Re: ACTION-406: Petname burden

Ian, others,

This issue:

Issue #3: "Cognitive burden" as Rachna called it. How many things can 
people really remember, and how well will they hold up? E.g. I have 4 
Passmark sitesecure images, one for each of my banks. If the wrong one 
showed up for a particular bank (e.g. my BoA image showed up for 
Vanguard), I don't think I'd notice. If, for my account at my brokerage 
(which I rarely log into) the wrong image showed, I don't think I'd 
notice at all. Specifically, I wonder if a "reasonable" petname shows up 
(e.g. for Bank of America, if the petname were simply "bank of america", 
if anyone would notice that's not _their_ petname... although it may well 
be ;-) )

I think this harkens back to the discussion Tyler and I had on this list 
last week.  It seems that we're now in the space of different people 
having different opinions of what we can reasonably expect users to 
remember (and, indeed, whether remembering specifics is even important).

Is there any way to bring more quantitative analysis to this discussion? 
Does anyone have a proposal for a test/evaluation/survey/study which would 
help us understand whether there is (or not) a cognitive burden and 
whether or not it matters?

Regards,
Tim Hahn
IBM Distinguished Engineer

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Durham/IBM@IBMUS
phone: 919.224.1565     tie-line: 8/687.1565
fax: 919.224.2530




From: "Ian Fette" <ifette@google.com>
To: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
Date: 03/26/2008 01:48 AM
Subject: ACTION-406: Petname burden



In ACTION-406, I said I would raise issues I had with burden of petnames:

Issue #1: Burden on UI. If a user wants to use petnames and have them 
displayed, great. I'm not sure where exactly that should be displayed, but 
if a vendor wants to add this feature and give it screen real-estate, then 
I don't want to stop them. However, I don't think it's appropriate for us 
to say SHOULD/MUST display petnames as a default configuration, as it's 
not clear that it's worth the UI tradeoffs. But what users and vendors 
choose is fine. I'm not sure I want to force UAs to implement petnames, 
but if they want to do it and the user wants to use it, great.

Issue #2: Burden on user during non-petname interactions. If I'm 
bookmarking a site, trying to use a form-filler, or doing anything else 
where petnames are not my intent - I think it's fine if petnames are 
offered as an option, but I don't think they should be required to be 
offered as an option (again, UI issues) and I definitely don't think they 
should change the flow (e.g. if 1-click bookmarking is the flow, ala FX3, 
I don't want to require introduction of a screen that would effectively 
change it to 2-click) unless the user has opted in to that changed flow.

Issue #3: "Cognitive burden" as Rachna called it. How many things can 
people really remember, and how well will they hold up? E.g. I have 4 
Passmark sitesecure images, one for each of my banks. If the wrong one 
showed up for a particular bank (e.g. my BoA image showed up for 
Vanguard), I don't think I'd notice. If, for my account at my brokerage 
(which I rarely log into) the wrong image showed, I don't think I'd 
notice at all. Specifically, I wonder if a "reasonable" petname shows up 
(e.g. for Bank of America, if the petname were simply "bank of america", 
if anyone would notice that's not _their_ petname... although it may well 
be ;-) )

Issue #4: Burden on other features / common use cases. We're talking about 
disabling form filling for general use cases. Maybe that's separate from 
petnames in general and is more an issue with PII-bar, but the two seem 
closely linked in the current spec.

Basically, these issues sum up to "I don't have a problem with people 
using petnames, if people find them useful that's great. I personally have 
reservations about how they would hold up under attack in a long-term 
study, I'm not convinced of the value proposition, the cost-benefit 
analysis, etc, and so I don't want to force them upon users or vendors. 
But if people want to use them, I certainly don't want to stop them."

Received on Wednesday, 26 March 2008 16:07:00 UTC