is critical to your success.

On Sunday of last week, I had an interesting UX lesson in how colors can influence user choices and, in this case, result in a horrible experience trying to manage an identity/account. To be clear, it wasn’t just colors that created the experience, but I’ll illuminate the additional issues below.

Due to an illness, I was trying to access my remote care service that lets me speak with a doctor for basic first aid/primary care. It is a terrific service for times when I have poison ivy (usually once a year) or an average ear infection (not yearly, but pretty common). It usually saves me a primary care visit and I get a script called into my pharmacy pretty quickly. In some years, I talk to them more than I do my primary care physician. It is usually a huge time and money saver.

To expedite receiving a call, I have a profile set up through their website. I did this a few years ago. Today, I tried to log in, but they had changed their website since I last visited (I think), and this is what I was presented with (pardon the masking, but trying to be helpful, not critical):

Now, bear in mind, this particular case was kind of urgent. So time was of the essence. I quickly looked at the screen and couldn’t quickly remember if I was considered a client or a member. Now, the bright blue color login is for members, but the bright blue section below it correlated to businesses trying to partner with them. That created some confusion so I chose the white login button for the client login portal.

Using my 1Password shortcut, I attempted to log in. No luck, bad username or password. My username is a little complex, so I tried a few more times for good measure. No joy. Well, the website had changed, maybe they force a password reset every so often, like after a design change, and maybe I missed the notice or it was dumped as spam. So I initiate a password reset, and get this screen.

Seems straightforward, so I input my username and email address. The system accepts my parameters and I get a reset link sent to my email address. I click on the link and get this:

That’s odd. Naturally, the security geek immediately starts wondering if I have a man-in-the-middle attack going on, so I attempt it again. Same result. Once more, no luck.

At this point, I just call the 800 number to request a call. After a wait of about 40 minutes (unusual, given my previous experience) I get an attendant and we navigate the process to get a doctor queued to call me.

Now, it may be blindingly obvious to some (clearly, not me) that I may have gone to the wrong portal. I never thought to go back and attempt to use the member portal instead. At the time, I didn’t even think there were two portals. After talking with the service operator, she initiated a manual password reset for me and naturally told me to go to THIS page:

A ha! I’m masking this page some, but the rest of the screen makes it quite clear this was enabled for customers of the service. Naturally, armed with my new password I was able to log in and update my password and security question. So I was off on the wrong branch of the site flow the whole time. A single, understandable, but ultimately incorrect choice resulted in almost an hour of wasted time. Besides the lessons learned for yours truly, I think there are a few for the vendor.

First, proper error handling is one of the first key tests for an effective user experience. If I’m using a valid member portal user ID on the client portal, maybe test the ID against the member portal and offer to redirect? That would have avoided this entirely.

Second, while I don’t know that their identity stores are unified or linked, I was able to initiate a reset of my member user ID’s password from the client portal. That’s bad. Had that failed, I might have at least suspected my ID was messed up and gone a different route. Again, checking that ID against the member portal may have saved a step here. Either way, accepting the member portal ID as valid and sending me a reset link to the client portal that kicked back with an expired token reinforced the idea that I was in the right place but something was broken. This ultimately ties into lesson one regarding error handling.
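One way to implement these first two lessons, as an added example that is not the vendor's code: a reset request made on either portal is resolved against both identity stores, the emailed link always points at the portal that owns the account, and the on-screen reply stays generic so the form cannot be used to probe which IDs exist. The store contents, URLs and function names are hypothetical.

```python
import hashlib
import secrets
import time

# Constructed sample data: two separate identity stores, one per portal.
# All accounts, URLs and names here are hypothetical.
STORES = {"member": {"jdoe_1975": "jdoe@example.com"},
          "client": {"acme_hr": "benefits@acme.example"}}
PORTAL_URL = {"member": "https://portal.example/member",
              "client": "https://portal.example/client"}
GENERIC = "If that account exists, we've emailed instructions to the address on file."
reset_tokens = {}   # sha256(token) -> (portal, username, expiry)
outbox = []         # (to_address, body); stands in for a mail gateway


def find_portal(username, email):
    """Return the portal whose store holds this username/email pair, else None."""
    for portal, users in STORES.items():
        if users.get(username, "").lower() == email.lower():
            return portal
    return None


def request_reset(entered_portal, username, email):
    """Handle a reset requested on entered_portal; the screen always shows GENERIC."""
    home = find_portal(username, email)
    if home is None:
        return GENERIC                       # unknown pair: nothing sent, same reply
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    reset_tokens[key] = (home, username, time.time() + 900)   # valid for 15 minutes
    body = f"Reset your password: {PORTAL_URL[home]}/reset?token={token}"
    if home != entered_portal:               # wrong front door: say so in the email
        body = (f"Your account is a {home} account, not a {entered_portal} account. "
                f"Sign in at {PORTAL_URL[home]}.\n" + body)
    outbox.append((email, body))
    return GENERIC


def redeem(portal, token):
    """Accept a token only on the portal it was issued for, once, before expiry."""
    key = hashlib.sha256(token.encode()).hexdigest()
    issued = reset_tokens.get(key)
    if issued is None or issued[0] != portal or issued[2] < time.time():
        return None
    del reset_tokens[key]
    return issued[1]
```

The redirect hint travels only in the email to the address on file, so the user who picked the wrong portal is steered to the right one without the web form confirming to anyone else that an ID exists.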

Next, reconsider the color choices on the main page. Perhaps align the member login color with the member solicitation screen? And perhaps align the client login with the client solicitation color. Consistent coloring can reinforce users’ choices when they are unsure.

Also, maybe reconsider the ‘client’ term vs. member? I realize the website eventually clarifies, but maybe consider the term ‘partner’? Member vs. Partner is a pretty clear distinction. I don’t think this is critical, but it could be useful. I know patient isn’t in vogue these days, but the patient portal likely would have landed me in the right spot.

Finally, some language on each portal page to assist the user if they selected the wrong portal might be beneficial. The client portal in particular is fairly sparse. They do a good job with the member portal (if I had actually clicked on it).

Now, in full disclosure, I now also have their mobile app installed, which has a significantly better user experience. If I were to guess, it is designed for members only. Therefore, the confusion I had with the dueling web portals couldn’t happen. It also has TouchID/FaceID integration so that’s even better. Aligning the UX of mobile with the web site would be a nice next step to get an even greater consistency for the customer. They should also market their mobile app on the web page.

So, in reality, 2-3 hopefully minor changes could improve this vendor’s client UX considerably. I was fortunate, and persistent, so this ended well. But, what if the user was put off by the wait time and the password reset problem and went to the ER or Urgent Care (this happened on a Sunday) instead? That was a huge difference in cost and opportunity cost for whoever was behind me in line.

While this dealt with a more serious type of service experience, businesses undergoing digital transformations should consider hiring people that can look at these flows (better than I do, as I am not a UX expert) and give them proper guidance. Even if your service is selling t-shirts or fidget spinners, helping your users navigate your service easily from an identity context can be the difference between a sale and a closed browser. Or better, you’ve created a repeat customer.

Deploying Identity Solutions – ‘Field of Dreams’ Doesn’t Work

(Note: this topic is background for a panel that I’m participating in on June 20th at the Cloud Identity Summit, in Chicago, Illinois. I wrote this in hopes of informing some of the context around the panel, though I’m sure it will be revisited in some respect during our session.)

Knock, Knock: Identity is here. Identity Who? Exactly.

Tuesday, June 20th, 4:20pm, Chicago Ballroom IX

The genesis for this panel took place during dinner following the Ping Identity conference in New York. Rob Davis from TIAA & I were talking about some of our challenges in deploying identity solutions, especially ones where customer, stakeholder, or developer engagement are required. In other words, pretty much everything except directory synchronization. Even governance solutions, like certification or privileged access management, that had the benefit of the ‘stick’ approach to service adoption, seemed to lag in engagement even when doing so wasn’t necessarily voluntary. You could lead the horse to water (you knew there would be a horse analogy, right?), but you couldn’t make them drink.

The simple reality was, this is no ‘Field of Dreams’. We built it, but they didn’t come to participate. Password recovery and management solutions are probably the easiest ones to point to as an example of this failure. Nearly every enterprise worth their salt has deployed a password management and recovery product and yet password recovery is perpetually listed as the number one reason users call the help desk!

Rob & I both agreed that this would be an excellent subject for a talk at CIS. So I commenced finding the right people that could both explain their own challenges in this space and hopefully offer up solutions that might help others, including myself, succeed in the future. Between Rob & me, we had both financial services and healthcare/life sciences covered, but I wanted diversity of perspective. Through some networking, I think we put together a really great breadth of knowledge and experience across many industries. In addition to yours truly, we also have:

Bernard Diwakar – Security & IAM Architect at Intuit

Frank Villavicencio – CPO, Security Management Services at ADP

Steve Hutchinson – Principal Identity Architect at GE

And finally, no panel is successful without an awesome moderator, so naturally I asked Ian Glazer of Salesforce, Kantara, & IDESG if he’d do the honors in spite of his incredible schedule at the conference. Some promise of bourbon may have been part of the exchange, but in the end I think we’ve got a killer lineup of identity pros that will share their wit, wisdom, and experience on this important subject.

But wait! Part of what will make this a successful session is great questions and shared experiences from the audience. So bring your own stories and let’s make this a conversation!

Unfortunately, the scheduling gods put Rob’s talk against the panel, so we had to go to the bullpen. See you in Chicago! If you can’t make it, follow the action using the #CloudIDSummit tag on Twitter.