Decrease sign out frequency
Maxaroni
I agree with you, but I also agree with mrq02. Perhaps leave it up to the user as to how often they want to be logged out, almost as Windows does but with sleep mode.
Jeremiah Owyang
I agree with some of the other commenters, please use facial recognition or biometric for rapid sign in.
mrq02
I disagree on this one. I agree that it is a bit inconvenient to have to log in every time I visit the site, but since money is involved, I consider Rally.io to be more like a bank website than, say, Twitter or Facebook. With access to money, I would prefer that the session be short; that way I don't have to worry about someone else who has access to my computer being able to get in and empty my account.
Walt Collins
mrq02: I agree with you. A little paranoia is warranted here, especially considering the sums of money involved. I am willing to put up with the inconvenience of clicking a couple extra buttons to log in again, in order to further safeguard my funds.
Chris Messina
Walt Collins: I think about this differently. Just like with Metamask, if I'm going to complete a risky or high value transaction, I am required to reauthenticate. For basic use — in my case, checking my coin price or recent activity — if I signed in within the last XX days, I should have a warm cookie to allow me that access.
How often do you guys access the site? I was visiting daily but recently my use has declined because of the friction. If you were accessing the site every 2-3 hours and had to sign in every time, would your use stay frequent?
Walt Collins
Chris Messina: yes, I access the site every 2-3 hours and have to sign in every time. But I have a lot at stake in the rally system. I could see that for more casual users it would be a nuisance. Maybe a hybrid system is warranted, where there's a longer authentication timeout for "view" transactions.
Chris Messina
Walt Collins: right, a more sophisticated way of evaluating risky vs less risky transactions and escalating authentication requests would make sense.
I'd also appreciate support for hardware token auth now that browsers support it.
Phil McCluskey
Chris Messina: Stripe has a nice pattern that's similar to this and probably has a similar threat protection profile; you stay signed in, but need to reconfirm your credentials depending on what actions you're taking. If you don't reconfirm then those actions aren't available to you.
Chris Messina
Phil McCluskey: Yep, would be totally satisfied with that approach.
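The hybrid approach discussed above (stay signed in for viewing, reconfirm credentials before risky actions), sketched as an added example that is not Rally.io's or Stripe's code. The action names and both timeout values are assumptions chosen for illustration.

```python
import time

# Assumed policy values (hypothetical; the thread gives no numbers).
SESSION_TTL = 30 * 24 * 3600   # lifetime of the "warm cookie" for low-risk views
STEP_UP_WINDOW = 5 * 60        # how recent a credential check must be for risky actions

# Hypothetical low-risk actions. Everything else is treated as risky.
LOW_RISK = {"view_price", "view_activity"}


class Session:
    def __init__(self, user, now):
        self.user = user
        self.created_at = now     # when the user originally signed in
        self.last_auth_at = now   # when credentials were last confirmed

    def reauthenticate(self, now):
        """Call only after a password or hardware-token check has succeeded."""
        self.last_auth_at = now


def authorize(session, action, now=None):
    """Return 'allow', 'step_up' (reconfirm credentials) or 'login' (no valid session)."""
    now = time.time() if now is None else now
    if session is None or now - session.created_at > SESSION_TTL:
        return "login"
    if action in LOW_RISK:
        return "allow"
    # Fail closed: an action not explicitly listed as low-risk (including
    # unknown ones) needs a credential check inside the step-up window.
    if now - session.last_auth_at <= STEP_UP_WINDOW:
        return "allow"
    return "step_up"


if __name__ == "__main__":
    s = Session("alice", now=0)                       # constructed sample session
    three_hours = 3 * 3600
    print(authorize(s, "view_price", three_hours))    # viewing stays frictionless
    print(authorize(s, "withdraw", three_hours))      # money movement needs reconfirmation
    s.reauthenticate(three_hours)
    print(authorize(s, "withdraw", three_hours + 60))
```

The decision must be enforced server-side on every request; hiding the risky buttons in the UI alone does not protect the account.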
Meta4ickal Komikz
I'm behind this!
Alex Phelps
Agreed!