Curious to see if others have their own suggestions. We've noticed that if we not pretty vigilant about it, the creep factor sets in and suddenly there are lots of weird things happening around micro-features.
Since most of these seem to be about user accounts, I'll add: Don't require a user to have an account unless it's actually necessary for the feature.
Also, although I understand many folks have philosophical problems with this, you should support one-click log in with at least one of Facebook, Google, or Twitter. I almost certainly do not want to make a password for your site.
On a related, but opposite note, don't make one-click log-ins the only option. I almost assuredly don't want to add another point of access to my Facebook/Twitter/Google data, and would rather manage my Lastpass account than monitor my app permissions across several services.
A bizarre one that affects Microsoft DreamSpark, (and probably others) is that they silently escape characters in your password. Apparently they do this using two different methods depending on whether you're logging in or changing your password, so if it gets escaped one way, it might not be escaped the other way, and then you can't log in.
Consequently I don't think you can include brackets in your password if you want it to work. The front-end apparently isn't aware of this limitation, so they'll happily let you do it.
If only all companies were this considerate of their users!
The first item on this list, auto-login links in email, is something I wrote about in the summer of 2011 and when I submitted it to HN it hit the top item in minutes. This is a definite user pain point!
https://eeqj.com/20110614/please-dont-do-this/
I was on the phone with United the other day and stuck in their IVR. I said "agent", and it said to me:
"I think you want to speak with an agent. If you answer just a few more questions, I'll be able to help you. Let's try again..." and repeated the same menu prompts. Saying "agent" a second time actually gives an agent.
Don't get me wrong, I get the expense of processing users with live agents versus an IVR, and I understand their volume. Adding a second confirmation probably saves them a zillion dollars annually.
It also makes them dicks. It confirms that it knows what I want, and then does the opposite. Few things are more disrespectful.
Huge props to Zapier for identifying ways of doing the opposite - showing your users that you appreciate and care for them and their finite time and attention.
I think the 'agent' trick comes from an adversarial relationship between the caller and the IVR. Properly implemented (this is rare), an IVR should help to collect structured data and save time on the call. If all the users know how to circumvent the IVR, because they think it's a waste of time, you start getting counter-measures to force the user through the expected workflow. Even if it was a well-done IVR, you probably hate IVRs so much that you never want to use one.
It's sort of like if you walked in a McDonalds and started yelling 'Big Mac'. You would eventually get a hamburger, but there's a system in place to get your product to you in a way that is theoretically a good balance between you and the business. If the system is working properly, queuing and ordering will be faster than screaming until you get what you want.
That would also be a good thing to yell while standing in a McDonalds, although I suspect it would take longer to get service...
I think IVRs are an awesome idea to reduce the number of minimum wage employees crammed into cubicles, answering phones endlessly. The thing is, they were really implemented before their time, and now all the research seems to be into making people not hate them, when it should be about making the decision trees clear and simple.
Ah yes, this is exactly the annoying thing we want to avoid. I've reflected on my behavior in these instances and I often bounce instead of login, especially on mobile.
