A topic of frequent interest and debate among Higher Logic clients is the auto-login feature. Auto-login embeds a user’s credentials into community discussion group emails, enabling users to click on links in emails generated by the community platform to engage in the community site without having to manually log in.
Many community managers think it’s a great idea, especially when they’re looking at migrating a community that has “lived” on and communicated via a listserv for years, and they’re worried about the barrier of requiring users to visit a website to participate in the community. However, the issue isn’t totally black and white; there are definitely some risks involved with auto-login. If you’re debating about whether or not to enable auto-login for your online community, here are some pros and cons to think about.
- Auto-login lowers the barrier to participation. Especially in the association space, the concept of an online community is nothing new; it’s just the format that’s new. Listservs have been one of the most popular benefits for many associations for years, because of the ease of use and low barrier to entry, since members are able to interact with each other via email. Especially when a community is migrating from a listserv to an online community software platform, auto-login can greatly ease the transition from old to new. It can really help mitigate users’ reluctance to log in to the site every time they visit, and we’ve seen community sites falter, if not fail, because the org didn’t enable auto-login.
- Auto-login is not SSO configured. One limitation of auto-login is that it does not drop a cookie, and is not single sign-on (SSO) configured. For example, if you click on the auto-login link to participate in your community site, and then navigate to your main organization site, you will not be logged in. Likewise, if you click on the auto-login link to go to the community, close your browser session, then re-navigate to your community site, you will be prompted to log in again. This may be confusing to some members.
- Forward messages with caution. When you enable auto-login, if a user forwards a community email to someone else using their email service provider’s “Forward” feature, the original recipient’s user credentials are embedded in the forwarded email. This would allow whoever receives the forwarded email to click on a link in it and be logged in as the sender. At least at Higher Logic--and probably the same is true of most online community platform vendors--we do not store credit card or any other highly-sensitive information, so the largest “risk” is that the recipient will post a message and it will appear to have been generated by the original sender. You can set some limits to reduce the chances of this happening, such as setting a time frame for how long the auto-login credential will work; for instance, if you set it for five days, after that time, the recipient would have to log in. You can also set your email template to include a warning message, reminding users not to forward their community emails.
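
The time limit described above, as an added example that is not Higher Logic's code or part of the original post: one way an expiring email-link credential could work, assuming an HMAC-signed bearer token. `SECRET_KEY`, `issue_token` and `verify_token` are hypothetical names; the point is that expiry bounds the forwarding risk but does not remove it, because anyone holding the link inside the window is accepted.

```python
import base64
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key"   # assumption: a server-side secret
TTL_SECONDS = 5 * 24 * 3600            # the five-day window from the text


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, now: float, ttl: int = TTL_SECONDS) -> str:
    """Build the value embedded in an email link: payload plus HMAC tag."""
    payload = f"{user_id}|{int(now) + ttl}".encode("utf-8")
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_token(token: str, now: float):
    """Return the user id if the token is authentic and unexpired, else None."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:                  # wrong shape or bad base64
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                     # forged or altered link
    user_id, expires = payload.decode("utf-8").rsplit("|", 1)
    if now >= int(expires):
        return None                     # past the window: manual login required
    return user_id


if __name__ == "__main__":
    sent = 1_700_000_000                # constructed send time (Unix seconds)
    link_token = issue_token("member@example.org", sent)
    # A forwarded copy carries the same token, so day 1 succeeds for any holder.
    print(verify_token(link_token, sent + 1 * 86400))
    print(verify_token(link_token, sent + 6 * 86400))   # after five days
```
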
The deciding factor? The way the Higher Logic platform works, if we have enabled SSO with your main site login, and that login has a “Remember Me” feature with a persistent cookie that lives for at least 30 days, then we advise orgs to encourage members to use that feature instead of auto-login. It does not have the security and login limitations of the auto-login feature. However, if you do NOT have SSO enabled or a “Remember Me” feature, I think the benefits of auto-login outweigh the small risks. Also, remember that you can always switch on the "reply via email" feature which gives the user the option of completely bypassing the web.
Weigh in--do you think the benefits of auto-login outweigh the risks?