While advanced authentication methods such as biometric login are increasing in popularity, the adoption rate hovers around a mere 10%, according to the same study.
29% of Americans answered “too many to count” when asked how many password-protected accounts they have.
But as ubiquitous as they are, password implementations often go wrong, creating poor user experiences while weakening the protections around the data within. It’s important to get passwords right when developing your customer application—or you risk a huge toll on both security and customer experience.
Guidelines for a Great User Experience
Password Policies
For security purposes, you may be tempted to impose password conditions such as a complicated mix of special characters, length limitations and password changes every 8 weeks, but your customer is liable to end up at best annoyed and at worst frustrated to the point of abandoning your app entirely. And the thing is, many of these conditions don’t make the passwords any more secure!
Instead, we at Ping Identity recommend that your password policies follow the latest NIST guidelines for passwords, or what the organization dubs “memorized secret verifiers.” These include forgoing complex composition rules (e.g., requiring characters from certain categories) and periodic password changes, and instead setting policies that encourage more user-friendly passwords. For example, allow passphrases, which tend to be longer and thus harder to guess or crack, but are easier to remember. Enable copy-paste when entering a password, so people can use password managers more easily. And if a user does try to create a password that doesn’t follow your policies, or enters an incorrect password when attempting to log in to your app, make sure any error messages they receive are accurate and easily understandable.
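To make the NIST-style policy concrete, here is an added example validator (not code from Ping Identity or from the original post). It enforces a minimum length and a generous maximum, accepts spaces and Unicode so passphrases work, applies NFKC normalization, rejects passwords found on a blocklist and passwords containing the user's own account details, and returns plain-language messages instead of a bare "invalid password". It deliberately has no character-category quotas and no expiry logic. The blocklist is a small constructed stand-in for a real breached-password corpus.

```python
import unicodedata

# Constructed blocklist standing in for a breached/common-password corpus
# (a real deployment would load a large list such as a Have I Been Pwned export).
BLOCKLIST = {
    "password", "123456", "12345678", "qwerty", "letmein", "welcome1", "iloveyou",
}

MIN_LENGTH = 8    # NIST SP 800-63B minimum for user-chosen secrets
MAX_LENGTH = 128  # 800-63B asks verifiers to accept at least 64 characters


def normalize(password: str) -> str:
    """NFKC-normalize so the same passphrase compares equal across keyboards
    (800-63B recommends normalizing before hashing). Spaces and Unicode are kept."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, user_context: tuple = ()) -> list:
    """Return human-readable problems; an empty list means the password is accepted.

    Deliberately absent: composition quotas (uppercase/digit/symbol) and expiry
    rules, in line with the NIST guidance summarized in the text.
    user_context holds strings such as the username or the e-mail address.
    """
    pw = normalize(password)
    problems = []

    if len(pw) < MIN_LENGTH:
        problems.append(f"Use at least {MIN_LENGTH} characters; a few unrelated words make a good passphrase.")
    if len(pw) > MAX_LENGTH:
        problems.append(f"Use at most {MAX_LENGTH} characters.")
    if len(set(pw)) == 1:
        problems.append("Avoid repeating a single character.")

    lowered = pw.lower()
    if lowered in BLOCKLIST:
        problems.append("That password appears in lists of commonly used or breached passwords; choose a different one.")
    for item in user_context:
        item = normalize(item).lower()
        if len(item) >= 3 and item in lowered:
            problems.append(f'Don\'t include your account details ("{item}") in your password.')
            break
    return problems


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Password", "short"):
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```

The messages are what the user sees, so each one says what to do next rather than just what went wrong. Because every check is a plain predicate, a password manager's generated string, a four-word passphrase, and a sentence with accented characters all pass equally.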
Furthermore, to ensure as smooth a user experience as possible, you may wish to apply varying authentication requirements across applications. For example, you may want a simple sign-on process for less risky applications and to step up users via multi-factor authentication (MFA) for higher-risk applications. PingOne for Customers handles this by allowing you to orchestrate authentication policies that you can completely manage via REST API calls, enabling you to evaluate policies on an app-by-app basis and determine specific sign-on actions for each.
Password Resets
Another potential cause of enormous customer frustration has to do with lost passwords. You know that stat we mentioned earlier about users having too many passwords to count? The same could be said about users having too many passwords to remember. Inevitably your customers will need to recover forgotten passwords—especially in today’s world, where users commonly switch between devices when accessing applications.
To ensure you get the password reset experience right, you’ll need to craft a user-friendly one that puts control in the hands of your customer. By embedding APIs into your application that enable self-service, users can easily recover accounts with password reset flows. These critical self-service capabilities aren’t just easy to securely embed into your application—they’re easy for customers to use.
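The self-service reset flow described above has to be convenient without becoming an account-takeover path. The following added example (not code from Ping Identity or PingOne; a generic illustration) shows the server-side logic such an API wraps: a random one-time token is issued, only its hash is stored, it expires after a short window, a fresh request supersedes the old token, the response does not reveal whether an e-mail address is registered, and the new password is stored as a salted scrypt hash. The in-memory `accounts` dictionary and the injectable `clock` are assumptions made so the example runs stand-alone.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60   # short-lived: a reset link should not work hours later


def hash_password(password: str) -> str:
    """Salted scrypt hash, stored as 'scrypt$<salt hex>$<hash hex>'."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


class PasswordResetService:
    """Self-service reset: issue a one-time token, deliver it out of band,
    accept it once before expiry. Only the token's hash is stored, so a leaked
    table of pending resets cannot be replayed."""

    def __init__(self, accounts: Dict[str, Dict[str, str]], clock: Callable[[], float] = time.time):
        self.accounts = accounts            # email -> {"password_hash": ...} (constructed store)
        self.clock = clock                  # injectable so expiry can be tested
        self._pending: Dict[str, Tuple[str, float]] = {}   # sha256(token) -> (email, expires_at)

    @staticmethod
    def _token_hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email: str) -> Optional[str]:
        """Return the raw token to send to the account's verified contact channel,
        or None for an unknown e-mail. Callers must show the same neutral message
        either way ("If that address is registered, a reset link is on its way")
        so the endpoint does not reveal which addresses have accounts."""
        if email not in self.accounts:
            return None
        # A new request supersedes any earlier token for the same account.
        self._pending = {h: v for h, v in self._pending.items() if v[0] != email}
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
        self._pending[self._token_hash(token)] = (email, self.clock() + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Consume the token and set the new password. Returns False for an
        unknown, expired or already-used token. Policy checks on new_password
        (length, blocklist) belong in front of this call and are omitted here."""
        entry = self._pending.pop(self._token_hash(token), None)   # single use
        if entry is None:
            return False
        email, expires_at = entry
        if self.clock() > expires_at:
            return False
        self.accounts[email]["password_hash"] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = {"alice@example.com": {"password_hash": hash_password("old passphrase")}}
    svc = PasswordResetService(store)
    tok = svc.request_reset("alice@example.com")   # would be e-mailed, never displayed
    print("reset accepted:", svc.complete_reset(tok, "correct horse battery staple"))
    print("replay accepted:", svc.complete_reset(tok, "again"))
```

Two details carry most of the security weight: the token is consumed by `pop` before any other check, so it can never be used twice, and the lookup key is a hash, so reading the pending table gives an attacker nothing usable.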
Password Management & Encryption
To create the best user experiences, it’s important that you, the developer, are able to take full control of password administration within your application. You don’t want to have to compromise your design to fit the limits of your password system. Good password management means you have the ability to easily:
set and update user passwords
check if user passwords are expired
validate user passwords against policies
unlock a user’s password
view the number of password-attempt failures remaining before an account is locked
delegate administration to control access to sensitive user data like passwords
PingOne for Customers allows you to do all this via REST APIs, making API calls for a variety of password-related functions. The following code snippet shows how this works. To get information about a user’s password, simply substitute your environmentID and userID variables into this REST API call:
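As an added example (not code from Ping Identity or from the original post), here is a small Python client for the read-password call described above, with `<environmentID>`, `<userID>` and the access token left as placeholders. The API host, the path shape `/environments/{environmentID}/users/{userID}/password` and the `status` values interpreted by `summarize_password_state` are assumptions about the response, not taken from the page; check them against the PingOne API documentation for your region before relying on them. The HTTP opener is injectable so the parsing logic can be exercised against a constructed response without network access.

```python
import json
import urllib.request
from typing import Callable, Dict

# Placeholders: replace with values from your own PingOne environment.
ENVIRONMENT_ID = "<environmentID>"
USER_ID = "<userID>"
ACCESS_TOKEN = "<worker application access token>"

# Assumption: the API host for your environment's region; the path shape
# /environments/{environmentID}/users/{userID}/password is likewise assumed.
API_BASE = "https://api.pingone.com/v1"


def build_read_password_request(environment_id: str, user_id: str, access_token: str) -> urllib.request.Request:
    """Build the authenticated GET for a user's password state. The token must
    never appear in the URL (and therefore in proxy or server logs); it travels
    only in the Authorization header."""
    url = f"{API_BASE}/environments/{environment_id}/users/{user_id}/password"
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", f"Bearer {access_token}")
    req.add_header("Accept", "application/json")
    return req


def read_password_state(environment_id: str, user_id: str, access_token: str,
                        opener: Callable = urllib.request.urlopen) -> Dict:
    """Perform the call and decode the JSON body. `opener` is injectable so the
    function can be exercised without network access."""
    req = build_read_password_request(environment_id, user_id, access_token)
    with opener(req, timeout=10) as resp:
        return json.load(resp)


# Assumed response shape: a 'status' string such as OK, PASSWORD_EXPIRED,
# MUST_CHANGE_PASSWORD or PASSWORD_LOCKED_OUT, plus a 'lastChangedAt' timestamp.
def summarize_password_state(state: Dict) -> Dict[str, object]:
    """Reduce the raw response to the flags an application usually acts on."""
    status = state.get("status", "UNKNOWN")
    return {
        "status": status,
        "expired": status == "PASSWORD_EXPIRED",
        "locked": status == "PASSWORD_LOCKED_OUT",
        "must_change": status in ("MUST_CHANGE_PASSWORD", "PASSWORD_EXPIRED"),
        "last_changed_at": state.get("lastChangedAt"),
    }


if __name__ == "__main__":
    # Live call; requires real IDs and a valid worker-application token.
    state = read_password_state(ENVIRONMENT_ID, USER_ID, ACCESS_TOKEN)
    print(summarize_password_state(state))
```

Keeping the request builder separate from the network call means the URL, method and headers can be unit-tested and reviewed (for instance, to confirm the bearer token never leaks into the URL) without ever contacting the API.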
In addition, PingOne for Customers takes care of identity security—for example, it ensures that passwords are encrypted—so that you can focus your energies on your core competencies and get back to what you enjoy doing as a developer.
Try Out the Password Capabilities of PingOne for Customers
When building your own application, you shouldn’t have to build identity services as well. To see for yourself how PingOne for Customers handles your password requirements while creating a smooth and secure customer experience, download a free trial.