When I did phone support for the fruit company there was a woman who would come back to me time and again with roughly the same issue.
She had some form of extreme palsy, and her kids lived on a different continent.
What she needed, was someone to talk to her as she tried to input her password the 10 or so times it would take her to get it entered correctly.
If she did it herself, she would become unsure that she was using the correct password, and give up because she was second guessing herself.
If she asked a nurse to help, the nurse would need to bail halfway through the process and address some other requirement.
In a separate incarnation, I was helping a 90 year old gentleman, who was providing free legal support for the organisation, to log on to his laptop. We had a 60 day password reset cycle. This gentleman would only attend the office every month. So every other visit required a password reset. He would berate me as he went, like the guy was a massive d bag. But my understanding was that he had chronic arthritis in his hands, so this process was very painful for him.
I think the best workflow would be to use login codes and eschew passwords entirely. Definitely dont have mandatory password resets. I think the initial Passcode enrollment step might rule passcodes out but I have only really dealt with them on the MS side.
That said, you need a really good non password backstop for login codes, because in my experience, elderly people tend to replace phones/numbers/laptops/email addresses quite frequently too. I used to keep a folder in my password vault for my grandmother so I could recover her email/facebook, but not before she ended up with 3 email accounts and facebook pages.
Biometric Authenticator App? IE key recovery / load to a new phone is biometric, but otherwise it just prompts a 6 digit code on login? I think younger generations have a better sense of "I am X, but my email controls Y" where older people are like "I am me, so give me my emails" and something that is unequivocally "Me" like biometrics might be the best way to meet them where they are.
On forced password resets, the NIST guidelines are clear. But alas, this kind of news travel very VERY slowly it seems. Even the large organisations that "care deeply" about security seem to miss the memos. Gets my goat all the time.
Thanks for the real world stories on people who are actually, physically challenged.
I help my grandparents out with computer stuff quite a bit, but I live far away, so I usually have to help over the phone. So having an interface that you can easily describe over the phone is pretty important to me.
When I try to sign in to most apps on my TV, it usually displays an code that you can type in on another device so that you don't have to type in a long password using the D-pad on the remote. Could you maybe implement something similar for your website? This way, my grandmother could just call and read me a code, and then I could handle the sign in remotely. As long as you only need to sign in ~once a year, this would be my preferred option.
Not all seniors have trusted friends/family who can help them, but lots do, so making it easier for the helpers will in turn make it easier for the seniors. Plus, there's no phishing risk for the senior with this method, so it's a relatively secure option too. (There is a phishing risk for the helper, but presumably they're the least vulnerable person in this scenario)
I've spent a lot of time helping my 80 year old neighbor with life tech tasks. I've noticed that she seems to be okay with usernames/passwords as long as they're in her password book.
But the site layout can make entering the credentials near impossible. For example, on the login page of the California DMV https://www.dmv.ca.gov/portal/mydmv , the form submission button is below the fold on her 720p laptop. She has to scroll down the login page to log in. She often asks what she should do next because she can't see the button!
If the password isn't in the book we have to go through the forgot password flow. That's usually fine because her email works, but it's offensive to have to log in again after we've reset the password. It's painful to watch someone type these modern passwords, but it's cruel type it three times in a row: once to enter the new password, a second to confirm it, and then the third to actually log in. I'd much rather have the emailed magic link log me in rather than take me to the password reset page.
I often wish that companies would:
0. not actually require account creation (I can walk up to the DMV counter; why do I need to create a password to do it online?)
1. stick to a simple, well established authentication pattern
2. make the buttons large enough
3. make all of the relevant information visible without scrolling on a 720p laptop (with too many pixels taken up by Chrome's tab bar, Windows' task bar, etc.)
4. not have clickable things to sidetrack us (your survey? chatbot popup? an ad? all nightmares)
I think the key for Facebook (and Amazon) are your 2nd point. People login once, and likely never again.
I got my mom, who is in her 70s, a new TV and wanted to sign her into Prime Video. I asked for her Amazon account and she had no idea. I think she said something like, “I don’t have an Amazon account, I never have to login. I don’t even know what it would be.” She has been a Prime member for a decade and hasn’t had to login for so long that she forgot she had an account. It took both me and my sister telling her she must have an account, and listing the reasons why she must have an account, to jog her memory or simply convince her that this was a reality.
This creates a different problem. People forget passwords, lose account info, and when they do need it the recovery is that much harder. Apple Keychain has saved the day with my mom several times.
I was a 1Password user for about 18 years (recently migrated away), and it would ask for your master password every 2 weeks and this is why. If you only have one password, you better remember it. If people only have to login once, they’ll forget. There were a couple times over the years when I drew a blank on what it was and got kind of worried. I also always worried about what would happen if I had some kind of head injury, as I never wanted to actually write that password down anywhere.
Login is probably the number 1 issue I have seen with old people. They generally have a book of passwords where most of them are simple or reused. And if they get logged out it's a nightmare to get back in.
I'd suggest not having a password at all. Either use SMS/Email codes, or Passkeys.
While on that note, same thing with Nextdoor. You do see a lot of older folks accidentally posting stuff there, though, and it’s a good lesson for what not to do also
I can relate because my dad is 84 and he really struggles with simple things like entering a password to sign in to Gmail. He forgets what he did last time and so I'm back to explaining how moving his mouse causes the pointy-arrow thing move around on the screen, to get it pointed at the wide rectangle near the middle of the screen, etc. No UI library is going to solve his struggles.
I solved most of the sign-in problem for my dad by picking a simpler browser than Google Chrome, and by tweaking his browser settings to be just-so. That's not going to be much help for you, the website creator...
Maybe allow passkeys for login? These days, passkeys usually get stored/supplied by the underlying OS. (By usually, I mean that's the statistically most common source of the passkey today. They can also come from a browser plugin or a hardware key.)
I like the AAA WCAG recommendation. I'd also recommend from my casual experience listening to lots of old people...
- a large font size by default, and maybe a font size slider on the homepage. Test everything at 200-300% scale as WCAG recommends
- don't change the UI! Or change as little as possible, at least for existing users. Which kinda upturns the whole always-updating nature of web SaaS but I think it can be done
- hire a good designer who can streamline your UX and screens and keep only the bare minimum features
- maybe offer human support? Like a phone number? Probably unreasonable for you tho
Wish I had ideas for simpler login and auth.
Have you found any successful design strategies in your 10 years? Any insights from user testing?
Instructions on how to create and use a bookmark can help as far as the domain/getting to log in goes. I know nobody RTFMs but if they've got instructions they can follow for that, they'll only need to read it once (hopefully). Hopefully, that will reduce the level of frustration before they try to log in.
Is your product a simple TODO list? Is it a health diary with loads of sensitive information? Is it for storing nuclear codes? Is this something users typically use on shared computers? On their phones? When you consider whether or not some of the other commenters' suggestions for reducing complexity of authc and potentially account recovery are reasonable, you need to keep that context in mind. It's hard to make decent suggestions without that context, imo.
Check WCAG's recommendations around accessibility. Start with cognitive and vision, and make sure to check out sections around designing and interacting with forms, but make sure to have a browse around broadly.
The UK government's style guides have some thoughtful advice around usability and accessibility. [0][1]
I know it is not fully in the scope, but I will describe my case, and I hope that this will give you some ideas and hits.
I am working on an application that monitors elderly people in non-intrusive way. Their children install the application on their device and they do nothing with it. It follows the 'install and forget' principle. Don't bother them for anything. No notifications, no need to open it. If opening is needed, it is because they are curious, not because it is needed. All the information/notifications goes to their children.
You can think in that direction. Can you make it a desktop application? In that case, you don't need authentication. It is actually simpler for them, because, instead of opening the browser, typing the URL, they just double click the icon.
You can make a update mechanism that silently adds new features and bug fixes.
Some control can be added automatically from a server, so that they don't need to do anything.
The main problem here is, when they search for attention. I understand them and being respectful and giving them attention is a good thing, but from software support point of view, this is hard to be minimized.
A valuable approach is to aim for AAA WCAG conformance. Obviously it isn't a perfect way to go about it and there are other considerations here, but at level AAA you're more likely than not ensuring an extremely clear and usable interface.
My Dad could never build the metal model to understand that common concepts like copy/paste would work almost identically across different native Windows applications; "How do I copy/paste in an email?", "How do I copy/paste in a Word document?", "How do I open a file in Excel?", "How do I open a file in Word?".
The lightbulb just never went on in his head. And this was in the 90s and early 2000s when developers at least used MFC - probably the period of peak UX design.
Things have now gotten so much worse since then. Now, I struggle to remember how to add an attachment in MS Teams, which I use every day.
My dad is in his 80s. He keeps careful notes on how to use devices like tablets and TVs. There might be a touch of engineer-brain at work here, but the struggle is very real. He generally wouldn't take in all of the text and symbols on a screen if there is a lot of going on, or might get hung up on the wrong parts of it. He generally wouldn't find a modern interface at all "intuitive".
Any change to an interface is going to disrupt this, so one thing would be to change the interface only very rarely and carefully.
2. allow login via magic link via email, after login the jwt/cookie/whatever should have no expiration date
3. (optional) allow one user to have multiple emails + merging accounts/users (call it backup email to collecr multiple user emails in advance, soft nudging only, not mandatory to use the product!)
4. (optional) offer any other way to login (un+pwd), google oAuth…
I wonder about a scheme using public key encryption where a scannable code (public key of the pair) is displayed on the log-in screen, where one has an app on a phone that can match it and send an authorization to the site for login.
Moves the complexity to unlocking a phone and starting an app.
I wonder about a scheme using public key encryption where a scannable code is displayed on the log-in screen, where one has an app on a phone that can match it and send an authorization to the site for login.
Moves the complexity to unlocking a phone and starting an app.
Make no changes to UI. That's probably the main concern for seniors. In addition to usual accessibility requirements, but those should be implemented by default for everyone.
Save their auth in local storage (or a bookmarked url) and don’t make them login again once they are setup? And buy an easy to remember domain name for your app.
I am really interested in the concept of elder/senior citizen technology. The basic design concept for them is answering "what am I looking at?"
I created this tool (https://anftr.com/) for some of my ex-colleagues in their early 50s who were trying to navigate the world of office software. They were struggling with Microsoft Word and Excel, and I have seen them yell at ChatGPT and bash their mouses constantly, hoping the computer will load files faster.
Essentially, you focus on text and video demos. The foundational design concept for elder tech is providing clear instructions and minimizing interactions.
If you want them to sign in, you should not require them to press a button more than two times.
To address things they tend to forget, consider a human custodian or "IT concierge" model, please. The reality is that after a certain age, people really struggle to learn new things and prefer talking to a person for help. Technology has its limitations.
If you are working with users aged 50 to 80, provide them with a phone number and charge a subscription for the service or a one-time payment. It might be borderline exploitative, but I have noticed that elderly individuals want a "solution" rather than a lesson.
You explain how to do something, and if they are eager to learn, they will. You offer them a solution either way. Please do not create a monetization model for this custodian service and keep the charge as low as possible.
The money you receive from this serves purposes: it is designed to help them second guess and try to help themselves. If you do not charge for something, they will just keep asking you questions. When you charge for something, they perceive it to have more value compared to it being free.
Do not prioritize ease of operation that compromises their security.
Masked passwords were boring when passwords were typically 'goeagles' but now they're 'Justlongenough22!' they're a real barrier to anybody who doesn't type the string multiple times a day.
If you really think that someone staring over the users shoulder is a genuine risk factor than allow people to turn it on, not (if the user is lucky) allow them to turn it off.
For people who struggle to understand authentication, surely they have no hope understanding the T&C that they promised every service they had read and understood. The honest thing to do is just not serve these people because they lied on the sign-up form.
But really, stop pretending users have agreed to your T&C when you know almost none of them did more than clicking enough buttons to enable the "I agree" checkbox.
I mean the UX is not having dementia and that's entirely another matter. I hate the idea that if you're old you can't use computers like a normal person.
60 comments
She had some form of extreme palsy, and her kids lived on a different continent.
What she needed, was someone to talk to her as she tried to input her password the 10 or so times it would take her to get it entered correctly.
If she did it herself, she would become unsure that she was using the correct password, and give up because she was second guessing herself.
If she asked a nurse to help, the nurse would need to bail halfway through the process and address some other requirement.
In a separate incarnation, I was helping a 90 year old gentleman, who was providing free legal support for the organisation, to log on to his laptop. We had a 60 day password reset cycle. This gentleman would only attend the office every month. So every other visit required a password reset. He would berate me as he went, like the guy was a massive d bag. But my understanding was that he had chronic arthritis in his hands, so this process was very painful for him.
I think the best workflow would be to use login codes and eschew passwords entirely. Definitely dont have mandatory password resets. I think the initial Passcode enrollment step might rule passcodes out but I have only really dealt with them on the MS side.
That said, you need a really good non password backstop for login codes, because in my experience, elderly people tend to replace phones/numbers/laptops/email addresses quite frequently too. I used to keep a folder in my password vault for my grandmother so I could recover her email/facebook, but not before she ended up with 3 email accounts and facebook pages.
Biometric Authenticator App? IE key recovery / load to a new phone is biometric, but otherwise it just prompts a 6 digit code on login? I think younger generations have a better sense of "I am X, but my email controls Y" where older people are like "I am me, so give me my emails" and something that is unequivocally "Me" like biometrics might be the best way to meet them where they are.
Just my 2 cents.
Thanks for the real world stories on people who are actually, physically challenged.
When I try to sign in to most apps on my TV, it usually displays an code that you can type in on another device so that you don't have to type in a long password using the D-pad on the remote. Could you maybe implement something similar for your website? This way, my grandmother could just call and read me a code, and then I could handle the sign in remotely. As long as you only need to sign in ~once a year, this would be my preferred option.
Not all seniors have trusted friends/family who can help them, but lots do, so making it easier for the helpers will in turn make it easier for the seniors. Plus, there's no phishing risk for the senior with this method, so it's a relatively secure option too. (There is a phishing risk for the helper, but presumably they're the least vulnerable person in this scenario)
But the site layout can make entering the credentials near impossible. For example, on the login page of the California DMV https://www.dmv.ca.gov/portal/mydmv , the form submission button is below the fold on her 720p laptop. She has to scroll down the login page to log in. She often asks what she should do next because she can't see the button!
If the password isn't in the book we have to go through the forgot password flow. That's usually fine because her email works, but it's offensive to have to log in again after we've reset the password. It's painful to watch someone type these modern passwords, but it's cruel type it three times in a row: once to enter the new password, a second to confirm it, and then the third to actually log in. I'd much rather have the emailed magic link log me in rather than take me to the password reset page.
I often wish that companies would:
0. not actually require account creation (I can walk up to the DMV counter; why do I need to create a password to do it online?)
1. stick to a simple, well established authentication pattern
2. make the buttons large enough
3. make all of the relevant information visible without scrolling on a 720p laptop (with too many pixels taken up by Chrome's tab bar, Windows' task bar, etc.)
4. not have clickable things to sidetrack us (your survey? chatbot popup? an ad? all nightmares)
And make it so they don't have to log back in frequently.
I got my mom, who is in her 70s, a new TV and wanted to sign her into Prime Video. I asked for her Amazon account and she had no idea. I think she said something like, “I don’t have an Amazon account, I never have to login. I don’t even know what it would be.” She has been a Prime member for a decade and hasn’t had to login for so long that she forgot she had an account. It took both me and my sister telling her she must have an account, and listing the reasons why she must have an account, to jog her memory or simply convince her that this was a reality.
This creates a different problem. People forget passwords, lose account info, and when they do need it the recovery is that much harder. Apple Keychain has saved the day with my mom several times.
I was a 1Password user for about 18 years (recently migrated away), and it would ask for your master password every 2 weeks and this is why. If you only have one password, you better remember it. If people only have to login once, they’ll forget. There were a couple times over the years when I drew a blank on what it was and got kind of worried. I also always worried about what would happen if I had some kind of head injury, as I never wanted to actually write that password down anywhere.
I'd suggest not having a password at all. Either use SMS/Email codes, or Passkeys.
I solved most of the sign-in problem for my dad by picking a simpler browser than Google Chrome, and by tweaking his browser settings to be just-so. That's not going to be much help for you, the website creator...
Maybe allow passkeys for login? These days, passkeys usually get stored/supplied by the underlying OS. (By usually, I mean that's the statistically most common source of the passkey today. They can also come from a browser plugin or a hardware key.)
- a large font size by default, and maybe a font size slider on the homepage. Test everything at 200-300% scale as WCAG recommends
- don't change the UI! Or change as little as possible, at least for existing users. Which kinda upturns the whole always-updating nature of web SaaS but I think it can be done
- hire a good designer who can streamline your UX and screens and keep only the bare minimum features
- maybe offer human support? Like a phone number? Probably unreasonable for you tho
Wish I had ideas for simpler login and auth.
Have you found any successful design strategies in your 10 years? Any insights from user testing?
Is your product a simple TODO list? Is it a health diary with loads of sensitive information? Is it for storing nuclear codes? Is this something users typically use on shared computers? On their phones? When you consider whether or not some of the other commenters' suggestions for reducing complexity of authc and potentially account recovery are reasonable, you need to keep that context in mind. It's hard to make decent suggestions without that context, imo.
Check WCAG's recommendations around accessibility. Start with cognitive and vision, and make sure to check out sections around designing and interacting with forms, but make sure to have a browse around broadly.
The UK government's style guides have some thoughtful advice around usability and accessibility. [0][1]
[0]: https://www.gov.uk/guidance/style-guide [1]: https://design-system.service.gov.uk/
Some control can be added automatically from a server, so that they don't need to do anything.
The main problem here is, when they search for attention. I understand them and being respectful and giving them attention is a good thing, but from software support point of view, this is hard to be minimized.
The lightbulb just never went on in his head. And this was in the 90s and early 2000s when developers at least used MFC - probably the period of peak UX design.
Things have now gotten so much worse since then. Now, I struggle to remember how to add an attachment in MS Teams, which I use every day.
Any change to an interface is going to disrupt this, so one thing would be to change the interface only very rarely and carefully.
2. allow login via magic link via email, after login the jwt/cookie/whatever should have no expiration date
3. (optional) allow one user to have multiple emails + merging accounts/users (call it backup email to collecr multiple user emails in advance, soft nudging only, not mandatory to use the product!)
4. (optional) offer any other way to login (un+pwd), google oAuth…
It‘s THAT easy.
Or you can use a phone number, call them, have them enter a numeric code. Just keep in mind that two people may use the same landline.
Or, tell them to write the password down and keep it somewhere safe. That usually works.
Moves the complexity to unlocking a phone and starting an app.
Moves the complexity to unlocking a phone and starting an app.
I’ll show you examples on a call. Here’s my email: Aloke@usepastel.com
I created this tool (https://anftr.com/) for some of my ex-colleagues in their early 50s who were trying to navigate the world of office software. They were struggling with Microsoft Word and Excel, and I have seen them yell at ChatGPT and bash their mouses constantly, hoping the computer will load files faster.
Essentially, you focus on text and video demos. The foundational design concept for elder tech is providing clear instructions and minimizing interactions.
If you want them to sign in, you should not require them to press a button more than two times.
To address things they tend to forget, consider a human custodian or "IT concierge" model, please. The reality is that after a certain age, people really struggle to learn new things and prefer talking to a person for help. Technology has its limitations.
If you are working with users aged 50 to 80, provide them with a phone number and charge a subscription for the service or a one-time payment. It might be borderline exploitative, but I have noticed that elderly individuals want a "solution" rather than a lesson.
You explain how to do something, and if they are eager to learn, they will. You offer them a solution either way. Please do not create a monetization model for this custodian service and keep the charge as low as possible.
The money you receive from this serves purposes: it is designed to help them second guess and try to help themselves. If you do not charge for something, they will just keep asking you questions. When you charge for something, they perceive it to have more value compared to it being free.
Do not prioritize ease of operation that compromises their security.
Masked passwords were boring when passwords were typically 'goeagles' but now they're 'Justlongenough22!' they're a real barrier to anybody who doesn't type the string multiple times a day.
If you really think that someone staring over the users shoulder is a genuine risk factor than allow people to turn it on, not (if the user is lucky) allow them to turn it off.
But really, stop pretending users have agreed to your T&C when you know almost none of them did more than clicking enough buttons to enable the "I agree" checkbox.