When I did phone support for the fruit company there was a woman who would come back to me time and again with roughly the same issue.

She had some form of extreme palsy, and her kids lived on a different continent.

What she needed, was someone to talk to her as she tried to input her password the 10 or so times it would take her to get it entered correctly.

If she did it herself, she would become unsure that she was using the correct password, and give up because she was second guessing herself.

If she asked a nurse to help, the nurse would need to bail halfway through the process and address some other requirement.

In a separate incarnation, I was helping a 90 year old gentleman, who was providing free legal support for the organisation, to log on to his laptop. We had a 60 day password reset cycle. This gentleman would only attend the office every month. So every other visit required a password reset. He would berate me as he went, like the guy was a massive d bag. But my understanding was that he had chronic arthritis in his hands, so this process was very painful for him.

I think the best workflow would be to use login codes and eschew passwords entirely. Definitely dont have mandatory password resets. I think the initial Passcode enrollment step might rule passcodes out but I have only really dealt with them on the MS side.

That said, you need a really good non password backstop for login codes, because in my experience, elderly people tend to replace phones/numbers/laptops/email addresses quite frequently too. I used to keep a folder in my password vault for my grandmother so I could recover her email/facebook, but not before she ended up with 3 email accounts and facebook pages.

Biometric Authenticator App? IE key recovery / load to a new phone is biometric, but otherwise it just prompts a 6 digit code on login? I think younger generations have a better sense of "I am X, but my email controls Y" where older people are like "I am me, so give me my emails" and something that is unequivocally "Me" like biometrics might be the best way to meet them where they are.

Just my 2 cents.

Reminds me when I had the high-end 2016 fruittruck with the sticky keyboard. All sorts of bizarre shit happens when you can't type your password.

On forced password resets, the NIST guidelines are clear. But alas, this kind of news travel very VERY slowly it seems. Even the large organisations that "care deeply" about security seem to miss the memos. Gets my goat all the time.

Thanks for the real world stories on people who are actually, physically challenged.

I know it is not fully in the scope, but I will describe my case, and I hope that this will give you some ideas and hits. I am working on an application that monitors elderly people in non-intrusive way. Their children install the application on their device and they do nothing with it. It follows the 'install and forget' principle. Don't bother them for anything. No notifications, no need to open it. If opening is needed, it is because they are curious, not because it is needed. All the information/notifications goes to their children. You can think in that direction. Can you make it a desktop application? In that case, you don't need authentication. It is actually simpler for them, because, instead of opening the browser, typing the URL, they just double click the icon. You can make a update mechanism that silently adds new features and bug fixes.

Some control can be added automatically from a server, so that they don't need to do anything.

The main problem here is, when they search for attention. I understand them and being respectful and giving them attention is a good thing, but from software support point of view, this is hard to be minimized.

I help my grandparents out with computer stuff quite a bit, but I live far away, so I usually have to help over the phone. So having an interface that you can easily describe over the phone is pretty important to me.

When I try to sign in to most apps on my TV, it usually displays an code that you can type in on another device so that you don't have to type in a long password using the D-pad on the remote. Could you maybe implement something similar for your website? This way, my grandmother could just call and read me a code, and then I could handle the sign in remotely. As long as you only need to sign in ~once a year, this would be my preferred option.

Not all seniors have trusted friends/family who can help them, but lots do, so making it easier for the helpers will in turn make it easier for the seniors. Plus, there's no phishing risk for the senior with this method, so it's a relatively secure option too. (There is a phishing risk for the helper, but presumably they're the least vulnerable person in this scenario)

Facebook must have optimized for this. Do whatever they do.

And make it so they don't have to log back in frequently.

I think the key for Facebook (and Amazon) are your 2nd point. People login once, and likely never again.

I got my mom, who is in her 70s, a new TV and wanted to sign her into Prime Video. I asked for her Amazon account and she had no idea. I think she said something like, “I don’t have an Amazon account, I never have to login. I don’t even know what it would be.” She has been a Prime member for a decade and hasn’t had to login for so long that she forgot she had an account. It took both me and my sister telling her she must have an account, and listing the reasons why she must have an account, to jog her memory or simply convince her that this was a reality.

This creates a different problem. People forget passwords, lose account info, and when they do need it the recovery is that much harder. Apple Keychain has saved the day with my mom several times.

I was a 1Password user for about 18 years (recently migrated away), and it would ask for your master password every 2 weeks and this is why. If you only have one password, you better remember it. If people only have to login once, they’ll forget. There were a couple times over the years when I drew a blank on what it was and got kind of worried. I also always worried about what would happen if I had some kind of head injury, as I never wanted to actually write that password down anywhere.

> Apple Keychain has saved the day with my mom several times.

iOS fills out these forms, puts the random password in icloud keychain, and then auths with faceid or etc. Obviously doesn't help OS's saas. But tons better than using Buster123 on every website.

Login is probably the number 1 issue I have seen with old people. They generally have a book of passwords where most of them are simple or reused. And if they get logged out it's a nightmare to get back in.

I'd suggest not having a password at all. Either use SMS/Email codes, or Passkeys.

I've spent a lot of time helping my 80 year old neighbor with life tech tasks. I've noticed that she seems to be okay with usernames/passwords as long as they're in her password book.

But the site layout can make entering the credentials near impossible. For example, on the login page of the California DMV https://www.dmv.ca.gov/portal/mydmv , the form submission button is below the fold on her 720p laptop. She has to scroll down the login page to log in. She often asks what she should do next because she can't see the button!

If the password isn't in the book we have to go through the forgot password flow. That's usually fine because her email works, but it's offensive to have to log in again after we've reset the password. It's painful to watch someone type these modern passwords, but it's cruel type it three times in a row: once to enter the new password, a second to confirm it, and then the third to actually log in. I'd much rather have the emailed magic link log me in rather than take me to the password reset page.

I often wish that companies would:

0. not actually require account creation (I can walk up to the DMV counter; why do I need to create a password to do it online?)

1. stick to a simple, well established authentication pattern

2. make the buttons large enough

3. make all of the relevant information visible without scrolling on a 720p laptop (with too many pixels taken up by Chrome's tab bar, Windows' task bar, etc.)

4. not have clickable things to sidetrack us (your survey? chatbot popup? an ad? all nightmares)

Instructions on how to create and use a bookmark can help as far as the domain/getting to log in goes. I know nobody RTFMs but if they've got instructions they can follow for that, they'll only need to read it once (hopefully). Hopefully, that will reduce the level of frustration before they try to log in.

Is your product a simple TODO list? Is it a health diary with loads of sensitive information? Is it for storing nuclear codes? Is this something users typically use on shared computers? On their phones? When you consider whether or not some of the other commenters' suggestions for reducing complexity of authc and potentially account recovery are reasonable, you need to keep that context in mind. It's hard to make decent suggestions without that context, imo.

Check WCAG's recommendations around accessibility. Start with cognitive and vision, and make sure to check out sections around designing and interacting with forms, but make sure to have a browse around broadly.

The UK government's style guides have some thoughtful advice around usability and accessibility. [0][1]

[0]: https://www.gov.uk/guidance/style-guide [1]: https://design-system.service.gov.uk/

My Dad could never build the metal model to understand that common concepts like copy/paste would work almost identically across different native Windows applications; "How do I copy/paste in an email?", "How do I copy/paste in a Word document?", "How do I open a file in Excel?", "How do I open a file in Word?".

The lightbulb just never went on in his head. And this was in the 90s and early 2000s when developers at least used MFC - probably the period of peak UX design.

Things have now gotten so much worse since then. Now, I struggle to remember how to add an attachment in MS Teams, which I use every day.

I like the AAA WCAG recommendation. I'd also recommend from my casual experience listening to lots of old people...

- a large font size by default, and maybe a font size slider on the homepage. Test everything at 200-300% scale as WCAG recommends

- don't change the UI! Or change as little as possible, at least for existing users. Which kinda upturns the whole always-updating nature of web SaaS but I think it can be done

- hire a good designer who can streamline your UX and screens and keep only the bare minimum features

- maybe offer human support? Like a phone number? Probably unreasonable for you tho

Wish I had ideas for simpler login and auth.

Have you found any successful design strategies in your 10 years? Any insights from user testing?

I can relate because my dad is 84 and he really struggles with simple things like entering a password to sign in to Gmail. He forgets what he did last time and so I'm back to explaining how moving his mouse causes the pointy-arrow thing move around on the screen, to get it pointed at the wide rectangle near the middle of the screen, etc. No UI library is going to solve his struggles.

I solved most of the sign-in problem for my dad by picking a simpler browser than Google Chrome, and by tweaking his browser settings to be just-so. That's not going to be much help for you, the website creator...

Maybe allow passkeys for login? These days, passkeys usually get stored/supplied by the underlying OS. (By usually, I mean that's the statistically most common source of the passkey today. They can also come from a browser plugin or a hardware key.)

I worry that passkeys are going to confuse the heck out of less technically sophisticated users the moment they hit an edge cases, and I bet they can find edge cases.

I can't think of any two sites that work the same way once you start using them. It seemed like every service was its own edge case.

My dad is in his 80s. He keeps careful notes on how to use devices like tablets and TVs. There might be a touch of engineer-brain at work here, but the struggle is very real. He generally wouldn't take in all of the text and symbols on a screen if there is a lot of going on, or might get hung up on the wrong parts of it. He generally wouldn't find a modern interface at all "intuitive".

Any change to an interface is going to disrupt this, so one thing would be to change the interface only very rarely and carefully.

I quite like the new trend where you can login just by entering the 2fa on SMS or email. Skip the whole username/password.

I really dislike these "magic links" as a login procedure as you always have to switch between apps instead of just filling login / 2FA with your password manager. SMS is even worse as it's also insecure.

As an additional option, I can see the benefit for people who live in their Gmail app and don't have a password manager.

The other potential issue is the age of the users.

Magic emails might work for general users, but for an 80yo who struggles using a mouse. Teaching them to click on links in emails is probably not the best practise.

Their age also makes them greater targets for social engineering, and asking for an SMS code probably sounds pretty harmless. I’m not sure how secure the original poster’s site needs to be, but I think this would be sketchy.

On iOS, the code from Messages or email is auto populated. But just don’t do email. Too many things can go wrong.

But I do love pass keys.

Apple Mail will also do it.

As with a lot of Apple features...it's great when it works but 10% of the time it doesn't and then it's infuriating.

Often my iMessages arrive on my phone 30 seconds before they arrive on my Mac, so it's quicker to look at the phone notifications and type it in manually than it is to wait for them to arrive and auto-fill to get triggered.

This is a lame complaint but I hate it just because it will by default open the website in a browser session belonging to the email app when you click the magic link. That extra step of finding the menu and telling it to open the signed-in page in the real chrome instance just grinds my UX gears.

Passkeys are even better since you don't have to pull out your phone or switch to email to grab a code. It just logs you in.

Also for old people, its impossible to fall for a phishing page using Passkeys. Unlike auth codes where you can type the code in to a fake login page.

I'm a fan of passkeys because I don't have to store sensitive info. It's just a public key and I don't need identifiable info from the user. That's a super nice option for some niche low stakes software.

Unfortunately that breaks down when someone doesn't set multiple keys as backup and gets locked out. Then you're right back to password/backup code or some kind of recovery to email or phone. Chances are people just store their backup codes as plain text too. They also break down across desktop/mobile, e.g. register on desktop then try to log in on mobile. Not everyone has a good sync solution here, especially the non technical.

Honestly all the solutions have trade offs in UX/security/privacy and dependency on third party services. The best solution is going to be highly dependent on the business.

The sync situation is a bit of a mess but it's getting better. Personally I use 1password and everything is synced everywhere effortlessly. But if you are a windows user without a password manager then you are probably best off just using your phone and the QR code scan flow.

The UX issues of Passkeys can and are being fixed. The issues with passwords are unfixable.

> The UX issues of Passkeys can and are being fixed.

I don't see any solutions to the recovery problem that doesn't introduce another login mechanism. But as a primary method the UX is pretty good for the technically literate.

I have 3 laptops, a PC and a PC at work and 2 phones. Passkeys still confuse me and I'm not 60 yet.

They essentially work automatically without having to understand them. They get synced with your apple and google account or password manager to every device. For a work pc or something you haven't signed in with, Windows and MacOS will show a QR code you scan with your phone and it all just works.

For an old person who basically just uses an iphone and ipad, you can't screw it up and you can't be scammed.

If you log in only by the code or magic link, it's not 2FA because there's only one factor

I wonder about a scheme using public key encryption where a scannable code (public key of the pair) is displayed on the log-in screen, where one has an app on a phone that can match it and send an authorization to the site for login.

Moves the complexity to unlocking a phone and starting an app.

In Denmark the official identification app does basically this. When you to officially verify yourself for e.g. the bank, government sites or whatever you type a “username” (identity string that officially should not be linkable to you but in practice often is). The site then displays a QR code that you scan with phone and then approve with a slider. It is not perfect but it is fairly easy for everybody.

A valuable approach is to aim for AAA WCAG conformance. Obviously it isn't a perfect way to go about it and there are other considerations here, but at level AAA you're more likely than not ensuring an extremely clear and usable interface.

I wonder about a scheme using public key encryption where a scannable code is displayed on the log-in screen, where one has an app on a phone that can match it and send an authorization to the site for login.

Moves the complexity to unlocking a phone and starting an app.

(Same reply as to another comment in this thread)

In Denmark the official identification app does basically this. When you to officially verify yourself for e.g. the bank, government sites or whatever you type a “username” (identity string that officially should not be linkable to you but in practice often is). The site then displays a QR code that you scan with phone and then approve with a slider. It is not perfect but it is fairly easy for everybody.

I assume this scannable code would be a QR code. I still regularly see QR codes throw older people for a loop, even if I know they’ve used them before. Opening the camera app to login is not a natural thing to do.

It also assumes everyone has a smart phone. Maybe this true, but it becomes less true the older someone gets.

Save their auth in local storage (or a bookmarked url) and don’t make them login again once they are setup? And buy an easy to remember domain name for your app.

Put in phone number, get sent an SMS with a code.

I am really interested in the concept of elder/senior citizen technology. The basic design concept for them is answering "what am I looking at?"

I created this tool (https://anftr.com/) for some of my ex-colleagues in their early 50s who were trying to navigate the world of office software. They were struggling with Microsoft Word and Excel, and I have seen them yell at ChatGPT and bash their mouses constantly, hoping the computer will load files faster.

Essentially, you focus on text and video demos. The foundational design concept for elder tech is providing clear instructions and minimizing interactions.

If you want them to sign in, you should not require them to press a button more than two times.

To address things they tend to forget, consider a human custodian or "IT concierge" model, please. The reality is that after a certain age, people really struggle to learn new things and prefer talking to a person for help. Technology has its limitations.

If you are working with users aged 50 to 80, provide them with a phone number and charge a subscription for the service or a one-time payment. It might be borderline exploitative, but I have noticed that elderly individuals want a "solution" rather than a lesson.

You explain how to do something, and if they are eager to learn, they will. You offer them a solution either way. Please do not create a monetization model for this custodian service and keep the charge as low as possible.

The money you receive from this serves purposes: it is designed to help them second guess and try to help themselves. If you do not charge for something, they will just keep asking you questions. When you charge for something, they perceive it to have more value compared to it being free.

Do not prioritize ease of operation that compromises their security.

> It might be borderline exploitative, but I have noticed that elderly individuals want a "solution" rather than a lesson.

Or they may have just aged out of fucks[1]

[1] - https://www.blog.lifebranches.com/p/aging-out-of-fucks-the-n...

In another comment, I mentioned that I was “the guy who knew about computers but was more approachable than the IT guy.” Even the rudest people tended to soften their tone when talking to me. I think when it comes to IT, most people’s default reaction is frustration. Trying to turn that frustration into a lesson can be frustrating at any age.

My approach was always: let me fix it first, then hand over the solution. It’s entirely up to you whether you want to follow up with “how did you fix it?” In my experience, 9 out of 10 people didn’t ask. The 1 out of 10 who did were often just making small talk.

The conversation was usually about how they ended up in that situation and what they wanted to achieve. I fixed they talked mostly to vent. That is part of the process.

In software engineering and professional culture, we often ask, “What have you tried so far?” That can be frustrating. The person you’re helping isn’t someone you have authority over—you either help them or you don’t. This cuts both ways, as they do not have authority on you to have you help them.

My thesis always has been people are generally polite. It’s not about manipulation or being overly conscious of achieving a goal. Impolite people usually are struggling with something internally, so you should pity them.

54yo here. We (GenX) grew up with computers. It’s the Boomers and Silent Generation that have trouble.

I have worked with people in their mid 30s who had an utter disgust for computers. I was “the guy who knew about computers but was more approachable than the IT guy” at a large office. Even though some people hate doing this kind of work, I always enjoyed it. Sometimes, people would hang around my desk first thing in the morning to get help with IT issues.

I made contacts with the executive team when I had to sign them up for their ChatGPT accounts and set up their VPNs (which often just involved pressing a button). They saw a YouTube ad about how a VPN kept them safe, and they paid for a year in advance...

People of all ages can have a hard time dealing with technology. And to be honest, the IT ecosystem has become adversarial. About a decade ago, installing antivirus software would eliminate many risk factors. But these days, with sponsored content and advertisements, there are so many ways people can mess up their systems.

I am also 54 years old, and I've grown up with every single user interface conceivable in a computer or device.

However, though that gives me an advantage in knowledge of how the systems work, I don't think I'm very good at navigating modern user interfaces.

My hypothesis goes like this: the people who are writing graphical user interfaces today are video gamers. They were playing twitch games and first person shooters until they got hired to program a user interface. The people who write them, and the people who use them, think nothing of split second reaction times and hand-eye coordination in order to navigate a user interface.

This is a very very bad approach. You should not need reaction times to navigate a user interface of an app that is used for business or what have you. The web is full of dynamic flows and ever-changing presentation. This is very detrimental to our mental health.

I believe that it's the inconsistent presentation of the interface and the ever-changing buttons and the ever updating methods of interacting that are so detrimental. It can really hurt someone who is on the edge of dementia or mental issues. Even the sanest people must have trouble navigating these things.

Every office program and every social media app has settings and configuration more complex than flying a 747. We should not need a pilot certification just to get through these settings. The settings multiply quite deliberately, so that they confuse and beguile the user and get us to give up! If the settings panel presents 1000 settings then we are far more likely to just leave them alone then try and manage them all. Especially when they are ephemeral and basically change themselves upon every update!

The problem is not with elderly people or with their mental status. It is with the very poor presentation and the video games that now rule our everyday life. Even a point of sale or a public computer kiosk is presenting these issues. There is something very wrong with that.

Yubikey for auth, thats all, no fn user/password needed. Presses it when blinks, and done.

easiest ui is no ui

1. bind user to email

2. allow login via magic link via email, after login the jwt/cookie/whatever should have no expiration date

3. (optional) allow one user to have multiple emails + merging accounts/users (call it backup email to collecr multiple user emails in advance, soft nudging only, not mandatory to use the product!)

4. (optional) offer any other way to login (un+pwd), google oAuth…

It‘s THAT easy.

Email link and 2FA won't work because old people struggle with switching apps.

For people who struggle to understand authentication, surely they have no hope understanding the T&C that they promised every service they had read and understood. The honest thing to do is just not serve these people because they lied on the sign-up form.

But really, stop pretending users have agreed to your T&C when you know almost none of them did more than clicking enough buttons to enable the "I agree" checkbox.

I mean the UX is not having dementia and that's entirely another matter. I hate the idea that if you're old you can't use computers like a normal person.

I've assisted my grandparents with the same UIs many times, it's just harder to learn things the older you are.

For example, there was a service my gradmother used pretty frequently, which required a password change once every 6 months. She memorized the regular login flow, but she always called us for help when the flow broke and asked her to invent a new password, provide the old password, and confirm with an SMS code.

None of it is inherintly complex or difficult, but when you're at that age, and not super tech-savvy to begin with, computers are super confusing.