Chenhao: How to design the "Retrieve user account" feature
Because of the article "Tencent QQ account appeal user experience", a lot of people feel that Tencent's appeal process is world-class and advanced, and asked me to come up with a design for an account-recovery feature. I originally did not want to write it, because you only need to look at other systems, but obviously some people are very lazy, do not think, and do not observe, so I have to write down this popular-science article on common sense.
Before writing, I have to thank the at least 30 Tencent employees who replied under the "Tencent QQ account appeal user experience" post (I STFG'd (Searched The Fucking Google) and saw that the fixed IPs you used post Tencent's job ads on various university forums). I thank you mainly for two points:
1. I am pleased that more than half of you left Gmail addresses instead of qqmail/foxmail ones.
2. You can still reply on this site when working overtime until 11 at night; indeed, as your Pony said, your core competitiveness is very strong, including your astroturfing troops.
OK, let me talk about this design formally. It usually takes three things to get a user's account back: email, security question, mobile phone.
Email, security question, mobile phone
Most systems use email and security questions, which is enough; many systems use the email address directly as the account name (Apple ID, Facebook, Sina Weibo, ...). So even if your password for the system is stolen, the account name cannot be changed, and you can use the email to recover it (note: these systems verify that your email is correct). However, using the email as the account name exposes your email address, making you a victim of spam, and if you are also dumb enough to set your email password and account password to the same value, you are really screwed. So any system that uses email as the account name will not let other people see your registered email; for example, nobody knows the email registered to my Sina Weibo account, and even if someone does, it should be someone trusted (the default visibility of a Sina Weibo account's email address is "people you follow").
Here, Google Mail uses email, security questions and phone. You can use any one of them to retrieve a password. Gmail's nicest user experience is that it prompts you with a hint of the email (the first letter of the account name and the mail domain) and of the phone (the last 3 digits). MSN is similar to Gmail: it also prompts you with your bound email, and you can also use a mobile phone or a trusted PC, or go through customer support, which collects your registration name, birthday, country, security questions, previously used passwords, subject lines of recently sent mail, contacts, etc., or the credit card information you have bound, but no ID card.
Sites that use the mobile phone are generally the relatively high-security ones, such as Taobao, Gmail and so on. Seen this way, using the mobile phone to retrieve passwords is also good. You may forget the security questions you set at registration, you may also forget the password of your bound email, and many Trojans can steal the security answers or email password from your computer, but these Trojans cannot steal your mobile phone (note: in the mobile internet era they may well steal your phone's information, but they still cannot steal your phone number; it cannot be stolen just by changing a password the way an email account can). You will say the phone can be lost, but you have to understand that if you lose your phone you can suspend the number and use your SIM password card or ID card to recover your phone number. In addition, the advantage of using the mobile phone is that my system does not need to collect your real information (such as name, ID card, address, etc.); verification of that real information is left to the mobile operator. In program design we call this "decoupling". Amazon goes through email, and then through the last four digits of a credit card you have used plus the billing postal code; if your email has changed, no problem, call customer service, and they will ask you for the card number and billing address. The advantage of e-commerce is that you have a credit card or bank card to recover the account with. This "decouples" the user's real information to the bank and "couples" to the bank's security policy. Clearly banks and mobile carriers are more secure, and users trust them more. It is best not to collect the user's real information yourself; if it leaks, you will be in trouble (abroad you will be sued).
Here you may ask: if my account password is lost, the thief can log into my account and change my email, change my phone, change my credit card and so on, so isn't that the same? I want to say that email and phone are at the same level as the password: when you change the password you have to enter the old password, so when you change the email or phone you must also confirm through the old email or phone. As for your bank card or credit card number, you cannot even see it (only the last four digits), and that is the anti-theft measure. Of course, people who steal e-commerce accounts will usually use your account to buy things, but then they run into another problem, the bank's review: 1) a bank card goes through the bank's online banking, and the bank's security system will review it for you; 2) credit cards have verification codes and signature verification, and the merchant will also check that the credit card signature is correct.
Some people say the "beauty" of the QQ account appeal process is that it collects as much of your information as possible, so that it is safe, because a password is easy to steal but that much information is not. That is only half the understanding. A truly secure system is one coordinated with the whole of society, rather than one that does everything itself (of course we all know Tencent's DNA is to do everything itself, even the things the FBI and CIA do); doing everything yourself is not secure.
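As an added example (my own code, not from the post or from any of the services it names), here is a small Python model of the recovery rules described above: masked hints like Gmail's, one-time codes sent out of band to the bound email or phone, a card number only ever displayed by its last four digits, and rebinding an email or phone only with confirmation through the old one. The `Account` record, the `Recovery` class and its `outbox` are constructed for this example.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Account:            # constructed sample record; field names are mine
    password: str
    email: str
    phone: str
    card_number: str = ""

def mask_email(email: str) -> str:
    """Hint only: first letter of the account name plus the mail domain."""
    local, domain = email.split("@", 1)
    return local[0] + "*" * (len(local) - 1) + "@" + domain

def mask_phone(phone: str) -> str:
    """Hint only: the last three digits of the bound phone."""
    return "*" * (len(phone) - 3) + phone[-3:]

def mask_card(card: str) -> str:
    """A stored card is displayed by its last four digits, never in full."""
    return "**** " + card[-4:]

class Recovery:           # codes go out of band to the bound channel, never to the session
    def __init__(self, acct: Account):
        self.acct, self.outbox, self.pending = acct, {}, {}

    def start(self, channel: str) -> str:
        """Send a one-time code to the bound email/phone; return only the masked hint."""
        dest = getattr(self.acct, channel)
        code = f"{secrets.randbelow(10**6):06d}"
        self.outbox[dest] = code          # stands in for real mail / SMS delivery
        self.pending[channel] = code
        return mask_email(dest) if channel == "email" else mask_phone(dest)

    def _verify(self, channel: str, code: str) -> bool:
        expected = self.pending.pop(channel, None)   # single use: one attempt per code
        return expected is not None and secrets.compare_digest(expected, code)

    def reset_password(self, channel: str, code: str, new_pw: str) -> bool:
        if not self._verify(channel, code):
            return False
        self.acct.password = new_pw
        return True

    def rebind(self, channel: str, new_value: str, code: str) -> bool:
        """A new email/phone is accepted only with a code from the OLD one, like an old password."""
        if not self._verify(channel, code):
            return False
        setattr(self.acct, channel, new_value)
        return True
```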
Other discussion Q&A
Question one: Is retrieving an account through an appeal unreliable?
It is obviously unreliable, and stupid. It has become a hotbed for malicious people. How foolish is it that others can invalidate a normal person's account just by appealing? (Wasn't my QQ account attacked this way two days ago?)
Question two: Is recovering the account through contacts unreliable?
Not completely reliable, because your QQ will always have strangers who added you, and your email contacts will include some people you do not trust. Those people may be the attacker's sock-puppet accounts. So if you want to go through contacts, do not follow QQ's or MSN's screwed-up practice of letting the user choose them; do it like Facebook, where the system randomly picks people for you to identify.
Question three: Is setting up a trusted contact at registration unreliable?
Seemingly reliable, but personally I feel there is still a problem. Through electronic messages the trustee cannot tell whether it is me or the thief, and the trustee must actually contact the other side. It is like saving numbers in your phone under "Dad" and "Mom": when a malicious person takes your phone, they can blackmail your family, because it directly reveals the relationship between the other person and the victim.
Question four: Is collecting users' real information when recovering the account unreliable?
It depends on the situation. If the user provided this real information at registration, it is reliable; if not, it is very unreliable. Just imagine: when you deposit money at the bank, the bank does not ask you to show your ID card and only asks you to set a password. Then I can use my ID to reset your password. Don't you think that is quite a rip-off?!
Question five: Novice users don't understand email, don't understand security questions, don't understand binding a phone?
Then use patient customer service to teach these novices (see the practices of institutions such as banks): force users to enter passwords of more than 8 characters, mandate a U-Shield (USB key) for large transfers, and raise their ability and awareness of security; when these things become social standards, security will really arrive. Security is a matter for both sides; only when people have security awareness can it be done well, rather than indulging the user. Or, in Henry Ford's words, "If I had asked people what they wanted, they would have said a faster horse", and there would be no cars in the world. QQ should not play a driving role in lowering users' security awareness.
Question six: What was my experience?
I am basically not on QQ; my QQ use is forced on me by friends and classmates. Because last Thursday I wanted to write a little about the user experience of reading things, I went to take a look at QQ and found I could not log in; it said the account had been appealed and asked me to appeal, and I guess this is related to the first article I published about Tencent. The QQ number I registered in 1999 has never had any ID card, address or similar submitted to the system; I did bind a mobile phone, about 5 years ago.
So during the appeal process Tencent said the bound mobile phone had not been verified. I remember once replacing my QQ number with my Hotmail mailbox, but none of this could be used in the appeal. And I felt that Tencent had no way of knowing whether the information I submitted was real, and because I used to help friends register QQ numbers (these friends are what the Tencent employees call novice users), I used some information that looked real but was actually fake, and successfully appealed back the QQ numbers I had registered for other people.
Some netizens said I cannot tell the difference between retrieving a password and an appeal. I want to say here: you clearly bound the mobile phone, but when you send the text message you are told your phone has not been verified. That is a lot of crap.
Then I realized that the QQ appeal process is quite unsafe. As for the details, we also asked Tencent staffer @larry to give us more.
Question seven: What other screwed-up use cases does QQ have?
Two friends mentioned two interesting and rather screwed-up use cases in the replies.
@gqjjqg said a friend of his was maliciously appealed against, and for a period went back and forth with the malicious appellant appealing the QQ number, unresolved for a month. Finally a settlement was reached with the malicious appellant.
@Jack Yang said a friend of his bought a QQ number online, and within a few days it was appealed back (after all, it had been used by someone else), and then they kept selling it; no matter how he appealed it was not returned. Wanting to cry without tears.
Evidently, in the QQ appeal process, security questions and mobile phone binding have all become meaningless.
(If you have more questions, I can continue to update and answer them)
I hope you now understand that Tencent's account appeal process, which looks so impressive, is actually flawed. Of course, I cannot say Tencent is stupid, because they have built such a big business; I can only say they are playing a very big game of chess...