SSO: set option when someone sees a JITM helping them to discover SSO. #10979
Conversation
Thank you for the great PR description! When this PR is ready for review, please apply the Scheduled Jetpack release: January 10, 2019.
Branch force-pushed from e879b54 to ee7fa63.
Fixes #10692 - At first SSO login, set an option - If that option is true, display an SSO JITM. - Once the SSO JITM has been displayed, set the option to false so it can never be displayed again
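The one-shot flag the commit message describes, as an added PHP sketch that is not Jetpack's own code: the option name, the filter that collects JITM messages and the CTA URL are assumptions, and `jetpack_sso_handle_login` is assumed to be the action fired once per SSO login. The point it adds is why the flag is armed with `add_option()` rather than `update_option()`, so a later login can never re-show a banner that was already consumed.

```php
<?php
// Added illustration of the one-shot JITM flag, not Jetpack's own code.
// Assumptions: the option name, the filter that gathers JITM messages,
// the CTA URL placeholder, and that 'jetpack_sso_handle_login' fires once
// per SSO login with the WP_User as its first argument.
const SSO_JITM_OPTION = 'jetpack_sso_welcome_jitm_pending'; // assumed name

// Step 1: the first SSO login arms the flag. add_option() is a no-op when
// the option already exists, so a login after the JITM was consumed ('0')
// cannot re-arm it; update_option() here would re-show the banner.
function sso_arm_welcome_jitm( $user ) {
    add_option( SSO_JITM_OPTION, '1', '', 'no' );
}
add_action( 'jetpack_sso_handle_login', 'sso_arm_welcome_jitm', 10, 1 );

// Steps 2 and 3: render only while the flag is '1', and consume the flag
// before rendering so a reload or a second tab cannot show it twice.
function sso_maybe_add_welcome_jitm( array $messages ) {
    if ( '1' !== get_option( SSO_JITM_OPTION, '0' ) ) {
        return $messages; // never armed, or already consumed
    }
    update_option( SSO_JITM_OPTION, '0' );
    $messages[] = array(
        'id'      => 'sso-welcome',
        'content' => __( "You've successfully signed in with WordPress.com Secure Sign On!", 'jetpack' ),
        'cta'     => 'https://example.invalid/sso-support', // placeholder: real link pending (see D22220-code)
    );
    return $messages;
}
add_filter( 'jetpack_sso_welcome_jitm_messages', 'sso_maybe_add_welcome_jitm' ); // hypothetical filter
```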
Branch force-pushed from ee7fa63 to 33e809e.
D22373-code. (newly created revision)
JITM shows up correctly, but I have some notes:
- The copy in the banner feels very weird to me. We mention “signed in”, “sign on”, “Logging in”, “log-in”, and “sign in” in just two sentences — this could use some simplification. @michelleweber Could you give us a hand with this copy, please?
You've successfully signed in with WordPress.com Secure Sign On!
Logging in with the same log-in credentials you use for WordPress.com ensures you always sign in to self-hosted WordPress.org sites quickly and securely.
- The "Learn more" button redirects to https://wordpress.com/plans/[site_url].
> You've successfully signed in with WordPress.com Secure Sign On!

A question, though -- I don't understand why we need the second line of text here. If they see this after they log in using SSO, that means that they have enabled SSO. So why do we need to sell them on its benefits if they're already using it?
- Separates JITM building from the function that overwrites existing JITMs.
- Clean up and update comments.
Thanks @michelleweber!! I think the goal is to reinforce the benefit, highlighting the provided value.
With that in mind, I almost preferred the original copy for that second sentence, since it was doing a bit more than just describing the feature; it was listing an additional advantage you would get since you turned that function on.
I don't disagree, @jeherve — the copy just feels very dense and technical to me in addition to very inconsistent with the “sign in/on, log in/-in” language.
Honestly, I'd delete the line entirely and just have the success message. The quasi-promotional tone feels off to me here since the feature is already enabled. At most, I'd do a second line along the lines of "Interested in learning more about how Secure Sign on keeps your site safer?" and linking to the details to make it educational. If it's important to you to keep it, I'd still use the rewritten line, which says the same thing as the original: you get to use the same credentials, it's fast, it's safe. If you prefer the original, that's fine; I'd just shorten the first part of the sentence to the simpler "Signing on with your WP.com credentials..." And be consistent re: sign on vs. sign in.
Tests well! 🐑
I deployed D22220-code to add the link to the SSO support page.
* Add first version of the Changelog and testing list for 6.9 * Changelog: add #10710 * changelog: add #10538 * changelog: add #10741 * changelog: add #10749 * changelog: add #10664 * changelog: add #10224 * changelog: add #10788 * Changelog: add #10560 * Changelog: add #10812 * changelog: add #10556 * Changelog: add #10668 * Changelog: add #10846 * Changelog: add #10947 * Changelog: add #10962 * Changelog: add #10956 * Changelog: add #10940 * Changelog: add #10934 * Changelog: add #10912 * changelog: add #10866 * changelog: add #10924 * Changelog: add #10936 * Changelog: add #10833 * changelog: add #10867 * Changelog: add #10960 * Changelog: add #10888 * changelog: add #10840 * changelog: add #10972 * Changelog: add #10979 * changelog: add #10909 * Changelog: add #10958 * Changelog: add #10981 * Changelog: add #10564 * Changelog: add #10809 * Changelog: add #10982 * Changelog: add #10706 * Changelog: add #10978 * Changelog: add #10132 * Changelog: add #11022 * Changelog: add #11024 * Changelog: add #10875 * Changelog: add #11030 * Changelog: add #11053 * Changelog: add #10880 * Changelog: add #9359 * Changelog: add #11037 * Update block list * Changelog: add #11060 * Changelog: add #10755 * changelog: add #11000 * Changelog: add #10786 * Changelog: add #10945 * Changelog: add #10597
A jitm wasn't exactly what came to mind to address @annezazu's original concern here. I don't fully recall the original concern, but I kind of feel like the right place to reassure someone in using SSO is when they turn on the setting. If they managed to finally log in using it, there seems no value in showing them a message linking them to a support document that explains something they presumably already know. Can we remove this jitm?
@rickybanister your notes from your original P2 post (p6TEKc-2m8-p2, item 5.17):
You can view @annezazu's original suggestion about this in her demo video at 13:26.
Yes, I reread my note from the thread. I'm not sure that the feedback from @annezazu and the root problem are solved by a just-in-time-message after login has happened. When I reviewed this PR (albeit very late) I noticed that the experience is sort of like:
Upon thinking about this further I don't find that flow to be more reassuring. Perhaps there is work we can do in settings to better explain SSO and also on the SSO auth screen (a big lock icon perhaps). We also don't do much of anything to make it easy to activate 2fa, even though we make it easy to require it. Those are areas I feel we could provide more impact and reassurance. I'm reminded of Google's approach to security audits—every six months or so they log you out and after you log back in your session is hijacked and you're forced to reconfirm your personal information and verify certain details to keep your account safe. It feels like a lot, but I feel like they have my back as far as security goes.
I would assume that most site owners actually enable SSO as part of Jumpstart. They consequently don't really know they are enabling it, they are just clicking a button to enable all our recommended features.
Fixes #10692
Changes proposed in this Pull Request:
Testing instructions:
Note that for the CTA link to work, we still need to add the link on WordPress.com (see discussion in D22220-code)
Proposed changelog entry for your changes: