My Meteor startup connects patients to nurses. Patients come to the site and they have to create an account and verify their email address, and only then can they send a message to a nurse.
I’m starting to get Google ads to work, and now I get phone calls from people who want to talk to a nurse right away. Sometimes the website signup procedure is too arduous for them and they leave. I’m trying to find a fast way to get them started.
What if I text them a temporary password that they can change later. And they can go to a special Quickstart page where they can enter their email address and the temporary password and then get straight to messaging a nurse. They won’t be asked to verify their email address until a later date. Maybe the temporary password expires in 60 minutes.
Does that seem dicey from a security point of view? Or, from a UX point of view? Are there better ways to do this? Thanks very much in advance for any thoughts and advice!
Why not use something like accounts-passwordless | Meteor API Docs?
Alternatively, or in addition, use as many OAuth services as are supported (Facebook, Gmail, etc.), with a possibility for users to link their accounts in case they log in with different services at different times, and you should cover a good chunk of the market.
Congrats on getting busy! It’s a good problem to have.
Verifying an email address is a bad experience because you are forcing the user to leave your app, open another app and look for your email, which might not land in the inbox (“I am already here, why are you asking me to leave?”). One solution that we implemented to minimize the steps required from the user is “sniper links” (search Google about it). Nevertheless, we delay email verification as much as possible.
Google and Facebook OAuth are considered frictionless, as the users only have to keep clicking until they are back in your app, logged in. Most users are logged in to their Google or Facebook accounts. The bad experience happens if the users are not.
If most of your users will access your app through their mobile phones, an SMS OTP is a good balance between security and usability. You can use WebOTP to allow the user not to leave your app. Or, at the very least, Android and iOS keyboards can read the OTPs from SMS and offer them as input suggestions. One big challenge is delayed SMS. We handled this using a shortened link included in the SMS so the users can still use the OTP even if they left the page/app.
Thanks very much for this advice. Do you tie SMS OTP and/or sniper links into Meteor Accounts?
I’m studying the approaches mentioned so far.
If I use accounts-passwordless, and text the link to the user’s cell phone, is that comparable to SMS OTP and/or sniper links?
Yes, using the Accounts api.
Yes. A magic/one-time link is helpful for a frictionless first login. The usability drops on subsequent logins, so depending on your security requirements, the user should ideally establish an account before the first login session ends.