Minimal Viable Authentication: usability versus security

Trigger warning: stalking.

For the following stories I am using the imaginary VIP Cinema again instead of the real app. This way I can freely write about my experiences without naming the actual app.

Usability is king

The VIP Cinema app offered its clients a discount on parking. This service appealed to me. So, I contacted the customer service and got a power of attorney number. On request I had to mention this number to get my promised discount of 50 percent on parking.

After a while I wanted to reserve my parking without calling the customer service. There was a simple solution: a parking app. I installed the app and had to register. The first thing I did was to have my power of attorney number ready.

The next step was to enter my email address and a password. Then I had to verify the address by clicking on a link in an email. A dialog asked for my membership number of the VIP Cinema app. I opened the app and found the number.

After I entered my VIP Cinema membership number, I could immediately reserve a parking place for my car without entering my power of attorney number.

The registration was smooth and it saved me the extra step of entering another number. I really liked this experience.

Security is pauper

“I want to show you something,” I told another software professional.
“Here is my mobile. The VIP Cinema app is open and shows my membership number.”
I got a nod.

“Now I am going to the website to register a new user id and password for the parking website.”
Another nod followed.

This looks familiar

Then I entered a new email address and password. After clicking the link in the mail to verify my email address, I asked him for my membership number. While he was reading out the number, I entered it in the requested text field in the dialog.

“Let us see what kind of information we can get based on this single number.
You can see where I live. This information is needed for billing.”

Worth noting

“Let’s have a look at my parking history. This is the car park I use every other week. This is an interesting pattern. Last week I parked there. So next Friday I will probably park the car there at 7 pm.”

Let me guess

“There is a high chance that I visit a cinema close to this car park. The discount is offered by the VIP Cinema app. Notice that no power of attorney number was asked for. Asking for it would improve security.”

All that being said

“Even worse: I did not get an email that another account was linked to my parking account. I refreshed my inbox: no mail about the double registration was found.

Certain social media apps inform me directly, if my account is accessed from an unknown device. But this was not the case for this app.”

This time I did not get a nod, but an astonished face.

Signals of poverty

When I phoned the customer service of the parking service, no power of attorney number was requested.

During this phone call there was a check of my birthday, my zip code, and my house number. These can be obtained by social engineering or by collecting private information without attracting attention.

This I Learned

Authentication is about making sure that the right person gets access. Shortcuts such as linking an account on a single number that is shown in another app, skipping the secret that was handed out for exactly this purpose, or not telling the existing account holder about a new link, can have severe drawbacks.
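The weak step in the story is the account link: the parking service accepts a membership number that is displayed in another app and readable over a shoulder, asks for nothing else, and notifies nobody. The following added example is not code from this post or from any real parking or cinema app; the service class, the membership number VIP-100200, the power of attorney number POA-4711, the email addresses and the parking history are all constructed. It models that weak link beside a hardened one that demands the power of attorney number (compared in constant time against a salted hash), answers "no" identically for an unknown number and a wrong secret, and mails every login already attached to the membership when a new one is added.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _hash_poa(poa_number: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked database does not hand out the secret.
    return hashlib.pbkdf2_hmac("sha256", poa_number.encode(), salt, 100_000)


# Used when the membership number is unknown, so that the hardened path does
# the same amount of work (and gives the same answer) as for a wrong secret.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = _hash_poa("", _DUMMY_SALT)


@dataclass
class Membership:
    number: str
    email: str                      # login that originally enrolled
    address: str                    # billing address, shown after linking
    parking_history: list           # reservations, shown after linking
    poa_salt: bytes
    poa_hash: bytes
    linked_logins: list = field(default_factory=list)


class ParkingService:
    """Toy parking service; outbox stands in for sending email."""

    def __init__(self):
        self.memberships = {}
        self.outbox = []            # (recipient, subject) pairs

    def enrol(self, number, email, address, history, poa_number):
        salt = secrets.token_bytes(16)
        self.memberships[number] = Membership(
            number, email, address, list(history), salt,
            _hash_poa(poa_number, salt), [email])

    def _profile(self, m):
        return {"address": m.address, "parking_history": list(m.parking_history)}

    def link_weak(self, login_email, membership_number):
        # The flow from the post: the membership number alone links a brand
        # new login to the account; no second secret, no notification.
        m = self.memberships.get(membership_number)
        if m is None:
            return None
        m.linked_logins.append(login_email)
        return self._profile(m)

    def link_hardened(self, login_email, membership_number, poa_number):
        m = self.memberships.get(membership_number)
        salt = m.poa_salt if m else _DUMMY_SALT
        expected = m.poa_hash if m else _DUMMY_HASH
        presented = _hash_poa(poa_number, salt)
        # Constant-time compare; unknown number and wrong secret look alike.
        if m is None or not hmac.compare_digest(presented, expected):
            return None
        for existing in m.linked_logins:
            if existing != login_email:
                self.outbox.append((existing,
                    f"New login {login_email} was linked to membership {membership_number}"))
        m.linked_logins.append(login_email)
        return self._profile(m)


def build_demo_service():
    # Constructed sample data for the imaginary VIP Cinema member of the post.
    svc = ParkingService()
    svc.enrol("VIP-100200", "owner@example.com",
              "Main Street 12, 1234 AB Example City",
              ["2024-05-03 19:00", "2024-05-17 19:00", "2024-05-31 19:00"],
              "POA-4711")
    return svc


if __name__ == "__main__":
    svc = build_demo_service()
    # The demonstration from the post: a second login, the number read aloud.
    print("weak link:", svc.link_weak("bystander@example.com", "VIP-100200"))
    print("mails sent:", svc.outbox)
    svc = build_demo_service()
    print("hardened, no secret:", svc.link_hardened("bystander@example.com", "VIP-100200", "000000"))
    print("hardened, right secret:", svc.link_hardened("second@example.com", "VIP-100200", "POA-4711"))
    print("mails sent:", svc.outbox)
```

The hardened path still rests on a knowledge factor, and the post shows that the phone desk accepts birthday, zip code and house number, which are knowledge factors too. What the notification buys is that the legitimate account holder sees the new link in time to revoke it, which is exactly what was missing in the demonstration.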

How to reduce the scope of testing during testing

It is common to reduce the scope of testing before the test. In my test charters I use things like the feature to be tested or the planned time. For me this is a way to prioritise my tests. Here are some stories about scoping testing while in full testing mode.

Reported as usual

This story happened in real life. In order to share it with you, the reader, I used the VIP Cinema instead of the real app. The new feature of the app was that the clients could make tailor made purchases. Some customers like free parking or discounts for snacks. So, customers could make a package with the discount set to 50 percent.

Not in my backyard

One day I had to test a feature for a package. My steps were to make a package, add components, and use the package. I focused on the normal situation, avoiding typing errors and invalid values.

The start was quite promising: I made a new package and gave it a name. Then I added a decent number of components to the fresh package. When it was time to use the package, I noticed something strange. It was not usable. The package did not give the promised benefits to the user.

It took me a few seconds to realise that I found a bug. Now it was time to make a bug report. It should contain all steps that led to this strange situation. In my notes I found all the information I needed.

Not in my front yard

I made a new package, but after adding some components, something went wrong again. I carefully looked at the new situation and noticed a new bug. Now I needed to repeat all steps again for a new bug report.

So, the whole series of steps had to be repeated for a decent bug report. After a few attempts I could show the bug every time, so I added all the steps to the bug report.

Not in any of my yards

I tried to do the next few steps. Again, I noticed something wrong, so I had to make another bug report. Once again the whole thing repeated: I had to redo all the steps until I could reproduce the bug and then write another bug report.

And this pattern repeated until I got to the 15 steps of the initial bug. It was very difficult, because every 3 steps I got an error for which I had to make another bug report listing the steps I took. I only wanted to make a package with some components.

It has my attention

A few weeks later a programmer told me: “You made all those bug reports?” I remembered the bug reports and was proud of my findings. Then he continued: “All the bug reports had the same issue.”
My spirit dropped after his remark.

I had reported a lot, but actually one single bug report was more than enough. Were the bug reports a useful way to report the bug to the programmer? Sure, but they cost a lot of time. I spent at least one morning writing bug reports.

What I remember is that it took so long to get feedback on my bug reports. If I could have had feedback after the first one, it would have saved me so much time.

Interrupted as usual

During one test session in another company, I saw something strange. I tried to make eye contact with the programmer. But he was fully engaged in his programming, so I called his name and he looked up.

“I saw something strange. Would you have a look?”, I said. He came to my desk and looked how I reproduced all the steps.

Sometimes he asked questions to clarify the situation: “What did you do?” or “Why did you do this?”. Then he went silent, stood up, and went back to his laptop without saying a word.

Wait a minute

I just waited.

After a long silence I got my answer: “It is a bug.” Now I knew that I had to avoid this whole area during testing. I needed to reduce my scope of testing that very moment. Everything using this specific function could have a strange side effect because of the bug I had found.

This way of reporting a bug was at the request of the programmer. He knew that I could find things he had not expected.

He also knew that if I continued testing, it would be very hard for him to reconstruct what went wrong.

Accessibility Poker – This is my view

This is a friendly reminder, that all stories with George are fiction.

The story so far

By assigning Accessibility Points to tickets with obstacles for blind people, it is easier to prioritise work. A user story cannot contain more than 1 action with more than 5 Accessibility Points. This way users can use the web site in an accessible way. Also, the sum of Accessibility Points for a single task should be limited.

Some problem

“Hi George.”
“Hi Polly.
How are things going?”
“During the A/B testing something noticeable happened: sales dropped enormously.”
“What happened, Polly?“
“They changed something to improve accessibility, George.

There was a new page and they thought that they did something pretty smart. Before, it had only a picture and some texts and they replaced it by a movie with a sound track and captions.

If someone was blind, then she or he could hear the movie. Deaf people could read the captions in the movie. We thought that we did a decent job but the A/B testing proved otherwise. We cannot find a solution. George. How do I solve this problem?”

“Polly, your team thought that people were either blind or deaf. If someone is both blind and deaf, what would be the use of the sound and the captions of the movie?”
“They cannot hear the movie and they cannot see the movie, so they don’t get any information. George, that is really insightful.”

Some thing

“There is something different.
In May sales also dropped. We did a promotion for haptic gloves. Something went wrong though. The sales went up after the promotion article on the homepage disappeared.”

“Could you tell me more about this article, Polly?”
“Of course, George. It was for a new haptic glove for the fashion industry. It also included a movie.”
“Can you still play this movie, Polly?”
“Sure, that is easy.”
“Let’s do a simple experiment: you play the movie without showing it to me. At the same time, you tell what is being shown for 10 seconds.”

“George, I found the movie. Let me start:
A user with a haptic glove … fabric … screen … appreciation … order … happy.
Those were 10 tough seconds. It was too hard to tell what happened on the screen.”

“What would users with a visual impairment experience?”
“I think that they would have a lot of problems recognising the pictures, George.”
“Indeed, for me this story would be really difficult to follow.”

“You said: “me”.”
“I mean a user with a visual impairment.”
“George, you have a visual impairment. That’s why you got a headache, when I was quickly browsing a website a few calls ago.”
“You are smart, Polly.”
“Your secret is safe with me, George.”
“Thank you, Polly.”

Some personas

“George, something with the Accessibility Points will go wrong.”
“What do you mean?”
“At the moment we have personas for a blind person and a deaf person. Now we need personas for a blind and deaf person and a person with a visual impairment.”
“You know, that there are different visual impairments, Polly?”
“Then we need to use more personas. This is my view.

I do not like to add multiple numbers of Accessibility Points to a ticket. It is too much administration.”
“What is the minimal number of Accessibility Points you need?”
“At least 1.”
“If there are 7 numbers of Accessibility Points for different personas. Which one would you take?”
“I would take the highest. This sounds lean to me.”

Some offer

“It’s almost 9 o’clock. This was our last call. So, it’s time to say goodbye.”
“There is no other meeting lined up for me, Polly.”
“In that case I have a special offer for you, George. You can work for our company full time and get all the usual benefits like health insurance and stock options. A lot of colleagues are thrilled to work with you.”

“Polly, half an hour a day is more than enough work for me.”
“George, this is hard to sell to management though.”
“I’m sorry, Polly.”

“Thank you for all the support. My team and I really appreciated it. Take care. Goodbye, George.”
“Good luck. Goodbye, Polly.”

Some disappointment

“Good morning, Polly.”
“Good morning, John.”
“Did George take our offer?”
“I’m afraid not.”
“Did we not show that we have the right mentality and use technology in the right way?”
“It was something different.”

The end.

Sharing knowledge about testing and other things on my mind