My mom asked me to help her register with the College of Nurses of Ontario, it was a pretty clean website, and looked like a decent user experience, so I figured why not. Well, after struggling through their website, I decided to whip off a letter to them to expresss my displeasure in the usability of some key areas of their site.
This is that letter.
My mom asked me to help her out registering online, and upon first glance at your site, I figured, “Sure, this should be easy”, what happened next was an experience I’d call less than satisfactory.
First off, your design is very nice, it’s clean and uncluttered, and an obvious attention to detail has been paid in making the site look pretty. Kudos on that. Overall usability is pretty decent, but you stumble during the registration process.
You do a number of security things that baffle me, and then totally FLUB a major security gaffe at the end.
So we’ve got a process that starts off with me entering an activation code, but I don’t know if I’m entering it right…because the field is a password field – or something that I’m typing in off a piece of paper…which was mailed to me via old fashioned snail mail. You can’t seriously be concerned that someone’s looking over my shoulder at what I’m typing in when I’m reading it off a piece of paper can you?
This is silly and unneeded.
The username can’t have a last name in it? Why? That seems silly. Your best bet for user names would be using the registration ID as a primary key, and let them put WHATEVER they want in there. Doggiesox123 or briangarside are both appropriate usernames.
When we get to the security questions screen, I appreciated the last 3 digits of the SIN being password protected (although personally I don’t think you needed that), but my security question, mother’s maiden last name? Did not need to be security protected.
Also, if you’re using this as password reset, this is a bad practice as it’s becoming easier to find maiden names online. I can find many people’s by using a family tree website like Geni, and if I can do it, bad guys can do it too.
The final part is the credit card input. I put in the number (which paradoxically was NOT a password field, so you could see the number I entered…this is good, but doesn’t follow the logic of how you dealt with other pages) and expiry date, and expected to see a screen for the security code, but there was none there. That’s not only a strange experience, but violates the policy of most credit card processors.
This is a decent site, but it has some problems which you can hopefully rectify fairly quickly. If you’d like an official audit of the process at a later date, please don’t hesitate to contact me .
I doubt I’ll hear back from them, but what the heck, it felt like a good opportunity to point out someone else’s flaws since so many folks LOVE doing it to me.