Put The Login on the Front Page
What’s more important? Attracting new customers or keeping the ones you’ve got? Almost any sales text will tell you that it is far, far easier to keep an existing customer than it is to recruit a new one. In fact the cost of attracting a new customer can be measured. The exact cost varies depending on what it is you’re selling and what industry you’re in, but you usually don’t even make your money back until the third or fourth sale, especially on relatively low-priced consumer goods.
Given this simple fact of business, you’d think that online businesses would do everything they could to make life easy for their existing customers, especially when they can do so at almost zero cost. You might think that, but sadly you’d be wrong. I remain amazed at sites that manage to recruit customers and retain them for multiple transactions but still can’t do one simple thing to make these customers’ lives easier:
Put the login on the home page.
Two commerce sites I use on a weekly or even more frequent basis are Blockbuster and FreshDirect. These sites depend on repeat business. FreshDirect even offers to pay new customers $50 up front. Clearly it’s only the repeat customers from whom these sites have any hope of making money. So why is it that their home pages are geared exclusively to new customers? To actually log in and shop (or rent) I have to follow a link, type in my username and password, and press a button. Why? Why put this extra page in my way? All they have to do is put the user name and password box somewhere obvious on the home page like the upper right hand corner. Save me the click.
FreshDirect has tons of space. Its home page is almost Google-like in its sparseness. Blockbuster’s home page is a little more cramped, but they could easily lose a few hundred square pixels of pointless graphics to add a simple login form.
Some sites do get this right. java.net puts a login box on the home page, and almost every other page, even though they aren’t selling anything; and you don’t have to be logged into the site to use a lot of it. Freshmeat and Slashdot also have their login prominently displayed on the home page. Amazon surprisingly doesn’t. This is one of very few things they do wrong.
But overall, it still seems too uncommon for home pages to include the login button, even on the sites that legitimately require logins to use them to their full extent. Come on folks. Can’t you give your loyal customers a break? For just a few minutes stop thinking about what your site looks like to potential customers, and spend a little time thinking about what it looks like to your existing customers. Focus on making our lives a little easier for a change.
May 9th, 2006 at 8:11 am
There is a problem though — security.
If you serve a login box over plain HTTP and post the data to HTTPS (as java.net in fact does), a man-in-the-middle attacker can simply redirect the HTML form and intercept your password; this is not much more difficult than intercepting a password sent back over plain HTTP. How many end-users are so vigilant as to check the action string of every form they post?
In other words: you can’t send a login form over plain HTTP.
There are three alternatives at this point:
1) simply forget it and log in over plain HTTP
2) serve the entire homepage over HTTPS
3) serve a secure login form in an iframe
Option 1 is very bad form for a company that has your credit card number. I wouldn’t want to do business over such a site, and I don’t think you would either.
Option 2 is a scalability disaster.
Option 3 puts an (unacceptable) hit on accessibility.
As inconvenient as an extra page may be, it is a necessity (but of course no guarantee) for a secure login procedure that does not involve sending the entire homepage over HTTPS.
May 11th, 2006 at 11:14 am
Fact o’ the Day: Number of “Man in the Middle” attacks on large, known companies: Zero.
May 13th, 2006 at 8:37 am
As far as I can tell, that’s entirely true at this time. (discounting various govt. agencies in all parts of the world)
If you pointed out that trojans and spyware are a much larger threat to one’s credit card than any man-in-the-middle attacker, I’d have been the first one to agree.
That doesn’t change anything about the flawed principle I pointed out. Every weakness is exploited at some point.
May 10th, 2011 at 1:56 pm
Barend – I know this is ancient and you are unlikely to still be following this, but your argument does not make much sense. The only way to do what you are saying would be to change the HTML on the home page to have the form point at a different target. The type of attack you make reference to is not something that can do this.