Website Forms Usability: Top 10 Recommendations. The number one suggestion is:
“Keep it short. … Eliminating unnecessary fields requires more time [to decide what data is worth asking for], but the reduced user effort and increased completion rates make it worthwhile. Remove fields which collect information that can be (a) derived in some other way, (b) collected more conveniently at a later date, or (c) simply omitted.”
Carefully consider the information you are asking for. The fewer fields the better. While admittedly in a different context, Imagescape more than doubled a contact form conversion rate by decreasing the number of fields from 11 to 4. There may be data needed only for certain features of your application; ask for it when that feature is first accessed, rather than at signup.
Make sure your form is mobile friendly; test at various screen sizes. The tediousness of data entry on a mobile device and the prevalence of their usage are another reason to have as few signup form fields as possible.
If a form field is optional, clearly mark it so. Even better, don’t ask for optional data on the initial user registration. Request that information later, when the user is more engaged and has discovered the value of your offering.
Provide clear error messages when data fails to validate. Use both client side validation, which is faster, and server side validation, which is tamper proof. On the topic of tampering, ensure any form is submitted over TLS. You want to keep submitted information confidential and secure.
Make use of the full suite of HTML elements. Dropdowns and radio buttons are powerful, but number and email input fields leverage browsers’ built-in validation and should be used as well. If you aren’t sure what’s supported, use tools like Caniuse to verify compatibility.
But registration forms aren’t just another form. They are the gateway to your full application or site.
What causes angst when a user is signing up? This 2012 paper (PDF) examined registration for government services. It defined sign up friction as “the imbalance between the business process (user goals) and [required] security behaviour” around signing up. This study found friction was best explained by the following attributes of a signup process:
Obviously you can’t control the last aspect, but minimize the number of new credentials, delays and interruptions in your registration process.
Most registration forms ask for a username and password. Make it clear what are valid values. If a username is an email address, allow all valid email addresses, including aliases.
Avoid complicated password validation rules. Allow users to use a password manager. NIST recommends a focus on avoiding passwords known to be insecure.
“[A]nalyses of breached password databases reveal that the benefit of [password complexity] rules is not nearly as significant as initially thought, although the impact on usability and memorability is severe.” - Appendix A—Strength of Memorized Secrets, NIST Special Publication 800-63B
Obtain proper user consent. What this is depends on your plans for the requested information and what regulatory regime applies. Different levels of informed consent may be required. For example, if you are in the USA and are dealing with a child’s personal information, you’ll want to make sure you get parental consent because of COPPA.
Ensure new users enter sensitive data correctly. If there are any critical fields, such as a government Id, provide a confirmation field asking for the data to be re-entered to ensure the data is typed correctly. This is an exception to the rule of asking for less data. If the stakes of incorrect data entry are high, the additional work is worth the inconvenience.
If you need more than a few pieces of information on registration, consider splitting the sign up form into steps and using a registration stepper, also known as a multi-step form or a wizard. A stepper is a user interface element which shows how many steps are required to complete an action:
“Steppers display progress through a sequence by breaking it up into multiple logical and numbered steps.” - Google’s material design reference”.
Splitting up a registration form allows you to ask for more data, but avoid imposing a high initial cognitive cost on a potential user. It also allows you to track registration progress. Rather than a registration being an all or nothing proposition, you can see where people fall out of the registration funnel: is it because of step two or step three? It also may increase the conversion rate: Instapage saw an 18% increase in conversion rate when they split their registration form into multiple steps.
When creating the pages, group fields logically, as per the Nielsen Norman Group recommendations which suggest grouping “related labels and fields.” Separate pages allow you to provide a contextual explanation of how providing the data will be useful to the visitor at each step. If you can’t come up with a reasonable one, consider removing the fields.
Ask for as little as possible on the first registration step. Once they take that first step, they’ll be more committed to finishing, thanks to our love of consistency.
Ensure you are clear about the number of steps the registration process will take. Doing so lets the user assess the effort involved.
Splitting a form up into multiple steps requires maintaining state across submissions. If you are using a framework, investigate helper libraries, such as wicked for Ruby on Rails or lavavel-wizard for Laravel.
If you are rolling your own solution, you can maintain state in hidden form parameters or in the user’s session. Either way, you’ll want to serialize entered and validated data and store it. Then, when the form is ready to submit, you can deserialize this value and process the entire form, typically saving it to a datastore.
Another option is to save registration data in the datastore and progressively add to the user’s profile as they work through the steps. This approach has downsides, however. Either any required fields must be submitted on the first step, limiting flexibility, or you’ll have to have a staging registration table, where partial registrations are stored until completed.
Typically an application collects sensitive information in a registration form. Passwords are the canonical example, but other types of data may need to be treated carefully, such as a social security number or other government identifier.
When collecting sensitive data, keep it secure throughout the multi-page process. You have a couple of options:
localStorage
.Each of these options has tradeoffs. If you wait to ask for any sensitive information until the last step, you are limiting the flexibility of your form design. If more than one piece of sensitive data is needed, you’re forced to put all of them on the last page.
Keeping the value in the session means increasing the size of your user sessions. You will also be forced to use sticky sessions, hindering the scalability of your application.
Storing the data in localStorage
is risky, due to malicious code running in the browser. If you encrypt it, make sure the encryption happens on the server, otherwise the same code may be able to decrypt the data.
Encrypting the data and storing it in a hidden form field means additional processing. If you choose this, use a symmetric key stored only on the server side. Since you’ll be decrypting the form field in the security of your server environment, the browser shouldn’t need to read the data after the step on which it is submitted.