Closed Bug 856150 Opened 12 years ago Closed 11 years ago

Inform users that their account will be locked for 5 mins after entering the PIN incorrectly too many times


(Marketplace Graveyard :: Payments/Refunds, defect, P3)



(Not tracked)



(Reporter: krupa.mozbugs, Assigned: wraithan)



(Keywords: uiwanted, Whiteboard: p=1)


(2 files)

If the user enters their PIN incorrectly 5 times, we log them out and lock their account for 5 mins. The user needs to relogin using Identity or Reset their PIN.

If the user logs in within the next 5 mins, they are still locked out. We need to convey this information to them so that they can try the purchase later.

A screen which says "You are locked out of your account for 5 mins for your own safety" or some such thing will be useful.

Maureen, would it be easy to adjust the UX mock-ups for this?

Keywords: uiwanted
Priority: -- → P3
Whiteboard: p=1

Ok, here is my solution. I changed the original flow a bit. After the user has entered the pin incorrectly 5 times I show a system error message. When the user clicks "Ok" I take them back to the app details page (no sense in taking them to Persona sign in when they need to chill out for a while). If the user tries to sign in < 5 minutes I show a similar sys error and send them back to app details page. Below are the flows. Let me know if this works and I will fold it into the full pin codes document in this bug:


Your mock says "User tries to purchase app in > 5 minutes" but then talks about the user being locked out still, I think you meant "< 5 minutes".

You assume they want to reset their PIN after logging back in after the lockout duration is up. Is that reasonable? Shouldn't we perhaps give them the option of trying another 5 times or resetting (using the normal PIN entry screen)?

I can implement the flow as it is mocked but I worry about the assumption made.

Changed to < 5 minutes :)

I think we should take them directly to reset their pin as I'm fairly certain this is a best practice with passwords and the like. So please implement as mocked.

(In reply to Maureen Hanratty from comment #4)
> Changed to < 5 minutes :)
> I think we should take them directly to reset their pin as I'm fairly
> certain this is a best practice with passwords and the like. So please
> implement as mocked.

This was discussed in #b2gpay and here is a quick summary:

Dropping users in the reset flow can be confusing if they locked themselves out a month ago and don't remember why we are forcing them to reset their PIN.

Here is the new agreed-upon solution:
i) If the user tries the flow < 5 mins, we show the system error as specified in comment 2

ii) If the user tries the flow > 5 mins, we show them a screen which says something like "Your account has been locked for incorrect PIN entry. You can either Sign in and try again or reset your PIN to proceed" (better copy requested) -- "Reset PIN" and "Sign in". We show this screen immediately after the user clicks purchase or after they Sign in.

I changed the flow slightly from the last comment. Since in either scenario the user must sign in, I propose we take the user directly through the sign in flow when the user clicks "purchase" after 5 minutes. When the user would enter their pin we let them know their pin was locked and ask them if they want to continue or reset their pin. If they choose to reset, the user will not be forced to sign in again.

I have added this new flow to the documents in the meta-bug for UX changes to pin codes:
Assignee: nobody → wraithan
Blocks: 861134
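
The lockout flow agreed in the comments above (5 wrong PINs, a 5-minute lock that survives signing in again, then a continue-or-reset choice once the lock has expired), modeled as an added example that is not part of the bug thread or of the webpay/solitude code. The class, method and screen names are hypothetical, and the clock is injected so the timing can be tested.

```python
import time
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional

MAX_FAILURES = 5        # from the bug: 5 wrong PINs trigger the lock
LOCK_SECONDS = 5 * 60   # from the bug: the lock lasts 5 minutes


class Screen(Enum):
    ENTER_PIN = "enter_pin"                  # normal PIN entry
    LOCKED = "locked_try_later"              # system error, back to app details
    CONTINUE_OR_RESET = "continue_or_reset"  # lock expired: retry or reset PIN


@dataclass
class PinRecord:
    """Hypothetical per-user lockout state. It is stored against the user,
    not the session, so signing in again during the lock does not clear it."""
    clock: Callable[[], float] = time.time
    failures: int = 0
    locked_at: Optional[float] = None
    was_locked: bool = False  # True until the user has been told about the lock

    def screen(self) -> Screen:
        """Which screen to show when the user reaches the PIN step."""
        if self.locked_at is not None:
            if self.clock() - self.locked_at < LOCK_SECONDS:
                return Screen.LOCKED
            # Lock expired: fresh set of attempts, but remember to tell the user.
            self.locked_at, self.failures, self.was_locked = None, 0, True
        return Screen.CONTINUE_OR_RESET if self.was_locked else Screen.ENTER_PIN

    def acknowledge(self) -> None:
        """User picked 'continue' or completed a reset on CONTINUE_OR_RESET."""
        self.was_locked = False

    def submit(self, pin_ok: bool) -> bool:
        """Return True if the PIN is accepted; it is never accepted while locked."""
        if self.screen() is not Screen.ENTER_PIN:
            return False
        if pin_ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_at = self.clock()
        return False
```

A correct PIN submitted during the lock window is rejected without being counted, which is the "still locked out after logging in again" behaviour the bug asks to surface to the user.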

Webpay side of this. Doesn't fix it until I do the solitude side.

Solitude side, completes the backend part of this. Bug 861134 is to make it prettier and work like the mock.

Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → 2013-05-30

It doesn't exactly match mocks (bugs filed for that) but this user message is now in place. See post-fix screenshot.
Attached image post-fix screenshot