How the hell do you build a user experience for people who are 100% truly and completely ignorant about computers?
-
@gardiner_bryant I'm just a random kid who managed to get a mastodon account, so feel free not to take this too seriously, but is there a way to make it so your client is able to reset the employee's password?
@unboundcelestial oh man. They totally can. And I've shown the boss and the office manager how to do this for them. They would just rather send me an email.
-
@gardiner_bryant Have them set up a password manager?
@richarddegenne this guy wouldn't be able to use a password manager. Either he would forget the *one password* for the manager or he would not keep it updated... or he'd only have it on his phone and get totally lost on the office PC.
-
@portaloffreedom I've thought about passkey auth but, unfortunately, the client won't pay me to implement this and... even if I did... there are limitations to this that would prevent it from working. Especially considering the user needs to be logged in on the office PC and on their phone.
@gardiner_bryant another line of thought could be to improve the password reset flow so that you are not needed for it. "Click here if you forgot your password" flow.
Finally using the browser storage for a password hint or the password itself; like a session cookie with no expiration date.
One could also use a technique like JWT tokens in apps, which continuously renew themselves without a need for a password.
-
@gardiner_bryant another line of thought could be to improve the password reset flow so that you are not needed for it. "Click here if you forgot your password" flow.
Finally using the browser storage for a password hint or the password itself; like a session cookie with no expiration date.
One could also use a technique like JWT tokens in apps, which continuously renew themselves without a need for a password.
@portaloffreedom
Thank you for your input! Self-service password resets already exist.
Sessions last over 60 days but he seems to log out all the time.
-
How the hell do you build a user experience for people who are 100% truly and completely ignorant about computers?
I have a client with an employee who *refuses to remember his username and password.* I get emails at least once a month saying "he can no longer access the portal."
"Why not?" I ask.
"Not sure," with a screenshot saying they input the wrong username/password.
So I have to log in, reset their password and send it to them. I've tried forcing them to set their own password...
@gardiner_bryant maybe something like passkey? I don't know the details of how it works but from what I understand assuming he's using the same computer the credential will just be stored there.
In terms of covering your own ass maybe just gather data about invalid with attempts and try to pitch your customer on having some internal IT training. Also if they're that bad remember you can "fire" customers

-
@portaloffreedom I've thought about passkey auth but, unfortunately, the client won't pay me to implement this and... even if I did... there are limitations to this that would prevent it from working. Especially considering the user needs to be logged in on the office PC and on their phone.
@gardiner_bryant I don't quite see how the login on desktop and phone would pose an issue with passkeys since you can easily use (or even require) a physical one for both (or even use the phone as passkey manager for both) (would also get rid of the username requirement). The not being paid to implement them is a much bigger hurdle imo.
I've got some (though not much) experience implementing them if there are questions
-
...after they log in... but that *also* doesn't work.
It seems like they *will not* remember their password no matter what I do. I'm at a loss and I'm tired of dealing with this.
Any suggestions?
@gardiner_bryant charge them for the service. That will now put the incentive on their boss to not repeat the issue. And if they don't care, well. At least you get paid for your work.
-
@hobbs They log in through their phone *and* through a shared office PC unfortunately.
-
@gardiner_bryant I don't quite see how the login on desktop and phone would pose an issue with passkeys since you can easily use (or even require) a physical one for both (or even use the phone as passkey manager for both) (would also get rid of the username requirement). The not being paid to implement them is a much bigger hurdle imo.
I've got some (though not much) experience implementing them if there are questions
@m_star Sorry. It's a shared office PC. I forgot about the ability to use a phone as a hardware key. I'll look into it.
-
It's probably worth noting I have modest password requirements. Must be at least 8 characters long, alphanumeric with upper and lower case, and at least one special character.
@gardiner_bryant this is the point where you hire a lawyer and adjust your SLA (or set one up if you don’t have one yet) - maybe they just need an incentive to remember their password.
-
...after they log in... but that *also* doesn't work.
It seems like they *will not* remember their password no matter what I do. I'm at a loss and I'm tired of dealing with this.
Any suggestions?
@gardiner_bryant do what other sites do, email a one time login url to the user's email address.
-
@gardiner_bryant do what other sites do, email a one time login url to the user's email address.
@JeroenBaten this is an interesting idea. This might actually work for the guy.
-
@unboundcelestial oh man. They totally can. And I've shown the boss and the office manager how to do this for them. They would just rather send me an email.
@gardiner_bryant @unboundcelestial Machiavellian, but at work sometimes we have to “make them feel the pain” in situations like these. I’d set up an autoresponder for their domain specifically saying you’re away on-site and wait to get back to them to try to force them to use their admin privileges to reset it. I’d respond but make it take longer to make the option of resetting it themselves more attractive and maybe make it annoying enough for them to correct the employee.
-
@gardiner_bryant @unboundcelestial Machiavellian, but at work sometimes we have to “make them feel the pain” in situations like these. I’d set up an autoresponder for their domain specifically saying you’re away on-site and wait to get back to them to try to force them to use their admin privileges to reset it. I’d respond but make it take longer to make the option of resetting it themselves more attractive and maybe make it annoying enough for them to correct the employee.
@Betterthanlast @unboundcelestial the problem is, they think the issue is with my code. No matter how many times I explain that *this means he's typing in his password wrong*, they still think "any error message that appears on screen means Gardiner's code is f'ed up".
And the error message is "Wrong username or password. Try again."
-
@portaloffreedom
Thank you for your input! Self-service password resets already exist.
Sessions last over 60 days but he seems to log out all the time.
@gardiner_bryant hopefully that gave enough ideas. But, I do have a couple of other suggestions after giving it more brain power.
No logout solution: the logout button brings you to the login screen but does not invalidate the token, so login is possible again with no password input. This will make you support the person once every 2 months.
Automated support: give him a robocall center to call to reset his password via phone.
And then that got me thinking, if the person is more comfortable with phones rather than computers, why not a login with the phone? Input SMS code to complete the login (I know I know SMS are not the best, but it might be a good compromise here). Or something else like scan a QR code.
In the end the password is just a mechanism to "prove the identity". If you can prove that a connection is from the authorized person with another method that is not memory, or memory of a different kind (pattern memory? Probably too simple for a web exposed endpoint) that will probably work too.
Alas, if you don't have a budget for implementing passkeys I'm afraid these are more thought exercises than practical solutions....
Anyway, cheers

-
How the hell do you build a user experience for people who are 100% truly and completely ignorant about computers?
I have a client with an employee who *refuses to remember his username and password.* I get emails at least once a month saying "he can no longer access the portal."
"Why not?" I ask.
"Not sure," with a screenshot saying they input the wrong username/password.
So I have to log in, reset their password and send it to them. I've tried forcing them to set their own password...
@gardiner_bryant@mastodon.online
Seconding standing up a self service password reset workflow. Also, make it so that there is an admin who can do these password resets so that they are confronted by the fact that this one guy is the only one with this issue.
Finally (and again, others have suggested this), adjust your SLA and product offering so that this is the last time you deal with this.
-
How the hell do you build a user experience for people who are 100% truly and completely ignorant about computers?
I have a client with an employee who *refuses to remember his username and password.* I get emails at least once a month saying "he can no longer access the portal."
"Why not?" I ask.
"Not sure," with a screenshot saying they input the wrong username/password.
So I have to log in, reset their password and send it to them. I've tried forcing them to set their own password...
@gardiner_bryant As was stated in a brilliant presentation from one of IBM's Directors from their client division: "Don't try to use IT to solve an HR problem."
-