Balance User Experience and Security to Retain Customers. Long-lived sessions improve UX while reducing password reset costs.
How long should a customer stay logged in to an application? The Open Web Application Security Project (OWASP) and the National Institute of Standards and Technology (NIST) state that it's safer for customers to sign in to your app for mere minutes. Limiting your customers to hold short sessions may leave them frustrated and unwilling to come back to use your application. A pillar of customer retention is to provide both a user-friendly and secure user experience. However, balancing those two user experience components is a real challenge for most businesses.
OWASP recommends application builders to implement short idle time outs (2-5 minutes) for applications that handle high-risk data, like financial information. It considers that longer idle time outs (15-30 minutes) are acceptable for low-risk applications.
On the other hand, NIST recommends that application builders make their users re-authenticate every 12 hours and terminate sessions after 30 minutes of inactivity. For intermittent re-authentication, that session termination time shrinks to 2 minutes.
These guidelines by OWASP and NIST provide an ideal foundation to implement session security in applications. However, before you choose to extend your application's session length, it's also ideal for your team and your internal stakeholders to discuss how such a decision can impact your application's user experience.
Ultimately, balancing security and user experience is key to achieve customer retention. A tedious authentication process can exhaust your customers and discourage them from using your application. A seamless, perhaps even invisible, authentication process can instead encourage your users to spend more time with your application securely.
Auth0 offers you a feature called long-lived sessions to offset the cost of implementing a secure user experience around authentication.
One of the conveniences of email services like Gmail is that you can check your email sporadically without having to face repetitive login prompts. Imagine how tedious it would be if you had to log in every time that you go idle for more than two minutes.
For media companies, like Alma Media, customers may visit their site infrequently. Registered users often visit media sites every two weeks to consume content. Returning users who face the hassle of signing back in may opt to stop visiting the site. For a media company, losing its audience means losing ad revenue, since clicks generate payments on ads. If the revenue strategy also involves targeted advertising, media companies require a security strategy that favors maximum engagement with minimal friction.
If a company offers an essential service, its users may not have the option to leave the site. However, they may still become vocal about their dissatisfaction with the user experience on social media or review channels.
For example, a utility company may have monthly or quarterly billing cycles where end-users access its application to pay their bills. Other companies like Autotrader have customers with usage patterns that vary widely based on purchase and maintenance cycles. For any application with long periods between end-user engagement, users understandably forget their passwords.
Bypassing Server-Side Rendering Altogether For a Better Web User ... After several experiences and some changes to our workflow, we found ...
During our [open beta of Real User Monitoring (RUM) for mobile](https://raygun.com/blog/real-user-monitoring-for-mobile/), we’ve received great feedback and suggestions that allowed us to refine and enhance Real User Monitoring for mobile. The...
Learn how you can use Datadog Mobile RUM to detect errors and crashes, improve performance, and understand your users' interactions.
Why User Experience Matters for a business and its marketing is because they need to gain user traction, converting them to customers thereafter to retain these customers for staying profitable.
Over Christmas I ordered most of our gifts from Amazon. I have Amazon Prime and it is a wonderful user experience because I rarely need to worry about shipping