Closed Bug 1636032 Opened 7 months ago Closed 7 months ago

Some users are confused about which password/PIN to enter in the OS re-auth dialog from about:logins

Categories

(Firefox :: about:logins, defect, P1)

Desktop
All
defect

Tracking

VERIFIED FIXED
Firefox 78
Tracking Status
firefox75 --- unaffected
firefox78 --- verified

People

(Reporter: MattN, Assigned: jaws)

Attachments

(1 file)

Some users think it's asking for a Firefox Account (FxA) password and others don't know what PIN Windows is asking for. There aren't that many SUMO complaints yet so it's hard to know how widespread this is from that data alone. It's also possible this issue is more of a problem on Windows since the string is different/better on macOS.

Some SUMO questions: https://support.mozilla.org/en-US/questions/firefox?owner=all&tagged=passwords-os-auth&show=all

We are also seeing that over 25% of users who have been prompted haven't succeeded in authenticating yet.

Current strings for Windows: https://searchfox.org/mozilla-central/rev/dc4560dcaafd79375b9411fdbbaaebb0a59a93ac/browser/locales/en-US/browser/aboutLogins.ftl#111-112,117-118,123-124

# This message can be seen by attempting to edit a login in about:logins
about-logins-edit-login-os-auth-dialog-message = Verify your identity to edit the saved login.
…
# This message can be seen by attempting to reveal a password in about:logins
about-logins-reveal-password-os-auth-dialog-message = Verify your identity to reveal the saved password.
…
# This message can be seen by attempting to copy a password in about:logins
about-logins-copy-password-os-auth-dialog-message = Verify your identity to copy the saved password.

The new strings ideally shouldn't specify that a "password" is required since the default mode of the dialog may be for one of the other Windows Hello authentication methods such as the fingerprint reader, PIN, facial recognition, etc.

Perhaps this is worth uplifting a hard-coded new unlocalized en-US string though I don't know what our locale breakdown is.

(In reply to Matthew N. [:MattN] (PM me if request are blocking you) from comment #0)

Perhaps this is worth uplifting a hard-coded new unlocalized en-US string though I don't know what our locale breakdown is.

I don't see how an explanation in a language you don't understand would make things better, if users fail to understand a localized message (albeit how potentially unclear that might be).

(In reply to Francesco Lodolo [:flod] from comment #1)

(In reply to Matthew N. [:MattN] (PM me if request are blocking you) from comment #0)

Perhaps this is worth uplifting a hard-coded new unlocalized en-US string though I don't know what our locale breakdown is.

I don't see how an explanation in a language you don't understand would make things better, if users fail to understand a localized message (albeit how potentially unclear that might be).

I meant to only improve the string for en-US users since we don't need localizers for that.

Duplicate of this bug: 1636131

A few questions:

  1. Please confirm date when we are trying to land this. Is it soft code freeze May 28?
  2. Are we just changing Windows string at this point? Not MacOS?
  3. Are these the only 3 contexts in which string will show: User is trying to edit, copy, or show a password?
  4. Do we need a single string to accommodate all of these contexts or can we have variations?
  5. What happens once user enters their login? On Chrome, there is an option to select "Okay" but we don't seem to have a confirmation button.
  6. Is asking the user to enter their credentials a requirement from Firefox or from Windows?
Flags: needinfo?(MattN+bmo)

(In reply to Meridel from comment #4)

A few questions:

  1. Please confirm date when we are trying to land this. Is it soft code freeze May 28?

We would like this string ASAP so we can potentially uplift to beta, though we wouldn't get localization on beta. It would only replace the en-US string.

  2. Are we just changing Windows string at this point? Not MacOS?

macOS doesn't allow us to change the string. On macOS we can only provide the "reason" and the operating system inserts this into their string. Therefore, this request is for Windows only.

  3. Are these the only 3 contexts in which string will show: User is trying to edit, copy, or show a password?

Yes

  4. Do we need a single string to accommodate all of these contexts or can we have variations?

We can have variations.

  5. What happens once user enters their login? On Chrome, there is an option to select "Okay" but we don't seem to have a confirmation button.

I'm not sure what you're seeing on Chrome where there is an "Okay" option. This is effectively the same dialog that Chrome users see, albeit with a different description. When a user enters their password, they must hit "OK" to proceed. If they are prompted for their PIN, the prompt will close once they type in the correct PIN and they will not need to hit "OK".

  6. Is asking the user to enter their credentials a requirement from Firefox or from Windows?

This is a requirement from Firefox, using functionality built in to Windows.

Flags: needinfo?(MattN+bmo)

How about this? It will cover all contexts and all Windows log-in types. We should also run this by legal once we are happy with it:

For your security, enter your Windows sign-in to manage your Firefox passwords.

Flags: needinfo?(jaws)

(In reply to Meridel from comment #6)

For your security, enter your Windows sign-in to manage your Firefox passwords.

As a translator, I confess I wouldn't know what "sign-in" stands for. Is that a common reference in English for Windows?

Yes, I am struggling to find a good catch-all term for all of the Windows options (pin, password, facial recognition, etc.). How about:

For your security, enter your Windows login to manage your Firefox passwords.

Is "credentials" or "login credentials" too formal in the context?

For your security, enter your Windows (login) credentials to manage your Firefox passwords.

Thanks, Flod. I thought so initially but I think it does make this clearer. I don't think we need the parentheses.

For your security, enter your Windows login credentials to manage your Firefox passwords.

Do we need to be perfect here? Chrome uses "Google Chrome is trying to show passwords. Type your Windows password to allow this." even when showing the PIN prompt.

I wish we had statistics on the prevalence of PINs but they are not a default setup and we know most users never change their default. Can we trust that users who know how to set a PIN will understand that a PIN will work even when the text asks for a password? Will this more basic text help the users who don't know about PINs more than the "correct" text?

Flags: needinfo?(jaws)

Hey Jared, the goal of the recommendation, and the discussion with Flod, is not to be perfect, but to find the best way to communicate clearly what the user needs to do. In response to users confused by the PIN request, I'm suggesting we use a broader term than "password" here—i.e., login credentials. I am recommending we include the 'why' here (this is for your security) so users (who are showing they are annoyed by this prompt) get an idea of why this check is required. Here is my final recommendation:

To manage your Firefox passwords, enter your Windows login credentials. This helps protect the security of your accounts.

Michael, can you please review the above string? Thank you!

Flags: needinfo?(mfeldman)

Thanks! Note we would like to adjust the string for the various entry points. Are you OK with these tweaks or should we use the same string for all entry points?

  • To view your Firefox password, enter your Windows login credentials. This helps protect the security of your accounts.
  • To copy your Firefox password, enter your Windows login credentials. This helps protect the security of your accounts.
  • To edit your Firefox password, enter your Windows login credentials. This helps protect the security of your accounts.

Note that making "password" singular introduces some confusion of "Firefox Account password vs website password". Would you prefer that we use your original string in all cases?

Flags: needinfo?(mwalkington)

I was trying to make things easier for y'all with one string-fits-all, but if we can be more contextual with multiple strings that's great!

Since the user sees the message when they are in about:logins and right after attempting to access a password, we can remove the "Firefox" mention. Let's go with these:

To view your password, enter your Windows login credentials. This helps protect the security of your accounts.
To copy your password, enter your Windows login credentials. This helps protect the security of your accounts.
To edit your password, enter your Windows login credentials. This helps protect the security of your accounts.
Flags: needinfo?(mwalkington)

Michael, strings updated since I NI-ed you. Can you please review?

To view your password, enter your Windows login credentials. This helps protect the security of your accounts.
To copy your password, enter your Windows login credentials. This helps protect the security of your accounts.
To edit your password, enter your Windows login credentials. This helps protect the security of your accounts.

Note for whatever dev. implements this that the new string ID should be Windows-specific (like the mac one)

Fine with me.

Flags: needinfo?(mfeldman)
Assignee: kcaldwell → jaws

(In reply to Meridel from comment #15)

To edit your password, enter your Windows login credentials. This helps protect the security of your accounts.

Note, I would like to change this one to:
To edit your login, enter your Windows login credentials. This helps protect the security of your accounts.

Since this is shown when the user wants to make an edit to their login, not just their password.

Good catch. That works, thanks. (Apologies—in a work week so I'm moving fast and missed this).

Pushed by jwein@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ded8b9faf516
Update the strings for the OS auth prompt to make it clearer that the requested password is the OS password. r=MattN,fluent-reviewers,flod
Status: ASSIGNED → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 78

(In reply to dickvl from comment #23)

How about Credit Cards ?

Credit Card autofill is disabled by default for everyone. Bug 1624646 is on file to fix the macOS string.

There was recently a question about this on SUMO where a user had enabled autofill

Windows Security "Firefox is trying to use stored credit card information. Confirm access to this windows account below." Why am I getting this recently? | Firefox Support Forum | Mozilla Support
https://support.mozilla.org/en-US/questions/1286399

I have verified this issue and the strings are correctly displayed and updated when trying to show, copy, and edit a password. I have verified this issue using the latest Nightly 78.0a1 (Build ID: 20200510212656) on Windows 10 x64, Windows 8.1 x32 and Windows 7 x64.

However, we still have a scenario where the string is not updated. Since we updated for these 3 scenarios (show/copy/edit password) we should also update the string when a Master Password is created from "about:preferences#privacy" page. I have logged this in Bug 1636909.
Considering this I will mark this issue as verified and will track the string from the Master Password in Bug 1636909.

Status: RESOLVED → VERIFIED
Regressions: 1636820

Comment on attachment 9146877 [details]
Bug 1636032 - Update the strings for the OS auth prompt to make it clearer that the requested password is the OS password.

Revision D74455 was moved to bug 1638908. Setting attachment 9146877 [details] to obsolete.

Attachment #9146877 - Attachment is obsolete: true
Attachment #9146877 - Attachment is obsolete: false