Hackpads are smart collaborative documents. Join Hackpad Now.

Joe Lanman

24 days ago
Unfiled. Edited by Joe Lanman 24 days ago
Caroline J
  • Task list (understand the task before you start)
19 days ago
Unfiled. Edited by Joe Lanman 19 days ago
Joe L
  • this makes email address a requirement. What do we do with people who don't have them? Or share an account. I would recommend they open one and provide links to Gmail, Outlook. I think the complexity of supporting alternative models is too great and could impact too much on the large majority.
650 days ago
Unfiled. Edited by Caroline Jarrett , Joe Lanman 650 days ago
Decide on a policy for usernames
Usernames must be unique and easy for users to recall. 
You can:
  1. ask people to use an email address as a username 
  1. let them create their own username 
  1. create a username for them
Caroline J
  1. suggest a username based on some other attribute
  1. use some combination of the previous options.
Email addresses as usernames
We prefer to have email address as an option for username because of all these advantages:
If you choose to offer email address as an option for username, then read about asking for an email address 
Email addresses have some disadvantages:
  • people change their email addresses, and may not recall that they used an old email address with your service
  • you can't use them publicly, for example Twitter usernames are used in profile URLs, and to @ mention people
If you have thoroughly researched the users of  your service and discovered that they all have email addresses, for example because they are all specialist users who use the service only for work, then you may not need to offer any other option. 
User generated usernames
Caroline J
  • Joe Lanman I've done all the editing that I'm planning to do on this page... comments welcome
You can ask your users to create their own username. This option is  most useful when: 
  • people prefer not to use their email address or don't have one
  • the username will be part of their online identity, for example where the service has some social element
In research for GOV.UK Verify, we often observe people trying to use their full names (with spaces) as usernames. 
If you’re letting users create their own usernames, 
  • make sure they know what they can or can’t do (use spaces for example). 
  • provide support for people whose preferred choice has already been taken.
Service-generated usernames
One  solution to the problem of users generating unsatisfactory usernames is to have the service create a username for them. This might be:
Joe L
  • what do you mean by 'unsatisfactory'? How about "the problem of a username being already taken"?
Caroline J
  • a reference number or similar that is related to a particular transaction
  • based on their name or some other data that is entered by the user.
A service-generated username has the obvious problem that it has been made by a computer, not by the user. It is unlikely to be memorable. It may be acceptable for one-off use, but is unlikely to work well for use of the service on repeated occasions. 
If you decide on this option, then you must ensure that you have excellent support for people who’ve forgotten their username.
Decide how to help people who’ve forgotten their username
Some people will forget their username, particularly people who:
  • use your service infrequently
  • use many different services or
  • have low digital skills. 
Consider these recovery methods:
  • asking users to provide one or more security questions when they set up the account, then answer them to retrieve the account
  • send an account recovery code to a phone associated with the account
  • send an account recovery link to the email associated with the account
Decide whether to allow people to change their username
Some people will wish to change their username. Examples:
  • it is an email address that is no longer available for them
  • it reflects a name that they no longer use
See also:
Young people... 
Brian Hodgson can you add any evidence to the above?
People with unstable lifestyles / poor people ...
  • if people are homeless or in and out of work etc then they may not have, or may not recall, email addresses. 
  • if  money is short then several people in a household may all share access to the internet and hence share an email address. 
Old people...
  • are more likely to have low digital skills
  • are less likely to have access to a computer
  • may not have an email address, may share an email address with other members of the household, or may have an email address but not know what it is or how to use it. 
Also:  even amongst those of us who use email regularly, we may not recall  which email address we used for a service or remember all of our email  addresses. Example: I had to look up a business email address that I use  rarely, but had to resurrect this week because my primary email account  suddenly took against someone and I didn't want to use my personal or  government email for that particular discussion. 
  • Examples from elsewhere
  • TV licensing avoids the requirement for username by allowing users to access their license details using
  • TV Licence holder's last name
  • TV Licence or Customer number
  • Postcode of the licensed property
Caroline J
  • AirBnB.com   offers sign up with Facebook, Google, or email address/password. For a   few years, they allowed members to see each other's email addresses -   then they realised that this revealed part of the access credentials.   They now encourage members to use their internal messaging system to   avoid revealing emails
  • Skype   asks users to create a 'Skype name'. They discovered that some   infrequent users created a new Skype name each time they wanted to use   the service
  • Twitter offers users a selection of available usernames based on the user's name and email address. 
Tim P
  • References
657 days ago
Unfiled. Edited by Tim Paul , Joe Lanman 657 days ago
Before using implementing an email confirmation loop, you should first try other forms of validation.
Ed H
  • I see it that they've shown they have access. They could be using a partner's address, or a friend's address.
Tim P
  • Or they could have had their account hacked
  • Log them in, but take them to a page explaining they need to confirm their address - no other page should be accessible
  • Show the address the email was sent to
  • Provide a way of resending the confirmation email.
  • When a user clicks on the email confirmation link
Some commercial services start users in a non-blocking loop initially, gradually transitioning to a blocking loop.
  • What's the rationale with time-dependant verification loops? Eg where you have to click the link within a certain amount of time or your account is deleted? I guess it's a way of avoiding lots of dormant accounts that might have been set up by bots?
Joe L
  • using sign ins such as google or facebook will mean that the email attached to the account is verified. However these third party sign ins don't test well for government services (not serious enough)
565 days ago
Unfiled. Edited by Joe Lanman 565 days ago
Joe L
  • Peter Noble wouldn't 'qualifications in circus arts' be the most descriptive text for the link? But yeah, I think in the case of linking to both organisations, the bolded text looks fine. A possible alternative:
Organisations that run part-time and full-time courses in circus arts:
24 days ago
Unfiled. Edited by Joe Lanman 24 days ago
Use this page to discuss that guidance.
Joe L Passwordless accounts
While it's right to avoid accounts unless absolutely necessary, government also needs to keep any sensitive information safe and only show it the right people (normally just the user involved and people processing that data). Currently we advise all services to create a new account system in this case, which is bad for the user as they will need to remember many usernames/passwords. In my mind there are two options:
  1. We recommend passwordless accounts based on users existing email accounts
  1. GOV.UK Verify provides a 'basic' account
Currently, GOV.UK Verify asks for proof of a persons identity - this is rightly an in-depth process. However not all services need this, and it's against guidelines to ask for data that's not actually necessary for a service. So a good alternative for now might be to use 'passwordless' accounts that send a time-limited token to a user's email address, as used by services including Slack and Medium. We would need to check this is compatible with government security policy.
In the future, GOV.UK Verify might offer a more minimal 'basic' account that would be suitable for this purpose.
Use this section to show and discuss research on how to improve this pattern
David S
  • It would be good to add something around third-party services, i.e. "login with twitter/google/facebook." I assume these would not be an option because of information leakage (telling facebook that bob@foo.com was interacting with XXX government service), but I think guidance to that effect would be useful.

Contact Support

Please check out our How-to Guide and FAQ first to see if your question is already answered! :)

If you have a feature request, please add it to this pad. Thanks!

Log in / Sign up