The frailty of usernames
When “Hela — The Destroyer” complicates your registration process!
Let me preface this article by making it clear that, of all the problems you’ll face when creating a new product, this is of the lowest business priority; but a fairly high customer priority. Should you choose to proceed, remember that a stitch in time saves nine! 😉
What’s in a username?
Usernames are pretty much standard in all online products — whether you’re medicantbias117 on Instagram or cuteprincess16 on TikTok, we’ve now been accustomed to setting up usernames in any registration flows. But have you really thought, what goes on behind the scenes?
Let’s take an example of a possible feature on noon.com — reviews and ratings. In a fairly simple process, you’ll be asked to review your purchases and those will appear on the website — something like:
And it’s a fairly simple flow for the Noon product team to implement — Launch the feature, invite customers to write their reviews and viola! a fully functional, feature-rich review system with deep data insights into their customers, ready for incremental improvements churned out almost daily by the team.
But wait… what’s the problem?
Let’s assume there is a popular reviewer on Noon.com named ‘Shameela Sheikh”. She reviews everything tech-related and her review is considered golden, so much so that people actually read her reviews before hitting the description box. Now, place yourself in the shoes of a dubious marketing exec of tech company (say ‘Mango’) that wants to increase its sales for a range of personal computing devices. The Mango marketing exec, with a few tools at his disposal, can start creating accounts like “Shamila Sheikh” or “Shamila Sheik” that are programmed to leave a positive feedback for their products and vote to promote each others reviews. It’s fairly simple and requires a few non-monitored apis.
Psshhh! you’ll say — that’s too far fetched and an edge case! People are not stupid! I say, Exhibit A:
Of course, the impact of this scam was reduced, compared to the damage it could have done — thanks to the verified account statuses that Twitter provides. It is easy to overestimate the smartness of your users, the little few that take things for face value on the internet soon grow into a majority through the social validation effect.
There is no protection against human stupidity. For every technological/user experience marvel you produce, there will be one human who’ll exploit it and one human who’ll get exploited by it. Nothing is safe!
What can you do?
So what does the erstwhile product manager do? You can do a few things-
1. Verified statuses for each popular reviewer. Badges help.
2. Throttle your reviews and votes by individual/account.
3. Constantly monitor reviews for similar content (products with low rating getting a high hit of positive reviews? Something is fishy there!)
4. Random sampling of reviews/users to ensure they’re legit.
5. Provide means to verify authority — you have to experience it to review it. So put some restrictions on who can review and the value of each review.
Can emails replace Usernames?
Depends. If the emails are never publicly displayed, there is no need for a username. You can also offer to strip off the @tld.com part to make it easier for the customer. Reliability wise, you are better off ensuring the following:
- Usernames are not Case sensitive
- If the usernames have commercial impact (by virtue of their opinions), skip Usernames and replace with Names (First Name + Last Name). Provide anonymous option too.
- Do a l337 search to ensure popular names are not being hijacked via l337 replace. (See here for l337)
Thank you for reading! Hope you enjoyed!