- From: Jo Rabin <jrabin@mtld.mobi>
- Date: Mon, 9 Feb 2009 06:42:27 -0000
- To: <casays@yahoo.com>, <public-bpwg@w3.org>
This is like some many other statements, which have to contain caveats because of the diversity of the targets. I like Eduardo's description of this as "casuistry" ... ... my observation is that it is somewhat harder to type numerics on my E71 than it is to type alphabetics. So, in summary, our guidelines should perhaps say: take the following into consideration: a) If the application has a desktop aspect, users may find it confusing to have different passwords for different aspects of the same service. But then again, most people don't find it confusing that they have to use different keys for different cars. b) Balance the convenience of remembering passwords with the possible security consequences of doing so. Take into account the presence or absence of password managers in the devices. c) Adjust the properties of login screens according to device properties. Default to hiding the password for devices with complex input capabilities, and showing for devices with simple capabilities. Provide the user with a choice to change the default selection. I'm not sure that counts as useful actionable advice. Jo > -----Original Message----- > From: public-bpwg-request@w3.org [mailto:public-bpwg-request@w3.org] On > Behalf Of Eduardo Casais > Sent: 04 February 2009 14:04 > To: public-bpwg@w3.org > Subject: Re: [ACTION-908] good practice for login forms > > > I have little to add to what the others, and especially Rotan, have stated > so far. > > >* We have a BP on "One Web" which encourages the > > use of the same account / personalization between > > desktop and mobile web applications --> it would be > > strange then to have different recommendations for > > mobile passwords as opposed to desktop passwords. > > Well, I have bank accounts (on the desktop Web) that require exclusively > numeric passwords and exclusively numeric additional one-time challenge- > response keys (via a handheld one-time password generators). Similar issue > in some corporate environments (SecurID cards and so on). So the approach > is not exotic. As for the one Web, if this is interpreted as coercing > mobile devices to be used in the same way as desktop ones, then > difficulties are to be expected. > > > * Virtual keyboards are getting more popular and so > > even on mid-range devices can we not expect the input > > limitations of numeric keypads to fade away pretty > > quickly. > > Obviously the recommendation (b) does not make sense for devices with full > keyboards (e.g. Nokia Communicators, Blackberries) -- although > recommendation (a) might still make sense, and (c) still applies. As for > the evolution of mid-range phones, etc, good practices should be generally > applicable and useful now, not in some indistinct future, the large number > of low-end phones with a simple keypad will not disappear, and I have > doubts as to the usability of these virtual keyboards (which is more > usable: entering a numeric pin-code directly, or launching a virtual > keyboard, typing in, then closing it and continuing with the form?) > > I had only been tasked to document what is considered good practice in the > mobile Web -- I did not realize this topic would generate so much > discussion. > > E.Casais > > > > > > > No virus found in this incoming message. > Checked by AVG - www.avg.com > Version: 8.0.233 / Virus Database: 270.10.16/1925 - Release Date: 01/30/09 > 07:37:00
Received on Monday, 9 February 2009 06:43:06 UTC