
RE: [ACTION-908] good practice for login forms

From: Jo Rabin <jrabin@mtld.mobi>
Date: Mon, 9 Feb 2009 06:42:27 -0000
Message-ID: <C8FFD98530207F40BD8D2CAD608B50B401ABA008@mtldsvr01.DotMobi.local>
To: <casays@yahoo.com>, <public-bpwg@w3.org>

This is like so many other statements, which have to contain caveats
because of the diversity of the targets. I like Eduardo's description of
this as "casuistry" ...

... my observation is that it is somewhat harder to type numerics on my
E71 than it is to type alphabetics. 

So, in summary, our guidelines should perhaps say: take the following
into consideration:

a) If the application has a desktop aspect, users may find it confusing
to have different passwords for different aspects of the same service.
But then again, most people don't find it confusing that they have to
use different keys for different cars.

b) Balance the convenience of remembering passwords with the possible
security consequences of doing so. Take into account the presence or
absence of password managers in the devices.

c) Adjust the properties of login screens according to device
properties. Default to hiding the password for devices with complex
input capabilities, and showing for devices with simple capabilities.
Provide the user with a choice to change the default selection.

I'm not sure that counts as useful actionable advice.

Jo


> -----Original Message-----
> From: public-bpwg-request@w3.org [mailto:public-bpwg-request@w3.org] On
> Behalf Of Eduardo Casais
> Sent: 04 February 2009 14:04
> To: public-bpwg@w3.org
> Subject: Re: [ACTION-908] good practice for login forms
> 
> 
> I have little to add to what the others, and especially Rotan, have
> stated so far.
> 
> >* We have a BP on "One Web" which encourages the
> > use of the same account / personalization between
> > desktop and mobile web applications --> it would be
> > strange then to have different recommendations for
> > mobile passwords as opposed to desktop passwords.
> 
> Well, I have bank accounts (on the desktop Web) that require
> exclusively numeric passwords and exclusively numeric additional
> one-time challenge-response keys (via handheld one-time password
> generators). Similar issue in some corporate environments (SecurID
> cards and so on). So the approach is not exotic. As for the one Web,
> if this is interpreted as coercing mobile devices to be used in the
> same way as desktop ones, then difficulties are to be expected.
> 
> > * Virtual keyboards are getting more popular and so
> > even on mid-range devices can we not expect the input
> > limitations of numeric keypads to fade away pretty
> > quickly.
> 
> Obviously the recommendation (b) does not make sense for devices with
> full keyboards (e.g. Nokia Communicators, Blackberries) -- although
> recommendation (a) might still make sense, and (c) still applies. As
> for the evolution of mid-range phones, etc, good practices should be
> generally applicable and useful now, not in some indistinct future,
> the large number of low-end phones with a simple keypad will not
> disappear, and I have doubts as to the usability of these virtual
> keyboards (which is more usable: entering a numeric pin-code directly,
> or launching a virtual keyboard, typing in, then closing it and
> continuing with the form?)
> 
> I had only been tasked to document what is considered good practice in
> the mobile Web -- I did not realize this topic would generate so much
> discussion.
> 
> E.Casais
> 
Received on Monday, 9 February 2009 06:43:06 UTC
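Jo's summary points (b) and (c) above describe a concrete client-side behaviour: default the password field to masked or visible according to the device's input capabilities, let the user override that default, and hand the browser's password manager (where one exists) the hints it needs. The following is an added example written for this page, not code from the thread or from the BPWG; the device capability objects, the `SAMPLE_DEVICES` table and all function names are constructed for illustration, and a real site would take its capability data from its own device-description source. It goes slightly beyond the text by treating an unknown input mode as "mask by default", the safer choice when capability data is missing.

```javascript
// Adaptive password field for a login form (example code, not from the
// original mailing-list thread). Pure decision functions are kept apart
// from the DOM binding so the logic can be exercised outside a browser.

// Constructed capability descriptions standing in for a device database.
const SAMPLE_DEVICES = {
  featurePhone: { inputMode: "keypad", hasPasswordManager: false },
  qwertyPhone:  { inputMode: "qwerty", hasPasswordManager: false },
  desktop:      { inputMode: "qwerty", hasPasswordManager: true },
};

// Recommendation (c): mask by default when typing is easy (full keyboard),
// show by default when typing is hard (numeric keypad). Missing or unknown
// capability data falls back to masking (assumption made for this example).
function defaultMasked(device) {
  if (!device || typeof device.inputMode !== "string") return true;
  return device.inputMode !== "keypad";
}

// Recommendation (b): the standard HTML autocomplete token tells a password
// manager which field this is so it can fill it; on a device without one the
// hint is simply ignored. Autocapitalisation is switched off because a
// virtual keyboard that capitalises the first letter silently corrupts
// whatever the user types into a visible (type="text") password field.
function fieldAttributes(device, maskedNow) {
  return {
    type: maskedNow ? "password" : "text",
    autocomplete: "current-password",
    autocapitalize: "off",
    spellcheck: "false",
  };
}

// Field state: starts at the device default; a user toggle flips the
// masking and records that the user, not the heuristic, made the choice.
function createPasswordFieldState(device) {
  return { device, masked: defaultMasked(device), userOverride: false };
}

function toggleMasking(state) {
  return { ...state, masked: !state.masked, userOverride: true };
}

// Browser-only glue: apply the state to an <input> and a toggle button.
// Returns a getter for the current state so the form handler can inspect it.
function bindToDom(state, inputEl, toggleEl) {
  let current = state;
  const apply = (s) => {
    const attrs = fieldAttributes(s.device, s.masked);
    for (const [name, value] of Object.entries(attrs)) {
      inputEl.setAttribute(name, value);
    }
    toggleEl.textContent = s.masked ? "Show password" : "Hide password";
  };
  apply(current);
  toggleEl.addEventListener("click", () => {
    current = toggleMasking(current);
    apply(current);
  });
  return () => current;
}

// Stand-alone demonstration when run under Node: print the default each
// constructed device would get.
if (typeof document === "undefined") {
  for (const [name, device] of Object.entries(SAMPLE_DEVICES)) {
    const s = createPasswordFieldState(device);
    console.log(name, fieldAttributes(device, s.masked));
  }
}
```

The toggle is the part that keeps this honest with point (c): the heuristic only picks a starting point, and `userOverride` lets the form remember that the user changed it, so a later re-render does not quietly revert to the device default.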
