Tag: Passwords

Why UX Matters or How Color (and other) Choices Can Ruin an Identity Experience for Users

I’m not writing this to shame a company, though I do plan to share this post with them in hopes that they can make some adjustments that will benefit customers in the future. As such, I’ll do my best to mask their identity as much as reasonably possible.

Before doing so, I want to back up a second. When I am attempting to convey to someone how critical digital identity is to their product or service, I start with this premise: The experience of managing their digital identity is often their very first interaction with your product or service. If a login is required, it is usually the proverbial front door every time they use your service. Getting that right, consistently, is critical to your success.

Sunday, last week I had an interesting UX lesson in how colors can influence user choices and, in this case, result in a horrible experience trying to manage an identity/account. To be clear, it wasn’t just colors that created the experience, but I’ll illuminate the additional issues below.

Due to an illness, I was trying to access my remote care service that let’s me speak with a doctor for basic first aid/primary care. It is a terrific service for times when I have poison ivy (usually once a year) or an average ear infection (not yearly, but pretty common). It usually saves me a primary care visit and I get a script called into my pharmacy pretty quickly. In some years, I talk to them more than I do my primary care physician. It is usually a huge time and money saver.

To expedite receiving a call, I have a profile setup thru their website. I did this a few years ago. Today, I tried to login, but they had changed their website since I last visited (I think), and this is what I was presented with (pardon the masking, but trying to be helpful, not critical):

Now, bear in mind, this particular case was kind of urgent. So time was of the essence. I quickly looked at the screen and couldn’t quickly remember if I was considered a client or a member. Now, the bright blue color login is for members, but the bright blue section below it correlated to businesses trying to partner with them. That created some confusion so I chose the white login button for the client login portal.

Using my 1Password shortcut, I attempted to login. No luck, bad username or password. My username is a little complex, so I tried a few more times for good measure. No joy. Well, the website had changed, maybe they force a password reset every so often, like after design change and maybe I missed the notice or it was dumped as spam. So I initiate a password reset, and get this screen.

Seems straightforward, so I input my username and email address. The system accepts my parameters and I get a reset link sent to my email address. I click on the link and get this:

That’s odd. Naturally, the security geek immediately starts wondering if I have a man-in-the-middle attack going on, so I attempt it again. Same result. Once more, no luck.

At this point, I just call the 800 number to request a call. After a wait of about 40 minutes (unusual, given my previous experience) I get an attendant and we navigate the process to get a doctor queued to call me.

Now, it may be blindingly obvious to some (clearly, not me) that I may have gone to the wrong portal. I never thought to go back and attempt to use the member portal instead. At the time, I didn’t even think there were two portals. After talking with the service operator, she initiated a manual password reset for me and naturally told me to go to THIS page:

A ha! I’m masking this page some, but the rest of the screen makes it quite clear this was enabled for customers of the service. Naturally, armed with my new password I was able to login and update my password and security question. So I was off on the wrong branch of the site flow the whole time. A single, understandable, but ultimately incorrect choice resulted in almost an hour of wasted time. Besides the lessons learned for yours truly, I think there are a few for the vendor.

First, proper error handling is one of the first key tests for an effective user experience. If I’m using a valid member portal user ID on the client portal, maybe test the ID against the member portal and offer to redirect? That would have avoided this entirely.

Second, while I don’t know that their identity stores are unified or linked, I was able to initiate a reset of my member user ID’s password from the client portal. That’s bad. Had that failed, I might have at least suspected my ID was messed up and gone a different route. Again, checking that ID against the member portal may have saved a step here. Either way, accepting the member portal ID as valid and sending me a reset link to the client portal that kicked back with an expired token reinforced the idea that I was in the right place but something was broken. This ultimately ties into lesson one regarding error handling.

Next, reconsider the color choices on the main page. Perhaps align both the member login color with the member solicitation screen? And perhaps align the client login with the client solicitation color. Consistent coloring can reinforce users choices when they are unsure.

Also, maybe reconsider the ‘client’ term vs. member? I realize the website eventually clarifies, but maybe consider the term ‘partner’? Member vs. Partner is a pretty clear distinction. I don’t think this is critical, but it could be useful. I know patient isn’t in vogue these days, but the patient portal likely would have landed me in the right spot.

Finally, some language on each portal page to assist the user if they selected the wrong portal might be beneficial. The client portal in particular is fairly sparse. They do a good job with the member portal (if I had actually clicked on it).

Now, in full disclosure, I now also have their mobile app installed, which has a significantly better user experience. If I were to guess, it is designed for members only. Therefore, the confusion I had with the dueling web portals couldn’t happen. It also has TouchID/FaceID integration so that’s even better. Aligning the UX of mobile with the web site would be a nice next step to get an even greater consistency for the customer. They should also market their mobile app on the web page.

So, in reality, 2-3 hopefully minor changes could improve this vendor’s client UX considerably. I was fortunate, and persistent, so this ended well. But, what if the user was put off by the wait time and the password reset problem and went to the ER or Urgent Care (this happened on a Sunday) instead? That was a huge difference in cost and opportunity cost for whomever was behind me in line.

While this dealt with a more serious type of service experience, businesses undergoing digital transformations should consider hiring people that can look at these flows (better than I do, as I am not a UX expert) and give them proper guidance. Even if your service is selling t-shirts or fidget spinners, helping your users navigate your service easily from an identity context can be the difference between a sale or a closed browser. Or better, you’ve created a repeat customer.

Nymi Band – Loads of Potential

When this video first launched, the identity geek in me had a nerdgasm. The idea of continuous, contextual, biometric authentication in a low profile wearable has undeniable appeal. in a world in which users routinely have to navigate countless sets of credentials as part of their daily lives, could this really be ‘one band to rule them all’? Ok, after the eyeroll for the pun, the potential is extreme for this device to be a game changer.

Realizing the potential is always the struggle, and Nymi has experienced that like most startups. They’ve pivoted from consumer to enterprise use cases recently, and I think that will serve them well.

Anyway, the emphasis of this post is on my experience with the developer version of the band to date.  Thus far, it has been positive, but not without some bumps. Being that the band still isn’t RTM for public consumption, that’s almost expected.

Unboxing

I didn’t take photos or do a silly youtube of this, but Nymi clearly took notes from Apple on the unboxing experience and meticulous design. You can see the package near the end of the video above. The package was elegant and very well presented. I think that experience is a little underrated when we’re talking new technology. They did a very nice job here, even for a dev kit experience.

The Windows Experience

I hate to start with the bad, but this is how it was experienced when I first received the band late last year. Part of the dev kit comes with a usb bluetooth adapter. This is understandable, because not all devices support Bluetooth 4/BLE, windows especially. So now the band and related software is at the mercy of the Windows API’s.

The first test was on my corp laptop, a Lenovo T400 Thinkpad running Windows 7. The software installation required a separate install for the bluetooth hardware, but that’s expected. The companion software (required to enroll/identify you, bio-metrically) installed successfully and I was able to enroll my band pretty easily. The key here is to just ‘be still’ and let it read your ECG for about 90 seconds. I did get a few false rejections initially, but the software easily allows you to ‘condition’ your profile by doing more reads. Eventually, the FRR (false rejection rate) diminished considerably. This did raise a question: will consumers be this patient?

The 2nd piece is the unlock software. In effect, this is what you install to get the OS to recognize the device as a means of authentication. The windows implementation (compared to OS X, more on that in a moment) is a little clumsier, because the ‘login’ is presented as a secondary user from your primary login. I don’t really blame Nymi for this, because I believe some of this is a limitation of Windows Authentication API unless you implement this as part of the GINA (Graphical Identification and Authentication library). Especially for enterprise use cases, this might raise a CIO’s blood pressure (pardon the pun). If your PC stays persistently on, the unlock works pretty consistently (64-bit windows only, for now).

The challenge comes in for windows systems coming out of sleep. Sleep is always Windows nemesis, at least for my experience. And when you’re relying on a bluetooth service and adapter to authenticate you to come out of sleep mode well, it doesn’t always behave. The experience here thus far has been pretty inconsistent. My devices sleep unless they are in use, so this is a hurdle. In my conversations with Nymi support staff, they are aware of the issue and are actively working to tune that process. With Windows being the dominant desktop platform, I have little doubt they will smooth those issues out.

Still, waking up and unlocking my windows PC and Macbook without typing in a password is a pretty nice experience. Here’s my process:

  1. Fasten NymiBand
  2. Open iPhone 6 with TouchId
  3. Open Nymi Companion on iPhone
  4. Activate band (already enrolled) either via HeartID or TouchId (more on this in a moment)
  5. Login to MacBook by raising lid and pressing enter (<10 seconds)
  6. Login to Windows PC by bringing out of sleep (keyboard) and select Nymi user profile (30-60 secs)

Pretty cool, huh?

iOS Companion

Previously, I had to use a PC to activate my band. That won’t be the average user’s experience. So adding the iOS companion was a huge leap forward. The iOS companion works flawlessly and really was the first user experience that, in my opinion, showed Nymi starting to realize their vision for the ideal user experience. Registration & enrollment were flawless. I could either register my heart rhythm for the enrollment or allow the band to be a proxy for TouchId, yet another well executed biometric implementation. I’ve played with both, but currently use TouchId for activation in the morning.

OS X Experience

This started out rocky due to some installation issues, but eventually both the companion (pre iOS) and the unlock installed well. Now the experience goes up a level. Not only does unlock work seamlessly coming out of sleep, the re-lock feature (if enabled) can detect when your band is out of proximity of your MacBook and automatically lock your device. I found this to be a really nice feature at work. This was another case where the developers really began to show up how the vision could be realized.

Wearable Aesthetics

In this area, I struggle a bit. When I first received the band, I already wore a Fitbit Surge on my non-dominant wrist. Two bands on one wrist is a little too goth for my liking, so I went with my dominant wrist. That was ok, but definitely took some getting used to with respect to keyboards. Now I own an Apple Watch and the dynamic is the same.  I have to wonder, however, if this aspect of wearables will be a barrier to adoption for some. I honestly don’t know the answer to this.

Summary & Leftover Questions

Overall, I’d call the beta experience a success, especially once the iOS companion was released. its easy to see some of the promise in this technology helping reduce our reliance on something as insecure and unreliable as passwords.

Extending this beyond the desktop, and realizing some of the novel use cases in the video are where questions emerge. Could I pair my NymiBand with my 2015 Prius to unlock it? I have a feeling this will be easy given the advances Toyota has already implemented in keyless entry. My 2007 Tundra…not so much but I’m being unfair on that one.

The key challenge I see for the band will be enrollment on the target system, especially for those looking for configuration vs. security experiences. For me, given that I own the PC, MacBook, iPhone, and the Prius, enrollment is easy. What about public systems like the hotel, payment systems, retail chains, airport security, etc? Also, where does privacy play? The upside of the NymiBand is that you could theoretically ‘disappear’ by disconnecting the band. This is unlike Tom Cruise’s character when he walks into the next generation Gap with someone else’s eyes in Minority Report. These are open questions and not meant to infer an indictment of the technology or their approach. There is a ton of potential here, and I look forward to seeing how Nymi’s delivery and, perhaps more importantly, their partnerships help realize the vision of this platform as a next generation in digital identity.