How to manage member access to member-only areas of an association’s web site is a common question posted to the ASAE Technology listserv. Since I’ve answered it a few times I thought I would go ahead and post my stock reply here to save some typing in the future. 🙂
Many associations, when they first create a member-only area of their web site, have used a member’s ID number and last name to control access. This method is very easy to set up, administer and communicate to members. However, that same information is usually printed on mailing labels and membership cards, which is definitely a security risk. The size of the risk really depends upon what someone can do with the account once they log in. If it’s just to view content (usually the case for early efforts), the risk is relatively low. If it can include e-commerce transactions or editing the member’s data in your association management system (what most associations want to add or expand upon now), then the risk is pretty high. Either way, I think it is smart to move to something more secure.
When I came to ASHA in 2000 we were using the same account number/last name scheme for access and that info was and is on every mailing label and membership card. We then implemented a username/password system that allowed the user to create their own login name and password. Over time, we found many members had problems remembering the login name they had created for themselves. A few years later we migrated to using their e-mail address as their login name which has dramatically reduced support calls for lost user names (many of our members call us instead of using the account help tools on the site). Based on our own experience, I would recommend going with e-mail as the login name. That seems to be the emerging standard around the web for many major sites out there (Amazon being the most notable).
Some gotchas to look out for when using e-mail as the username:
- Each member must provide a unique e-mail address. Sometimes this is an issue when a spouse shares the same e-mail account and is also a member.
- You should provide instructions on free services that members without an e-mail address can use to get one (there are still some people without e-mail addresses!). This is also useful in the spouse shared address situation.
- Clearly state how the association will use the address when the member supplies it, to ease privacy/spam concerns on the part of the member.
- Consider your response to members who refuse to supply you with an e-mail address but want access to the member-only content and services (I have encountered this a few times).
- Members should be able to change their e-mail address at any time without having to re-register with the site. In technical terms, test for e-mail uniqueness but don’t use it as the primary key for the record.
Finally, you will need to associate the login with their account number in some way. You might ask for their member ID number at the time they register or associate the login with their account later through some other process. I strongly suggest automating the process as much as possible while still preventing the same ID number from being associated with more than one login.
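As an added illustration of the two design rules above (e-mail is unique but not the primary key, and a member ID can be tied to at most one login), here is a small example using Python and SQLite. It is not code from the original post or from any association's system; the table and column names, and the `register`/`link_member`/`change_email` helpers, are assumptions made for the example.

```python
import sqlite3

# Constructed schema for the example: a surrogate key identifies the login,
# the e-mail is merely a unique login name, and the association's member ID
# may be attached to at most one login.
SCHEMA = """
CREATE TABLE member_login (
    login_id  INTEGER PRIMARY KEY,                  -- stable identity of the row
    email     TEXT NOT NULL UNIQUE COLLATE NOCASE,  -- unique login name, case-insensitive
    member_id TEXT UNIQUE,                          -- NULL until linked; one login per ID
    pw_hash   TEXT NOT NULL                         -- store a slow password hash, never the password
);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def register(conn, email, pw_hash):
    """Create a login; return its login_id, or None if the e-mail is already taken."""
    try:
        cur = conn.execute("INSERT INTO member_login (email, pw_hash) VALUES (?, ?)",
                           (email, pw_hash))
        return cur.lastrowid
    except sqlite3.IntegrityError:
        return None

def link_member(conn, login_id, member_id):
    """Attach a member ID to a login; False if that ID already belongs to another login."""
    try:
        conn.execute("UPDATE member_login SET member_id = ? WHERE login_id = ?",
                     (member_id, login_id))
        return True
    except sqlite3.IntegrityError:
        return False

def change_email(conn, login_id, new_email):
    """Change the login name in place; the row and its member link survive."""
    try:
        conn.execute("UPDATE member_login SET email = ? WHERE login_id = ?",
                     (new_email, login_id))
        return True
    except sqlite3.IntegrityError:
        return False

def lookup(conn, login_id):
    """Return (email, member_id) for a login, or None if it does not exist."""
    return conn.execute("SELECT email, member_id FROM member_login WHERE login_id = ?",
                        (login_id,)).fetchone()
```

Because `login_id` rather than `email` is the primary key, a member who changes addresses keeps the same row, the same member link and the same history, and the database itself blocks a second login from claiming an already-linked member ID.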
Hopefully the above info will help you get a jump start on the design (or redesign) of your web site login system.