How the hell do you build a user experience for people who are 100% truly and completely ignorant about computers?
-
@hobbs They log in through their phone *and* through a shared office PC unfortunately.
-
@gardiner_bryant I don't quite see how the login on desktop and phone would pose an issue with passkeys since you can easily use (or even require) a physical one for both (or even use the phone as passkey manager for both) (would also get rid of the username requirement). The not being paid to implement them is a much bigger hurdle imo.
I've got some (though not much) experience implementing them if there are questions
@m_star Sorry. It's a shared office PC. I forgot about the ability to use a phone as a hardware key. I'll look into it.
-
It's probably worth noting I have modest password requirements. Must be at least 8 characters long, alphanumeric with upper and lower case, and at least one special character.
@gardiner_bryant this is the point where you hire a lawyer and adjust your SLA (or set one up if you don’t have one yet) - maybe they just need an incentive to remember their password.
-
...after they log in... but that *also* doesn't work.
It seems like they *will not* remember their password no matter what I do. I'm at a loss and I'm tired of dealing with this.
Any suggestions?
@gardiner_bryant do what other sites do, email a one-time login URL to the user's email address.
-
@JeroenBaten this is an interesting idea. This might actually work for the guy.
-
@unboundcelestial oh man. They totally can. And I've shown the boss and the office manager how to do this for them. They would just rather send me an email.
@gardiner_bryant @unboundcelestial Machiavellian, but at work sometimes we have to “make them feel the pain” in situations like these. I’d set up an autoresponder for their domain specifically saying you’re away on-site and wait to get back to them to try to force them to use their admin privileges to reset it. I’d respond but make it take longer to make the option of resetting it themselves more attractive and maybe make it annoying enough for them to correct the employee.
-
@Betterthanlast @unboundcelestial the problem is, they think the issue is with my code. No matter how many times I explain that *this means he's typing in his password wrong*, they still think "any error message that appears on screen means Gardiner's code is f'ed up."
And the error message is "Wrong username or password. Try again."
-
@portaloffreedom
Thank you for your input! Self-service password resets already exist.
Sessions last over 60 days but he seems to log out all the time.
@gardiner_bryant hopefully that gave enough ideas. But, I do have a couple of other suggestions after giving it more brain power.
No logout solution: the logout button brings you to the login screen but does not invalidate the token, so login is possible again with no password input. This will make you support the person once every 2 months.
Automated support: give him a robocall center to call to reset his password via phone.
And then that got me thinking, if the person is more comfortable with phones rather than computers, why not a login with the phone? Input SMS code to complete the login (I know I know SMS are not the best, but it might be a good compromise here). Or something else like scan a QR code.
In the end the password is just a mechanism to "prove the identity". If you can prove that a connection is from the authorized person with another method that is not memory, or memory of a different kind (pattern memory? Probably too simple for a web exposed endpoint) that will probably work too.
Alas, if you don't have a budget for implementing passkeys I'm afraid these are more thought exercises than practical solutions....
Anyway, cheers

-
How the hell do you build a user experience for people who are 100% truly and completely ignorant about computers?
I have a client with an employee who *refuses to remember his username and password.* I get emails at least once a month saying "he can no longer access the portal."
"Why not?" I ask.
"Not sure," with a screenshot saying they input the wrong username/password.
So I have to log in, reset their password and send it to them. I've tried forcing them to set their own password...
@gardiner_bryant@mastodon.online
Seconding standing up a self service password reset workflow. Also, make it so that there is an admin who can do these password resets so that they are confronted by the fact that this one guy is the only one with this issue.
Finally (and again, others have suggested this), adjust your SLA and product offering so that this is the last time you deal with this.
-
@gardiner_bryant As was stated in a brilliant presentation from one of IBM's Directors from their client division: "Don't try to use IT to solve an HR problem."