Some users are confused about which password/PIN to enter in the OS re-auth dialog from about:logins
Categories
(Firefox :: about:logins, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox75 | --- | unaffected |
| firefox78 | --- | verified |
People
(Reporter: MattN, Assigned: jaws)
References
()
Details
Attachments
(1 file)
Some users think it's asking for a Firefox Account (FxA) password and others don't know what PIN Windows is asking for. There aren't that many SUMO complaints yet so it's hard to know how widespread this is from that data alone. It's also possible this issue is more of a problem on Windows since the string is different/better on macOS.
Some SUMO questions: https://support.mozilla.org/en-US/questions/firefox?owner=all&tagged=passwords-os-auth&show=all
We are also seeing over 25% of user who have been prompted who haven't succeeded to authenticate yet.
Current strings for Windows: https://searchfox.org/mozilla-central/rev/dc4560dcaafd79375b9411fdbbaaebb0a59a93ac/browser/locales/en-US/browser/aboutLogins.ftl#111-112,117-118,123-124
# This message can be seen by attempting to edit a login in about:logins
about-logins-edit-login-os-auth-dialog-message = Verify your identity to edit the saved login.
…
# This message can be seen by attempting to reveal a password in about:logins
about-logins-reveal-password-os-auth-dialog-message = Verify your identity to reveal the saved password.
…
# This message can be seen by attempting to copy a password in about:logins
about-logins-copy-password-os-auth-dialog-message = Verify your identity to copy the saved password.
The new strings ideally shouldn't specify that a "password" is required since the default mode of the dialog may be for one of the other Windows Hello authentication methods such as the fingerprint reader, PIN, facial recognition, etc.
Perhaps this is worth uplifting a hard-coded new unlocalized en-US string though I don't know what our locale breakdown is.
|
||
Comment 1•4 years ago
•
|
||
(In reply to Matthew N. [:MattN] (PM me if request are blocking you) from comment #0)
Perhaps this is worth uplifting a hard-coded new unlocalized en-US string though I don't know what our locale breakdown is.
I don't see how an explanation in a language you don't understand would make things better, if users fail to understand a localized message (albeit how potentially unclear that might be).
|
Reporter | |
Comment 2•4 years ago
|
||
(In reply to Francesco Lodolo [:flod] from comment #1)
(In reply to Matthew N. [:MattN] (PM me if request are blocking you) from comment #0)
Perhaps this is worth uplifting a hard-coded new unlocalized en-US string though I don't know what our locale breakdown is.
I don't see how an explanation in a language you don't understand would make things better, if users fail to understand a localized message (albeit how potentially unclear that might be).
I meant to only improve the string for en-US users since we don't need localizers for that.
|
||
Comment 4•4 years ago
|
||
A few questions:
- Please confirm date when we are trying to land this. Is it soft code freeze May 28?
- Are we just changing Windows string at this point? Not MacOS?
- Are these the only 3 contexts in which string will show: User is trying to edit, copy, or show a password?
- Do we need a single string to accommodate all of these contexts or can we have variations?
- What happens once user enters their login? On Chrome, there is an option to select "Okay" but we don't seem to have a confirmation button.
- Is asking the user to enter their credentials a requirement from Firefox or from Windows?
|
Assignee | |
Comment 5•4 years ago
•
|
||
(In reply to Meridel from comment #4)
A few questions:
- Please confirm date when we are trying to land this. Is it soft code freeze May 28?
We would like this string ASAP so we can potentially uplift to beta, though we wouldn't get localization on beta. It would only replace the en-US string.
- Are we just changing Windows string at this point? Not MacOS?
macOS doesn't allow us to change the string. On macOS we can only provide the "reason" and the operating system inserts this into their string. Therefore, this request is for Windows only.
- Are these the only 3 contexts in which string will show: User is trying to edit, copy, or show a password?
Yes
- Do we need a single string to accommodate all of these contexts or can we have variations?
We can have variations.
- What happens once user enters their login? On Chrome, there is an option to select "Okay" but we don't seem to have a confirmation button.
I'm not sure what you're seeing on Chrome where there is an "Okay" option. This is effectively the same dialog that Chrome users see, albeit with a different description. When a user enters their password, they must hit "OK" to proceed. If they are prompted for their PIN, the prompt will close once they type in the correct PIN and they will not need to hit "OK".
- Is asking the user to enter their credentials a requirement from Firefox or from Windows?
This is a requirement from Firefox, using functionality built in to Windows.
|
|
||
Comment 6•4 years ago
|
||
How about this? It will cover all contexts and all Windows log-in types. We should also run this by legal once we are happy with it:
For your security, enter your Windows sign-in to manage your Firefox passwords.
|
|
||
Comment 7•4 years ago
|
||
(In reply to Meridel from comment #6)
For your security, enter your Windows sign-in to manage your Firefox passwords.
As a translator, I confess I wouldn't know what "sign-in" stands for. Is that a common reference in English for Windows?
|
|
||
Comment 8•4 years ago
|
||
Yes, I am struggling to find a good catch-all term for all of the Windows options (pin, password, facial recognition, etc.). How about:
For your security, enter your Windows login to manage your Firefox passwords.
|
|
||
Comment 9•4 years ago
|
||
Is "credentials" or "login credentials" too formal in the context?
For your security, enter your Windows (login ) credentials to manage your Firefox passwords.
|
|
||
Comment 10•4 years ago
|
||
Thanks, Flod. I thought so initially but I think it does make this clearer. I don't think we need the parentheses.
For your security, enter your Windows login credentials to manage your Firefox passwords.
|
|
Assignee | |
Comment 11•4 years ago
•
|
||
Do we need to be perfect here? Chrome uses "Google Chrome is trying to show passwords. Type your Windows password to allow this." even when showing the PIN prompt.
I wish we had statistics on the prevalence of PINs but they are not a default setup and we know most users never change their default. Can we trust that users who know how to set a PIN will understand that a PIN will work even when the text asks for a password? Will this more basic text help the users who don't know about PINs more than the "correct" text?
|
|
||
Comment 12•4 years ago
•
|
||
Hey Jared, the goal of the recommendation, and the discussion with Flod, is not to be perfect, but to find the best way to communicate clearly what the user needs to do. In response to users confused by the PIN request, I'm suggesting we use a broader term than "password" here—i.e., login credentials. I am recommending we include the 'why' here (this is for your security) so users (who are showing they are annoyed by this prompt) get an idea of why this check is required. Here is my final recommendation:
To manage your Firefox passwords, enter your Windows login credentials. This helps protect the security of your accounts.
Michael, can you please review the above string? Thank you!
|
|
Assignee | |
Comment 13•4 years ago
|
||
Thanks! Note we would like to adjust the string for the various entry points. Are you OK with these tweaks or should we use the same string for all entry points?
- To view your Firefox password, enter your Windows login credentials. This helps protect the security of your accounts.
- To copy your Firefox password, enter your Windows login credentials. This helps protect the security of your accounts.
- To edit your Firefox password, enter your Windows login credentials. This helps protect the security of your accounts.
Note that making "password" singular introduces some confusion of "Firefox Account password vs website password". Would you prefer that we use your original string in all cases?
|
|
||
Comment 14•4 years ago
|
||
I was trying to make things easier for y'all with one string-fits-all, but if we can be more contextual with multiple strings that's great!
Since the user sees the message when they are in about:logins and right after attempting to access a password, we can remove the "Firefox" mention. Let's go with these:
To view your password, enter your Windows login credentials. This helps protect the security of your accounts.
To copy your password, enter your Windows login credentials. This helps protect the security of your accounts.
To edit your password, enter your Windows login credentials. This helps protect the security of your accounts.
|
|
||
Comment 15•4 years ago
|
||
Michael, strings updated since I NI-ed you. Can you please review?
To view your password, enter your Windows login credentials. This helps protect the security of your accounts.
To copy your password, enter your Windows login credentials. This helps protect the security of your accounts.
To edit your password, enter your Windows login credentials. This helps protect the security of your accounts.
|
|
Reporter | |
Comment 16•4 years ago
|
||
Note for whatever dev. implements this that the new string ID should be Windows-specific (like the mac one)
|
|
Assignee | |
Updated•4 years ago
|
|
|
Assignee | |
Updated•4 years ago
|
|
|
Assignee | |
Comment 18•4 years ago
|
||
(In reply to Meridel from comment #15)
To edit your password, enter your Windows login credentials. This helps protect the security of your accounts.
Note, I would like to change this one to:
To edit your login, enter your Windows login credentials. This helps protect the security of your accounts.
Since this is shown when the user wants to make an edit to their login, not just their password.
|
|
Assignee | |
Comment 19•4 years ago
|
||
|
|
||
Comment 20•4 years ago
|
||
Good catch. That works, thanks. (Apologies—in a work week so I'm moving fast and missed this).
|
||
Comment 21•4 years ago
|
||
Pushed by jwein@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ded8b9faf516 Update the strings for the OS auth prompt to make it clearer that the requested password is the OS password. r=MattN,fluent-reviewers,flod
|
||
Comment 22•4 years ago
|
||
| bugherder | ||
| Comment hidden (off-topic) |
|
|
Reporter | |
Comment 24•4 years ago
|
||
(In reply to dickvl from comment #23)
How about Credit Cards ?
Credit Card autofill is disabled by default for everyone. Bug 1624646 is on file to fix the macOS string.
|
||
Comment 25•4 years ago
|
||
There was recently a question about this on SUMO where a user had enabled autofill
Windows Security "Firefox is trying to use stored credit card information. Confirm access to this windows account below." Why am I getting this recently? | Firefox Support Forum | Mozilla Support
https://support.mozilla.org/en-US/questions/1286399
|
||
Comment 26•4 years ago
|
||
I have verified this issue and the strings are correctly displayed and updated when trying to show, copy, and edit a password. I have verified this issue using the latest Nightly 78.0a1 (Build ID: 20200510212656) on Windows 10 x64, Windows 8.1 x32 and Windows 7 x64.
However, we still have a scenario where the string is not updated. Since we updated for these 3 scenarios (show/copy/edit password) we should also update the string when a Master Password is created from "about:preferences#privacy" page. I have logged this in Bug 1636909.
Considering this I will mark this issue as verified and will track the string from the Master Password in Bug 1636909.
|
||
Comment 27•4 years ago
|
||
Comment on attachment 9146877 [details]
Bug 1636032 - Update the strings for the OS auth prompt to make it clearer that the requested password is the OS password.
Revision D74455 was moved to bug 1638908. Setting attachment 9146877 [details] to obsolete.
|
|
||
Updated•4 years ago
|
|
||
Comment 28•3 years ago
|
||
re : "enter your Windows login credentials."
Please remember whilst you and I may understand what is required there are many out there who do not understand the request due to the lingo used. There needs to be a 'Help' option to explain what is being asked for. I asked a relative what they understood by ' enter your Windows login credentials.' and they had no idea. But if I said to them 'the password you type when you start up the computer,' they understand. Others understand what a 'Computer User Account password' means and others have no User Account nor understand this because never created one as many 'Windows' computer now try to force a 'Microsoft Account' upon new users, so hence they are asked to logon to Microsoft Account when they start up computer.
So, I would ask you to consider a 'Help' tooltip or pop up which offers information in a language and terminology that is not perceived as techo speak or geeky. It needs some simple plain explanation.
Description
•