-
Notifications
You must be signed in to change notification settings - Fork 208
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feat: Sign up verification codes instead of verification links #457
Comments
cc @bbangert and @johngruen for the work you are doing too. I think this could simplify those flows for users who do not already have an account. |
Here's the conversion % after the email is sent, Lockbox codes vs. Links. They appear to be pretty comparable, though I would caution that Lockbox users are probably more competent than the average FxA user (not that I'm biased). @shane-tomlinson |
It's worth noting that Google now uses codes to verify new accounts. It's
become frowned upon to encourage users to click on links delivered by
email. Codes are safer from this POV.
…On Wed, Mar 20, 2019 at 10:54 AM Leif Oines ***@***.***> wrote:
Here's the conversion % after the email is sent, Lockbox codes vs. Links
<https://analytics.amplitude.com/mozilla-corp/chart/dib5asr>. They appear
to be pretty comparable, though I would caution that Lockbox users are
probably more competent than the average FxA user (not that I'm biased).
@shane-tomlinson <https://github.com/shane-tomlinson>
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<https://github.com/mozilla/fxa-auth-server/issues/2981#issuecomment-474867358>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAEKdf2zRF-xxzLdku9_RIxslCiH2AQGks5vYkumgaJpZM4b_EJU>
.
--
Ryan Feeley // Toronto
Staff Designer // FxA & Sync
IRC & Slack: rfeeley
|
I'll also add that this becomes more important as we bring on more non-brower services, because we expect more users to be signing up through a web-based OAuth flow, and need to do everything we can to keep them from diverging off out of that funnel.
We'll also need to consider the password-reset flow in this case. If there's general interest in moving away from links and towards codes for all our emails, I would be very happy to collaborate with someone on a concrete proposal for how to do this on top of TOTP, help with secreview etc. |
Coming from a meeting, SUMO brought up codes and how they would really like that we have this for launch. |
The signin code flow also received positive reviews from Lockbox and Reference Browser teams recently, FWIW.
Which is when? :-) |
May |
Ref https://bugzilla.mozilla.org/show_bug.cgi?id=1543160 for an example of where codes would be superior to links from a safety perspective. |
@shane-tomlinson I tentatively put this for train-137 since it lines up approximately to SUMO's migration to FxA. I'll try to work on a feature doc with @ryanfeeley but ultimately, let's do what we're doing with Lockbox everywhere. Do we have a similar bug open for logins? |
Ref https://bugzilla.mozilla.org/show_bug.cgi?id=1543160 for an example of where codes would be superior to links from a safety perspective. |
So a few more notes on how I see this playing out. When sending a verification email, rather than making a link containing the high-entropy secret key, use it as input to the TOTP algorithm to derive a short-lived secret code. That's the easy bit. When verifying the short-lived code, you need to know how to look up the corresponding high-entropy secret key. This probably means making AFAICT the same technique should work with I've been thinking about this on-and-off and trying to poke holes in the scheme, but it seems like it would all hold together to me. We'd have to get security folks to check it for us as well though :-) |
@ryanfeeley - here are my engineering driven designs. Sync flowOAuth flowPerhaps the "Enter your code" screen should say which service the user is signing into? |
@davismtl @ryanfeeley -- any progress on that feature doc? It would be good to get this in the next sprint or two for Rina. |
Looking pretty great! Some nits:
|
@clouserw Diane has started working on one: |
@irrationalagent / @shane-tomlinson The data shows that links have actually been out-performing codes for login completion. Interestingly, retention of "link" users > "codes" users as well. Retention Analysis Should explore causes behind this to improve code verification experience for the new FxA flow (i.e. UX changes?) |
Quick breakdown of engineering items from https://docs.google.com/document/d/1i003YoL4cchn8fOpA9yb0ntnD-rHhq4zO-WMyX6Y_IE/edit#heading=h.j4ues9d2p7up
|
New related issues after user testing this feat:
Keeping all our resources in one place: |
Closing this here because all of the development parts for sign-up codes have landed. Bugs from QA will be filed as new issues. |
The current signup verification flow requires a user to exit the FxA flow and open a verification link from their email.
This causes several problems:
For Lockbox, we ask users that are signing in to copy a short "confirmation code" from their email into a screen on FxA to ensure that users make it back to FxA to sign in. Perhaps @irrationalagent has some details on signin performance of codes vs links that can help guide prioritization.
@rfk wrote some comments in an email that I'm copying here:
@rfk has also expressed an interest in getting this for Fenix.
cc @davismtl, @ryanfeeley
The text was updated successfully, but these errors were encountered: