2FA. Everybody says use it. Lots of sites will set it up so that if someone tries to log in or do “forgot password” you get a text or some other secondary way to confirm it’s really you.
Someone I know left her husband. He was not being so nice. He was somehow logging into her Facebook, she wasn’t sure how. And doing some uncool things while logged into Facebook as her. So I worked with her on telling Facebook to clear all other logins, take his phone number out, put her new one in (she had to change her number because of him), change her password, use 2FA to text her, etc…
We did the same with Google for her Gmail and Google login. Cleared previous logins, set up 2FA, changed the password. I was pretty confident we had gotten rid of him.
She texted me the next morning. He was back in everything and had changed the passwords to Facebook and her Google/Gmail so she couldn’t get in. 2FA hadn’t happened for either account. Neither texted her to say someone was trying to log in or change the passwords. Both Facebook and Google let him change her passwords.
How did this happen?
She realised that he had her previous phone, which had been logged in to these apps and systems. You might say OK, that’s obvious. The phone was logged in. He goes into the phone, he gets into her apps and email. But that phone isn’t activated anymore so it wouldn’t use her phone number, especially the phone number she changed days ago because of leaving him. That phone is 2+ years old.
BUT we set up 2FA. 2FA is specifically designed for situations like these. You’ve gone in, changed your password, and cleared logins… should someone with your (old, deactivated) phone be able to get into everything without doing the 2FA?
I spent the next day depressed, lying in bed, angry at 2FA and some pretty shitty UX. Sorry to swear but I was mad. How many frightened people is 2FA not helping? How many of those people continue to be hacked, harassed, hurt because these systems aren’t working?
I can’t say hey Facebook stinks, look at what happened, because it happened with her Gmail/Google also. It makes me think something about the way companies are implementing 2FA is heavily flawed. If I change my password, log out of all accounts, etc… 2FA should protect me. And it freaking doesn’t, does it.
What if someone had my current phone?
Here’s a use case for you. You somehow have my current phone and you somehow know how to unlock it. I have no unlock code, or it’s obvious, or you know me and you guessed it, or you’re my ex and you saw me type it in 4000 times. You have my phone. Let’s say someone who shouldn’t have my phone has it.
How does 2FA help when my CURRENT phone is in the wrong hands? If you text me a code, the jerk with my phone now has that text! He or she has the code! Email me a code, well my phone picks up email.
Desktop vs Mobile
Last week, Facebook decided someone might be trying to log into my account (because I rebooted my router and my IP address showed up as a different neighbourhood around here). It logs me out of desktop Facebook but interestingly I was still logged into the mobile app.
In fact, it wanted me to go into the mobile app to get a 2FA code for desktop. Well sure, my phone is still logged in to the app, here’s your code. And if that phone were in the wrong hands… there’s the code!
In reality, if you are going to log me out of desktop Facebook because you think I’m being hacked or compromised, then you log me out of mobile web Facebook and you log me out of mobile app Facebook. Period. Otherwise, you have not saved or helped me AND you may have made it really easy for the wrong person to breeze through the two-step authentication.
What is the only thing that would have worked in this case?
I think the only thing that would have worked would have been to remote wipe her old phone, the one the ex somehow got. In reality, he didn’t know her passwords. But since he had a phone that was logged into these apps, the apps gave him the power to change settings, undo 2FA, change the password, etc… If we had remote wiped the phone, he would have been locked out from harassing her by logging into stuff as her.
Moral of this story: 2FA isn’t what you think it is. And the best safeguard for when your phone is compromised is to enable remote wipe, even on an old phone that you think won’t get someone very far because you’ve changed passwords and set up security safeguards.
Google how to do that for your particular phone. Set that up. You might need it someday if the phone falls into the wrong hands.
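Added example (not from the original post and not Facebook’s or Google’s code): a toy Python account model showing the two safeguards this story argues for. Every session is bound to a credential “generation”, so a password change or a global logout invalidates an old phone’s session immediately, and password/2FA changes require a 2FA proof on that specific session that is younger than an assumed `STEP_UP_WINDOW`, so a device that is merely still logged in cannot undo the protections. Device names, timestamps and the window are constructed assumptions.

```python
import time

STEP_UP_WINDOW = 300  # seconds a 2FA proof stays fresh for sensitive actions (assumed policy)


class Account:
    """Toy model: sessions record the credential generation they were issued under and their last 2FA time."""

    def __init__(self, password):
        self.password = password
        self.generation = 0  # bumped on every password change or global logout
        self.sessions = {}   # device -> {"generation": int, "last_2fa": float}

    def login(self, device, password, otp_ok, now=None):
        now = time.time() if now is None else now
        if password != self.password or not otp_ok:
            return False
        self.sessions[device] = {"generation": self.generation, "last_2fa": now}
        return True

    def is_active(self, device):
        s = self.sessions.get(device)
        return s is not None and s["generation"] == self.generation

    def sensitive_action_allowed(self, device, now=None):
        """Password/phone/2FA changes need a current session AND a 2FA proof younger
        than STEP_UP_WINDOW; a device that is merely still logged in is not enough."""
        now = time.time() if now is None else now
        return self.is_active(device) and now - self.sessions[device]["last_2fa"] <= STEP_UP_WINDOW

    def change_password(self, device, new_password, now=None):
        if not self.sensitive_action_allowed(device, now):
            return False
        self.password = new_password
        self.logout_everywhere(keep=device)  # every other device loses access at once
        return True

    def logout_everywhere(self, keep=None):
        """Invalidate all sessions except `keep` by bumping the generation."""
        self.generation += 1
        kept = self.sessions.pop(keep, None)
        self.sessions = {} if kept is None else {keep: {**kept, "generation": self.generation}}


def replay_story():
    """Constructed scenario: an old phone logged in long ago, then a password change from a laptop."""
    acct = Account("old-password")
    acct.login("old_phone", "old-password", otp_ok=True, now=0)
    acct.login("laptop", "old-password", otp_ok=True, now=10_000_000)
    return {
        "laptop_changed_password": acct.change_password("laptop", "new-password", now=10_000_060),
        "old_phone_still_active": acct.is_active("old_phone"),
        "old_phone_can_change_password": acct.change_password("old_phone", "x", now=10_000_120),
        "laptop_needs_fresh_2fa_later": not acct.sensitive_action_allowed("laptop", now=10_000_361),
    }
```

The last key shows the step-up rule biting the legitimate device too: once its 2FA proof is older than the window, even the laptop must re-challenge before touching account settings.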
I’ve had a lot of feedback the past couple of years of training. Mostly it’s that people want a more advanced class. And they want it from a teacher who really understands where students are starting and how to get them, step by step, to really learn the skills. Oh that’s me!
I proudly announce that Ptype now has an Advanced Axure Prototyping Workshop. As of writing this, it’s not yet available as a video course. That will hopefully be available by the end of 2017. For starters, you can attend our 2-day live, remote workshop. It’s webinar-style and taught by me. Join from anywhere. More info here.
As the curriculum says, topics will include:
- Listeners (automatically running processes)
- Math functions including formatting and rounding numbers
- Form validation and error messages
- Really getting into variables
- Repeaters. I don’t believe repeaters are a “beginner” topic so they are not part of our Core Skills workshop.
To make sure people get personal attention, each workshop is limited to 15 people. Want a spot? Sign up now! Registration is open and the early bird pricing is in effect through 2 October 2017. Our reg system will also automatically calculate group discounts for teams of 2 or more registering together as well as a “bundle” discount if you register for all three workshops together.
See you there!
I go on road trips from time to time. There is a 100% chance that my PayPal debit Mastercard will be shut off, even if I call them first and say I’m road tripping. Evidently buying gas over and over triggers their fraud system.
When PayPal’s card fraud system is triggered, my card is shut off. I’m not emailed, I might be called tomorrow to please let them know if this is fraud or not. But nothing I can do in the moment other than stop the motorcycle road trip to call them, which is not worth my time.
So I pull out my Discover card, the other card I keep in the pocket of my moto jacket. I’ll run that until they suspect fraud. But when they do, I get a text asking if I am making these gas purchases. I text back YES and they reply that they will keep my card on.
Thank you. YOU get the gas business.
American Express has started doing something like that when it suspects my purchases. I get an email (which I may not look at while on a moto road trip) asking if I tried to make a certain purchase or not. I then have to tap a “yes” or “no,” which loads up a webpage. That’s fun when I’m in a bad service area. My Amex is skimmed 2 or 3 times a year so they are getting more careful with my card. I’m getting mountains of notifications now.
I think the text messaging is a great way to go. It’s immediate, it’s something I might look at even when I’m not looking at email, I can text back a quick reply, and you might even get the SMS where your data connection is weak or non-existent.
Consider your users and multiple use cases. How do we quickly confirm if this is fraud or not, keep a card on when the customer would want it on, shut it off if it’s really stolen or skimmed, and let our customer keep going?
I learned a weird lesson recently. Learn from my mistake!
I have been travelling a lot more lately (hence a quiet blog in 2017) so I wanted to get a dual SIM phone. Drop my American SIM in, drop in a European SIM, everybody can call me on one phone. To be cheap, I chose a 2017 Samsung Galaxy J7 Pro because I’m an Android fangirl. A used, completely unlocked one on Amazon was about $320. Not bad.
The listing advertised “USA and Latin American LTE.” OK this should work. And completely unlocked.
Things went badly when the phone started prompting me to set up Samsung Pay. Yes, I will happily set that up! I love it! Every time I went to set it up, it said the network couldn’t be reached and to try again later.
After days of that, I contacted Samsung Support via Facebook chat. Why isn’t this working? Long story short, it’s not working because of the “origin” of the phone. My used phone was originally sold in some other country. What country? I have no idea. Doesn’t matter to me. I can set up Android in USA English and I’m good, right?
Not so fast. Samsung made the odd decision that this phone cannot activate Samsung Pay because of where it was first sold, wherever that was.
But I’m in the USA and using it here.
Which makes more sense? Telling people they can’t use Samsung Pay on that phone ever OR letting people use it when they are in countries that accept it and blocking it when they are in countries that do not accept it? You know what country I’m in by GPS, towers, and what network I’m on.
I assume that if this can be done with Samsung Pay, it can be done with other apps or software. That made me return the phone. In the future, I won’t buy a used phone unless I’m cool with whatever the country of origin is. Evidently this can matter!
A press release went out recently saying that the UNO card game is finally available in a colour blind friendly way. How did they address this? They used a language of symbols in place of colours. Let’s take a look.
This immediately strikes me as a tough user experience.
I can see the logic someone went for. Triangle is red. Slash is yellow. Triangle plus slash is orange. But it falls apart when you have to remember which way a triangle is facing to know which colour this is.
With these soft, rounded rectangles, can you tell which way it’s pointing at a distance? Make this small enough or far away enough and it probably looks like an amorphous blob.
Remember this is a game where someone gets to change the colour at some point. They might yell out RED. You will have to consult the legend OR remember which-direction-facing triangle that is.
Based on this legend, there are LOTS of colours you might need to know about. Triangles, slashes, squares grouped in various ways. I often warn that if you go just past critical mass with icons, you are now in hieroglyphics. You have a language people need to remember.
This isn’t totally UNO’s fault.
They are using ColorAdd’s Color Alphabet. Someone else designed this to solve the problem of visually communicating colours to the colour blind. I am not sure this “standard” has ever taken off. I travel a lot and haven’t seen it anywhere. Perhaps because it’s flawed and hard to remember. The ColorAdd website says copyright 2010 so it’s been around a while… yet I have never seen it anywhere before.
The press release says this deck is in partnership with ColorAdd. It also says the decks are “backordered.” Perhaps they are not producing them until they see what the real demand is.
We can’t blame UNO for how this Color Language is designed but we can wag a finger at them for choosing it (or choosing to partner with ColorAdd).
Now look at the size and placement of these hieroglyphics.
This part is also UNO’s fault. Sorry, UNO.
Did you spot it? The little triangle next to the small number on the card? The soft, rounded triangle. UNO cards aren’t that big so this is probably a pretty small icon.
And did you notice that this icon appears right side up at the top and upside down at the bottom (like the number)? That’s especially tough in a symbol language where shapes are mirror images. Red and blue are mirror images. So at a quick glance, what colour is this? Will someone who is also dyslexic also struggle with these symbols?
How else can UNO solve this?
A co-worker sent me this after I opened up a discussion on this deck.
On the left, the most common form of colour blindness. On the right, non-colour-blind vision. So yes, UNO has a colour blindness problem but how is this best solved?
Create their own symbol language. Use a silhouette shape of an animal to represent colours. I’d run tests with kids to see what colours they associate with which animals (and also test colour blind kids). But for fun how about Red Rhino, Yellow Bird, Green Frog, and Blue Butterfly.
Change how they do their character cards. UNO sells many different decks. Here is a pic I found on Google Images of the Disney Princesses deck.
They also have Toy Story, Cars, Hello Kitty, and many others. But take a look at this image. This deck can’t be used by the colour blind because all the green cards don’t have the same princesses on them. They’re not even characters from the same era. I can’t group them in any way. So they need to improve upon that.
Snow White can be yellow, Tiana can be green, Cinderella is blue, and Jasmine can be red. All the green cards would get Tiana, not just some of them. If you’re establishing a code or language, you need that consistency.
At least UNO tried.
You have to give UNO points for trying to come out with something for colour blind people, even after 40ish years. However, they probably have missed the mark by using a probably-unfamiliar, potentially-confusing symbolic language and then printing it small and in various orientations (when orientation matters).
To UNO I say “go fish.”
UNO really only needs 4 colours from what I remember. They are obviously plugging ColorAdd by including two cards explaining the colours and how you combine them to make colours.
ColorAdd goes beyond that to try to describe colours further. Here is their “code.” My ongoing thoughts include:
- I still can’t imagine this works at any sort of decent distance (the way it’s intended) including for traffic lights and walk/do not walk signs.
- Is it important to know shades of a colour you can’t see? Would that change safety or an experience to know something is dark red vs red?
- If nearly all colour blindness has to do with red and green, why not work on super clear symbols that cover red and green? Why try to create symbols for a huge palette including gold and silver?
I haven’t blogged in months. I got an email from a random guy offering to write posts for me because I had stopped. Evidently taking a break from blogging means you need help.
Thanks, random guy, but I had other more pressing things going on this year. It’s just starting to normalise… and BOY do I have a lot to tell all y’all!
Welcome back, me, and you, dear reader. 🙂
I admit it. I love Samsung Pay. Many of you already know I’m an Android fangirl. But I haven’t tried Android Pay because I refuse to unlock my phone 500 times a day with a PIN, password, thumbprint, or finger sliding adventure. That slows me down too much.
Samsung Pay is mostly like any other NFC-based payment system with one huge exception. Samsung bought a company that figured out how to make a phone “tell” a standard credit card swiping reader that it had read a card. I can hold my phone near the swipe area of a terminal that doesn’t take NFC payments and still have that terminal “think” it ran a card.
I’ve been mansplained over it when some guy thought he would SAVE me from making a fool of myself by trying to pay for a food truck that way. I’ve had shop workers say, “Wow, I didn’t think we took Apple Pay.” “You don’t. This is Samsung Pay.”
Even if you’re an Apple fan, find someone who loves his or her Samsung phone and check it out. Anywhere the swiping is exposed (i.e., NOT a gas station), watch it in action.
It has some other nice features like I can hold my phone when the screen is off, swipe the screen in a certain direction, and I go right into Samsung Pay, ready to pay with one of my cards. I still need to fingerprint or PIN to pay, but I’m right there.
Downside: it’s not available in every country. And not available with any card. Samsung is slowly making deals with different cards and banks for inclusion. I can put my American Express in and my Wells Fargo personal ATM debit Visa but not my Barclay American Airlines Mastercard.
People who want to learn Axure often message us and ask what is the fastest and easiest way to book our live, remote training by the hour? This training is done webinar-style (screen sharing and dial-in) but is completely private. It’s one-on-one if there’s one of you… or we can train your team.
Use our online appointment scheduling system
Our online calendar is a super-smart system that knows when our free time is and what types of appointments you can drop into that time.
You can also buy a block of time by clicking on View Products/Packages at the top left of the calendar page. That will let you pre-pay for a certain number of hours. Pay once, then just use your package code to schedule each time.
If you just want to book a single block of time for any reason, just choose it. The system will charge you accordingly during checkout.
Step 1: Choose the type of appointment you want
Listed right there on the page are different types of appointments, their duration, and the cost.
Book phone consultation time (free), individual Axure training (for one person), or team Axure training. The list is longer than the above screen shot.
As soon as you make that choice, our system checks for dates and times when we can handle that appointment. Be sure to adjust things for your time zone so that there are no appointment surprises later!
Step 2: Book lots of times at once
Want one appointment? Choose “continue” after selecting your time.
Want to book lots of appointment times? Choose “recurring.” You’ll then get to pick a recurring time (like every Monday at 6:30pm) or you can pick any other time to add to your basket.
Step 3: Pay for your time
Did you previously buy a package? Redeem the time you pre-paid by entering the code you were given when you bought the package.
Or pay as you go. We take credit cards.
It’s probably easier than we made it look here but why not walk through it so you know your options. 🙂
Our system will remind you 2 hours before the appointment. Both your confirmation and reminder emails will have links to change your appointment if you need to pick another time.
With our appointment system, you can handle the booking without us going back and forth with “when are you free” “oh I can’t make it then” “how about this time” “well how about this time.” Pick any time you see open.
Thanks and train ya soon!