Posts by Debbie

2FA. Everybody says use it. Lots of sites will set it up so that if someone tries to log in or do “forgot password” you get a text or some other secondary way to confirm it’s really you.

Someone I know left her husband. He was not being so nice. He was somehow logging into her Facebook, she wasn’t sure how. And doing some uncool things while logged into Facebook as her. So I worked with her on telling Facebook to clear all other logins, take his phone number out, put her new one in (she had to change her number because of him), change her password, use 2FA to text her, etc…

We did the same with Google for her Gmail and Google login. Cleared previous logins, set up 2FA, changed password. I was pretty confident we had gotten rid of him.

She texted me the next morning. He was back in everything and had changed the passwords to Facebook and her Google/Gmail so she couldn’t get in. 2FA hadn’t happened for either account. Neither texted her to say someone was trying to log in or change the passwords. Both Facebook and Google let him change her passwords.

How did this happen?

She realised that he had her previous phone, which had been logged in to these apps and systems. You might say OK, that’s obvious. The phone was logged in. He goes into the phone, he gets into her apps and email. But that phone isn’t activated anymore so it wouldn’t use her phone number, especially the phone number she changed days ago because of leaving him. That phone is 2+ years old.

BUT we set up 2FA. 2FA is specifically designed for situations like these. You’ve gone in, changed your password, and cleared logins… should someone with your (old, deactivated) phone be able to get into everything without doing the 2FA?

I spent the next day depressed lying in bed, angry at 2FA and some pretty shitty UX. Sorry to swear but I was mad. How many frightened people is 2FA not helping? How many of those people continue to be hacked, harassed, hurt because these systems aren’t working?

I can’t say hey Facebook stinks, look at what happened, because it happened with her Gmail/Google also. It makes me think something about the way companies are implementing 2FA is heavily flawed. If I change my password, log out of all accounts, etc… 2FA should protect me. And it freaking doesn’t, does it.

What if someone had my current phone?

Here’s a use case for you. You somehow have my current phone and you somehow know how to unlock it. I have no unlock code or it’s obvious or you know me and you guessed it or you’re my ex and you saw me type it in 4000 times. You have my phone. Let’s say someone who shouldn’t have my phone has it.

How does 2FA help when my CURRENT phone is in the wrong hands? If you text me a code, the jerk with my phone now has that text! He or she has the code! Email me a code, well my phone picks up email.

Desktop vs Mobile

Last week, Facebook decided someone might be trying to log into my account (because I rebooted my router and my IP address showed up as a different neighbourhood around here). It logs me out of desktop Facebook but interestingly I was still logged into the mobile app.

In fact, it wanted me to go into the mobile app to get a 2FA code for desktop. Well sure, my phone is still logged in to the app, here’s your code. And if that phone were in the wrong hands… there’s the code!

In reality, if you are going to log me out of desktop Facebook because you think I’m being hacked or compromised, then you log me out of mobile web Facebook and you log me out of mobile app Facebook. Period. Otherwise, you have not saved or helped me AND you may have made it really easy for the wrong person to breeze through the two-step authentication.

What is the only thing that would have worked in this case?

I think the only thing that would have worked would have been to remote wipe her old phone, the one the ex somehow got. In reality, he didn’t know her passwords. But since he had a phone that was logged into these apps, the apps gave him the power to change settings, undo 2FA, change the password, etc… If we had remote wiped the phone, he would have been locked out from harassing her by logging into stuff as her.
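The server-side behaviour this post argues for, as an added sketch (not code from the original post, and not how Facebook or Google actually work): a password change logs out every other device, and a session that is merely still logged in cannot change the password or turn off 2FA without a fresh re-authentication. The `Account` class, its method names and the 300-second window are all hypothetical.

```python
import hashlib
import hmac
import os
import secrets

STEP_UP_WINDOW = 300  # seconds a re-authentication stays fresh (assumed value)


class Denied(Exception):
    """The session may not perform the requested action."""


class Account:  # hypothetical server-side account model
    def __init__(self, password):
        self.two_factor_enabled = True
        self.sessions = {}  # token -> {"device": str, "reauth_at": float}
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password)

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def _credentials_ok(self, password, second_factor_ok):
        # second_factor_ok stands in for a one-time code verified elsewhere.
        pw_ok = hmac.compare_digest(self._hash(password), self.pw_hash)
        return pw_ok and (second_factor_ok or not self.two_factor_enabled)

    def _session(self, token):
        if token not in self.sessions:
            raise Denied("session revoked or unknown")
        return self.sessions[token]

    def _require_fresh(self, token, now):
        # A logged-in device alone is not enough for account-level changes.
        if now - self._session(token)["reauth_at"] > STEP_UP_WINDOW:
            raise Denied("re-authentication required")

    def login(self, device, password, second_factor_ok, now):
        if not self._credentials_ok(password, second_factor_ok):
            raise Denied("bad credentials")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"device": device, "reauth_at": now}
        return token

    def change_password(self, token, new_password, now):
        self._require_fresh(token, now)
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(new_password)
        # Only the session that made the change survives; other devices are out.
        self.sessions = {token: self.sessions[token]}

    def disable_two_factor(self, token, now):
        self._require_fresh(token, now)
        self.two_factor_enabled = False

    def flag_suspicious(self):
        self.sessions.clear()  # suspected compromise: every device is logged out


def attempt(action):
    try:
        action()
        return "allowed"
    except Denied as exc:
        return str(exc)


def demo():
    t0, later = 1_000_000.0, 1_000_000.0 + 7 * 24 * 3600  # constructed timestamps
    acct = Account("old-password")
    old_phone = acct.login("old phone", "old-password", True, now=t0)
    results = {
        "disable_2fa": attempt(lambda: acct.disable_two_factor(old_phone, later)),
        "change_pw": attempt(lambda: acct.change_password(old_phone, "x", later)),
    }
    new_phone = acct.login("new phone", "old-password", True, now=later)
    acct.change_password(new_phone, "new-password", later + 10)
    results["devices_left"] = [s["device"] for s in acct.sessions.values()]
    results["old_phone"] = attempt(lambda: acct._session(old_phone))
    return results


if __name__ == "__main__":
    print(demo())
```

In the constructed run, the week-old session on the old phone is refused both sensitive actions, and once the password is changed from the new phone the old phone's session no longer exists at all.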

Moral of this story: 2FA isn’t what you think it is. And the best safeguard for when your phone is compromised is to enable remote wipe. Even an old phone that you think won’t get someone very far because you’ve changed passwords and set up security safeguards.

Google how to do that for your particular phone. Set that up. You might need it someday if the phone falls into the wrong hands.


I’ve had a lot of feedback the past couple of years of training. Mostly it’s that people want a more advanced class. And they want it from a teacher who really understands where students are starting and how to get them, step by step, to really learn the skills. Oh that’s me!

I proudly announce that Ptype now has an Advanced Axure Prototyping Workshop. As of writing this, it’s not yet available as a video course. That will hopefully be available by the end of 2017. For starters, you can attend our 2-day live, remote workshop. It’s webinar-style and taught by me. Join from anywhere. More info here.

As the curriculum says, topics will include:

  • Listeners (automatically running processes)
  • Math functions including formatting and rounding numbers
  • Form validation and error messages
  • Really getting into variables
  • Repeaters. I don’t believe repeaters are a “beginner” topic so they are not part of our Core Skills workshop.

To make sure people get personal attention, each workshop is limited to 15 people. Want a spot, sign up now! Registration is open and the early bird pricing is in effect through 2 October 2017. Our reg system will also automatically calculate group discounts for teams of 2 or more registering together as well as a “bundle” discount if you register for all three workshops together.

See you there!


I go on road trips from time to time. There is a 100% chance that my PayPal debit Mastercard will be shut off, even if I call them first and say I’m road tripping. Evidently buying gas over and over triggers their fraud system.

When PayPal’s card fraud system is triggered, my card is shut off. I’m not emailed, I might be called tomorrow to please let them know if this is fraud or not. But nothing I can do in the moment other than stop the motorcycle road trip to call them, which is not worth my time.

So I pull out my Discover card, the other card I keep in the pocket of my moto jacket. I’ll run that until they suspect fraud. But when they do, I get a text asking if I am making these gas purchases. I text back YES and they reply that they will keep my card on.

Thank you. YOU get the gas business.

American Express has started doing something like that when it suspects my purchases. I get an email (which I may not look at while on a moto road trip) asking if I tried to make a certain purchase or not. I then have to tap a “yes” or “no,” which loads up a webpage. That’s fun when I’m in a bad service area. My Amex is skimmed 2 or 3 times a year so they are getting more careful with my card. I’m getting mountains of notifications now.

I think the text messaging is a great way to go. Immediate, something I might look at even when not looking at email, text back a quick reply, you might even get the SMS where your data connection is weak or nonexistent.

Consider your users and multiple use cases. How do we quickly confirm if this is fraud or not, keep a card on when the customer would want it on, shut it off if it’s really stolen or skimmed, and let our customer keep going?


I learned a weird lesson recently. Learn from my mistake!

I have been travelling a lot more lately (hence a quiet blog in 2017) so I wanted to get a dual SIM phone. Drop my American SIM in, drop in a European SIM, everybody can call me on one phone. To be cheap, I chose a 2017 Samsung Galaxy J7 Pro because I’m an Android fangirl. A used, completely unlocked one on Amazon was about $320. Not bad.

The listing advertised “USA and Latin American LTE.” OK this should work. And completely unlocked.

Things went badly when the phone started prompting me to set up Samsung Pay. Yes, I will happily set that up! I love it! Every time I went to set it up, it said the network couldn’t be reached and to try again later.

After days of that, I contacted Samsung Support via Facebook chat. Why isn’t this working? Long story short, it’s not working because of the “origin” of the phone. My used phone was originally sold in some other country. What country? I have no idea. Doesn’t matter to me. I can set up Android in USA English and I’m good, right?

Not so fast. Samsung made the odd decision that this phone cannot activate Samsung Pay because of where it was first sold, wherever that was.

But I’m in the USA and using it here.

Which makes more sense? Telling people they can’t use Samsung Pay on that phone ever OR letting people use it when they are in countries that accept it and blocking it when they are in countries that do not accept it? You know what country I’m in by GPS, towers, and what network I’m on.

I assume that if this can be done with Samsung Pay, it can be done with other apps or software. That made me return the phone. In the future, I won’t buy a used phone unless I’m cool with whatever the country of origin is. Evidently this can matter!


A press release went out recently saying that the UNO card game is finally available in a colour blind friendly way. How did they address this? They used a language of symbols in place of colours. Let’s take a look.

This immediately strikes me as a tough user experience.

I can see the logic someone went for. Triangle is red. Slash is yellow. Triangle plus slash is orange. But it falls apart when you have to remember which way a triangle is facing to know which colour this is.

With these soft, rounded rectangles, can you tell which way it’s pointing at a distance? Make this small enough or far away enough and it probably looks like an amorphous blob.

Remember this is a game where someone gets to change the colour at some point. They might yell out RED. You will have to consult the legend OR remember which-direction-facing triangle that is.

Based on this legend, there are LOTS of colours you might need to know about. Triangles, slashes, squares grouped in various ways. I often warn that if you go just past critical mass with icons, you are now in hieroglyphics. You have a language people need to remember.

This isn’t totally UNO’s fault.

They are using ColorAdd’s Color Alphabet. Someone else designed this to solve the problem of visually communicating colours to the colour blind. I am not sure this “standard” has ever taken off. I travel a lot and haven’t seen it anywhere. Perhaps because it’s flawed and hard to remember. The ColorAdd website says copyright 2010 so it’s been around a while… yet I have never seen it anywhere before.

The press release says this deck is in partnership with ColorAdd. It also says the decks are “backordered.” Perhaps they are not producing them until they see what the real demand is.

We can’t blame UNO for how this Color Language is designed but we can wag a finger at them for choosing it (or choosing to partner with ColorAdd).

Now look at the size and placement of these hieroglyphics.

This part is also UNO’s fault. Sorry, UNO.

Did you spot it? The little triangle next to the small number on the card? The soft, rounded triangle. UNO cards aren’t that big so this is probably a pretty small icon.

And did you notice that this icon appears right side up at the top and upside down at the bottom (like the number)? That’s especially tough in a symbol language where shapes are mirror images. Red and blue are mirror images. So at a quick glance, what colour is this? Will someone who is also dyslexic also struggle with these symbols?

How else can UNO solve this?

A co-worker sent me this after I opened up a discussion on this deck.

On the left, the most common form of colour blindness. On the right, non colour blind vision. So yes, UNO has a colour blindness problem but how is this best solved?

Two suggestions.

Create their own symbol language. Use a silhouette shape of an animal to represent colours. I’d run tests with kids to see what colours they associate with which animals (and also test colour blind kids). But for fun how about Red Rhino, Yellow Bird, Green Frog, and Blue Butterfly.

Change how they do their character cards. UNO sells many different decks. Here is a pic I found on Google Images of the Disney Princesses deck.

They also have Toy Story, Cars, Hello Kitty, and many others. But take a look at this image. This deck can’t be used by the colour blind because all the green cards don’t have the same princesses on them. They’re not even characters from the same era. I can’t group them in any way. So they need to improve upon that.

Snow White can be yellow, Tiana can be green, Cinderella is blue, and Jasmine can be red. All the green cards would get Tiana, not just some of them. If you’re establishing a code or language, you need that consistency.

At least UNO tried.

You have to give UNO points for trying to come out with something for colour blind people, even after 40ish years. However, they probably have missed the mark by using a probably-unfamiliar, potentially-confusing symbolic language and then printing it small and in various orientations (when orientation matters).

To UNO I say “go fish.”

And ColorAdd

UNO really only needs 4 colours from what I remember. They are obviously plugging ColorAdd by including two cards explaining the colours and how you combine them to make colours.

ColorAdd goes beyond that to try to describe colours further. Here is their “code.” My ongoing thoughts include:

  • I still can’t imagine this works at any sort of decent distance (the way it’s intended) including for traffic lights and walk/do not walk signs.
  • Is it important to know shades of a colour you can’t see? Would that change safety or an experience to know something is dark red vs red?
  • If nearly all colour blindness has to do with red and green, why not work on super clear symbols that cover red and green? Why try to create symbols for a huge palette including gold and silver?


I Haven’t Blogged In A While

Posted By on Sep 5, 2017

I haven’t blogged in months. I got an email from a random guy offering to write posts for me because I had stopped. Evidently taking a break from blogging means you need help.

Thanks, random guy, but I had other more pressing things going on this year. It’s just starting to normalise… and BOY do I have a lot to tell all y’all!

Welcome back, me, and you, dear reader. 🙂


I Love Samsung Pay

Posted By on Sep 5, 2017

I admit it. I love Samsung Pay. Many of you already know I’m an Android fangirl. But I haven’t tried Android Pay because I refuse to unlock my phone 500 times a day with a PIN, password, thumbprint, or finger sliding adventure. That slows me down too much.

Samsung Pay is mostly like any other NFC-based payment system with one huge exception. Samsung bought a company that figured out how to make a phone “tell” a standard credit card swiping reader that it had read a card. I can hold my phone near the swipe area of a terminal that doesn’t take NFC payments and still have that terminal “think” it ran a card.

I’ve been mansplained over it when some guy thought he would SAVE me from making a fool of myself by trying to pay for a food truck that way. I’ve had shop workers say, “Wow, I didn’t think we took Apple Pay.” “You don’t. This is Samsung Pay.”

Even if you’re an Apple fan, find someone who loves his or her Samsung phone and check it out. Anywhere the swiping is exposed (ie: NOT a gas station), watch it in action.

It has some other nice features like I can hold my phone when the screen is off, swipe the screen in a certain direction, and I go right into Samsung Pay, ready to pay with one of my cards. I still need to fingerprint or PIN to pay, but I’m right there.

Downside: it’s not available in every country. And not available with any card. Samsung is slowly making deals with different cards and banks for inclusion. I can put my American Express in and my Wells Fargo personal ATM debit Visa but not my Barclay American Airlines Mastercard.


People who want to learn Axure often message us and ask what is the fastest and easiest way to book our live, remote training by the hour? This training is done webinar-style (screen sharing and dial-in) but is completely private. It’s one-on-one if there’s one of you… or we can train your team.

Use our online appointment scheduling system

Our online calendar is a super-smart system that knows when our free time is and what types of appointments you can drop into that time.

You can also buy a block of time by clicking on View Products/Packages at the top left of the calendar page. That will let you pre-pay for a certain number of hours. Pay once, then just use your package code to schedule each time.

If you just want to book a single block of time for any reason, just choose it. The system will charge you accordingly during checkout.

Step 1: Choose the type of appointment you want

Listed right there on the page are different types of appointments, their duration, and the cost.

Book phone consultation time (free), individual Axure training (for one person), or team Axure training. The list is longer than the above screen shot.

As soon as you make that choice, our system checks for dates and times when we can handle that appointment. Be sure to adjust things for your time zone so that there are no appointment surprises later!

Step 2: Book lots of times at once

Want one appointment? Choose “continue” after selecting your time.

Want to book lots of appointment times? Choose “recurring.” You’ll then get to pick a recurring time (like every Monday at 6:30pm) or you can pick any other time to add to your basket.

Step 3: Pay for your time

Did you previously buy a package? Redeem the time you pre-paid by entering the code you were given when you bought the package.

Or pay as you go. We take credit cards.

It’s easy!

It’s probably easier than we made it look here but why not walk through it so you know your options. 🙂

Our system will remind you 2 hours before the appointment. Both your confirmation and reminder emails will have links to change your appointment if you need to pick another time.

With our appointment system, you can handle the booking without us going back and forth with “when are you free” “oh I can’t make it then” “how about this time” “well how about this time.” Pick any time you see open.

Thanks and train ya soon!


2016’s Weirdest Email

Posted By on Jan 3, 2017

I haven’t had time to blog as much as I’d hoped. So here’s one for now. The weirdest email I received in 2016.

Please enjoy.

Let me sum this one up for you.

Elizabeth (full name and email address obviously not mentioned here) emails me to say that I (Debbie Levitt) am an instructor at General Assembly.

Elizabeth found one of my blog posts where I mentioned that I was NOT an instructor at General Assembly but that I recommended them and heard good things. My point in that post was to recommend them without people thinking I’m biased in any way.

Elizabeth then says that, “Full disclosure and trust is very important to” her. Yes, me too! That’s why I’ve always said I have never worked for General Assembly.

Elizabeth writes, “Was disappointed to find out that your company would rather manipulate potential customers, rather than be honest. I will no longer be frequenting the site.”

I’m not an instructor at General Assembly. Never was.

Interviewed for it twice but they had previous instructors return and said they didn’t need me… but they keep looking at my LinkedIn profile. 🙂

GA is not on my LinkedIn as past or present work experience. They’ve never hired me to do anything.

I’m recommending GA based on hearing good things about them but wanted people to know I wasn’t recommending them because I work there (and recommending them lines my pockets). Elizabeth would like that!

According to Elizabeth, I am manipulating potential customers (Ptype’s or GA’s? not sure) because in my blog I am (I guess) not telling you the truth when I say I wasn’t a GA instructor.

So let me say this again.

I have never taught at General Assembly.

I have spoken at non-GA events held at GA. I have spoken at meetings that used GA space. I have mentored at startup competitions that used GA as meeting space.

I have never been a GA instructor. Even if Elizabeth is sure she was aware that I was.

I just Googled this.

I just Googled this and found something very strange. GA lists me as an instructor… of an Axure class I was going to hold in Los Angeles but cancelled. It never happened but the old page is still up.

I was going to be your “Axure instructor” at a workshop I scheduled at GA but had to cancel.


I’m still not a GA instructor. I don’t teach anything there and never have. I’ve emailed GA to see if they can take that weird reference down. No reason to list me as an instructor for an Axure workshop that was scheduled years ago but never happened. They took the page down without question.

And how sad that someone believed that over me saying I’ve never taught there! Still true: I’m not and never have been a GA instructor. I would have been your Axure workshop instructor had the class happened! But it didn’t.


Strange to watch someone not believe me for telling the truth, but that feels kinda 2016. 🙁

So enjoy the weirdest email I received in 2016. Bests to you too, Elizabeth.

Sorry me telling the truth made you lose trust for me. But hey, it’s the truth. I’ve never worked for GA and if I recommend them, it’s unbiased because I’m not now and have never been an instructor there.


It has been nearly a year since my blog post about my awful experience in Kent State’s “MS of UX Design” program. I wanted to update you on what’s happened since then, in no particular order.

People have come out of the woodwork to thank me. Many people told me they had similar experiences, which is sad but validating, not that I needed validation.

One guy tried to belittle and minimize me while telling me he was empathetic and also wasn’t so sure about the program. OK, weirdo.

I get emails like this.

Just saw your post on Kent State – I had a similar horrible experience. I wish I had seen this post before taking the introductory courses – what a waste of my and my employer’s money!

I just started that program myself, and am definitely experiencing some of the things you had mentioned. I was curious on your advice for someone looking to completely switch careers into UX. I’m currently in the [non-UX] field and was excited about this program, but definitely am feeling like the fundamentals are lacking thus far and feel a little lost with some of the assignments because of it. I want to make sure that at the end of the program I am prepared for and capable of obtaining a job in UX.

Heartbreaking. People expect a certain level of quality not only from a known, accredited university but also from a Masters degree.

I was told that there were some staffing changes there and they are changing the program, but based on the full set of updates I received, I would continue to have no faith in this program or department at all. That’s my opinion. Yours may vary.

How can I tell if a degree will get me what I want?

Many of the people writing to me are transitioning into UX. They want to learn all the fundamentals, core concepts, approaches, and certainly everything they’d need to get that entry level job. They want to graduate with a strong and impressive portfolio.

1. How many classes are spent on actual design that will end up in your portfolio? Last I checked, the Kent State Masters degree was going to spend a few weeks on design out of a 2-year degree. That is NOT ENOUGH to learn about design or build a strong portfolio.

Remember that (good) UX job interviews will ask you to explain the thinking, approach, and methods behind portfolio pieces. You don’t just show them. You explain if not defend them. I have even been in interviews where someone looked at an old portfolio piece and asked if I would do that project differently now and what I would do differently.

2. What core fundamentals are you being taught? Will you be taught User-Centered Design (UCD)? Gestalt Theories of Perception? Read job listings in UX. See what they are asking for. Does your program cover those well and deep enough that you can tell a potential employer you get it and do it?

3. Ask for detailed information about courses, especially intro courses. When I took the Kent State classes, the intro class was week 1, what are some jobs in UX. Week 2, let’s write up a proposal and plan to do research on a fake project. Wait, what? That’s not even step one of UCD. If it looks like an intro class is dumping you right into pseudo real life deliverables without fundamentals, concepts, and approaches, get out of there.

4. Who are the faculty and who designed the courses? At Kent, nearly everybody there was/is a UX researcher. So a bunch of researchers created a Masters in UX Design that has nearly no design and, guess what, LOTS of classes on research.

Also check if faculty are full time or not. At Kent State, I had trouble getting the attention of people in the department because they were also UX research consultants/practitioners and were sometimes unavailable to do that work. Sure, I want teachers who do (and don’t just teach), but I’d want them to be available and have teaching as a priority.

5. Mentoring and networking. I found that Kent State not only offered me no mentoring but when I offered to mentor my classmates, I was told that was inappropriate. I was told the department would consider administrative action against me if I tried to mentor my classmates. Beware of petty power struggles passed off as administrative rules. Look for schools with strong alum networks, good personal attention, and if you’re new to UX, a school that sets you up for mentoring right away.

Don’t be fooled by claims like, “Lots of our grads got good jobs after taking our degree,” or anything like that. Anybody can say that. That doesn’t tell us enough. Were those people already in UX? How much help did the school give in finding or securing that job?

Off the top of my head, those are just a few things I would suggest you dig deeply into.

Who do I recommend?

I continue to recommend General Assembly. It’s a sort of trade school in various cities plus some online programs. Their UX certificate takes just a few months. It’s not cheap. But I have seen many people get entry level jobs after taking that.

You end up with portfolio pieces and good foundational understanding of certain aspects of UX. While I like the idea of teaching at General Assembly, I don’t work there and gain nothing from suggesting them.

You do not need a 4 yr or grad degree unless you are looking to be a researcher. Most research managers I know like to see candidates have a Masters related to UX research or even an MBA. But if you are looking at other areas of UX including IA and interaction design, you may not need a university degree for that.

When I am interviewing candidates, I am looking at their natural talent, approach, thinking, decisions, shifts, and ideas more than where they went to school.

Good luck to all of you no matter what path you choose or which certificate or degree you attempt to get!
