It's pretty common to get emails with links like the following:
- Your package shipped, click to track
- So and so sent you a friend request, click to accept
- Your order is complete, click to view
I'm usually annoyed when I click the link and have to log in, especially on mobile devices.
Frustration: the information usually isn't that sensitive.
It's beyond me why LinkedIn requires me to login to accept a connection.
Frustration: the sensitive information is already in the email.
Amazon, the tracking number is in the email, so why do I have to log in to view the tracking information via Amazon's system? This is probably a problem in just about every system that sends tracking information.
If you inline the details of my order in the email, why require me to log in to get the fancy PDF?
Frustration: I (or anyone) can reset my password through the same mechanism the link was sent by.
If someone compromised my email, they can reset my password. Some could argue I'd know my password was reset, but that might not matter if the information is that important.
Frustration: I only have to log in on a mobile device.
If I don't have to log in on a desktop, make sure the same is true on mobile.
Frustration: your "mobile friendly" redirect pooched the link.
Make sure redirects to a "mobile friendly" version of the site don't pooch my ability to follow through on a mobile device (LinkedIn...)
Recommendation: One-time passwords
Many of these links include a random identifier and are prefixed with https, not http. I like to think of these as one-time passwords to access my account. If it makes you feel more secure, only allow access to the part of the account pertinent to the link.
Consider expiring links once the action is executed (accepting a friend request).
Consider expiring links after a time period if the information is sensitive (bank statements).
Why the fuss?
Because these emails are clogging the inboxes of the world, waiting for us to get back to them, like we don't have enough of those already :). I'm of the mentality "Do it or Defer it". The easier it is to Do, the more likely I'll Do it instead of going to the trouble to Defer it.
- "But after you add a friend, the system may want you to write on their wall or do some other thing?"
- No problem: the link is basically a one-time password to access my account, so have the link open the site to do that.
- Or, prompt me the next time I login to the site.
- "What about bank accounts"
- Banks usually require more than email to reset a password, so I'd suggest either an expiring link or logging in. I'm usually not too annoyed by authenticating when accessing my bank account.
- "What if someone else gets the link"
- How did that happen? Probably a bigger problem than accepting my friend requests.
- If the link is over https and someone can man-in-the-middle that, they can man-in-the-middle your username and password too.
- No one is shoulder surfing a GUID.
- Others? Please send them, I'd love to consider how I may be blatantly missing something of importance about this topic :)
- "What about services that follow links to make sure they aren't viruses?" (Ryan Ohs)
- Good point. In these cases, if the link is an action, I'd recommend having an "Accept" step (friend requests) or some sort of "Are you sure?" prompt. Probably a good idea in the event someone accidentally opens the link too.
- And of course only expire the link after the action is executed
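As an added example (not code from the original post), here is one way a site could implement the links recommended above: a random token bound to a single user and a single action, stored only as a hash, checked on GET without being consumed so that link-scanning services and accidental clicks only reach the "Are you sure?" page, and burned on POST when the action actually runs. The in-memory store, the function names and the scope strings are assumptions for the example.

```python
import hashlib
import secrets
import time

# Constructed in-memory stand-in for a database table of issued links,
# keyed by SHA-256 of the token so a dumped table contains no usable link.
_links = {}

def issue_link(user_id, scope, ttl_seconds=None, now=None):
    """Mint a random token bound to one user and one action (the scope).
    ttl_seconds=None: link dies only when used; statements get a short TTL."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 random bits, URL-safe
    _links[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": user_id,
        "scope": scope,  # e.g. "accept-connection:42", not the whole account
        "expires": None if ttl_seconds is None else now + ttl_seconds,
        "used": False,
    }
    return token

def _lookup(token, scope, now=None):
    """Validity check shared by peek and redeem: exists, unused, unexpired,
    and issued for exactly this action. Returns the record or None."""
    now = time.time() if now is None else now
    rec = _links.get(hashlib.sha256(token.encode()).hexdigest())
    if rec is None or rec["used"]:
        return None
    if rec["expires"] is not None and now > rec["expires"]:
        return None
    if rec["scope"] != scope:
        return None
    return rec

def peek_link(token, scope, now=None):
    """GET handler: render the 'Are you sure?' page without consuming the
    token, so a mail scanner that follows the link changes nothing."""
    rec = _lookup(token, scope, now)
    return None if rec is None else rec["user"]

def redeem_link(token, scope, now=None):
    """POST handler: perform the action and burn the token, so the link
    expires exactly once the action is executed."""
    rec = _lookup(token, scope, now)
    if rec is None:
        return None
    rec["used"] = True
    return rec["user"]
```

A real deployment would keep the table in the database, serve the link only over https, and wire `peek_link` to the GET route and `redeem_link` to the POST route of the confirmation form.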
Seriously consider sending links that don't require logging in when it makes sense; it'll make everyone's life easier.