Aaron Parecki

Fails in what way?

@jpgoldberg wanna speak to this? 😈

Identify users.

for me: letting people login. after working with/for okta and having to use okta ... it seems like every time i had to login there were problems.

Okta employee here. Genuinely curious, as there are lots of possible answers to this question: What is Okta's one job?

What lesson should we take from 15 years of admonishing users to "just use a password manager" but failing to get better than ~30-40% adoption, and patchy success even from "successful" adoption?

Put another way: User research is always painful, but I can only imagine how excruciating it would be to watch a 1password or Apple Keychain or Google passwords user research session.

I haven't done a detailed analysis, but I'd estimate that Google's "suggest a secure password" doesn't work on 10% of sites, and is effectively hidden on 30-40% (i.e., I have to look for it, which an average user wouldn't do).

I despise 1password - I've tried, it fails way too often. I've taken to using Google's cloud password system, which is OK, but fails reasonably often - often enough that *I* end up futzing around with password resets for longer than is reasonable. Average users have no hope.

mental model problems are real tho frsure

uhhhhhhhhh so did you just reveal you don't use password managers? because I've been using one for years now with a setup not unlike that and I find it quite reliable ;)

(sorry, this rant brought to you by "don't apologise to Okta they literally have ONE JOB and a market cap of $36B and choose to do their job by shaming users" 😂)

If we start with that *instead of* starting with passwords, there are a bunch of solutions and approaches that make byzantine quests like "remember this random inconsequential thing so that we can trust you enough to reset this other random thing" seem *actively hostile*

We have this fundamentally distorted view that authentication is "username and password", but what we're trying to achieve is to answer two questions: 1. Who are you? 2. Prove that you are who you say you are.

... not to mention unreliable or buggy auth systems (which are *extremely* common), or the struggle to form a mental model of how accounts work. So the real "question" is "I don't know my password (and it's not my fault), so please just let me in another way."

Password managers are deeply unreliable. Use Chrome on a Mac? LOL. Good luck. Use a service on both a phone and a desktop computer? Share an account with another person? Yeah, no chance.

100%. The big thing here is that we assume that people just forgot their password. But we also say they need to use unique, complicated, unmemorable passwords across literally hundreds of sites. So how the hell are they supposed to remember?

Instead of "Forgot your password?", maybe sites should start asking, "Are you taking your password with you to your grave?" or "Have your mystical unlocking runes been lost to the ages?"

"forbidden password question" has much more allure 🙃

"forgotten password question" is kind of an awkward phrase in and of itself

honestly, I wasn't being very fair to you folks with this one, hence this follow-up twitter.com/yoz/status/135…