From 2acbc5fa16efecfe0f7136be8d877f03baf0384e Mon Sep 17 00:00:00 2001 From: Christian Grothoff Date: Fri, 16 Apr 2021 13:19:41 +0200 Subject: expand Anastasis UI document --- design-documents/006-anastasis-ux.rst | 246 +++++++++++++++++++++++++--------- 1 file changed, 180 insertions(+), 66 deletions(-) diff --git a/design-documents/006-anastasis-ux.rst b/design-documents/006-anastasis-ux.rst index 37444aaf..17839bdb 100644 --- a/design-documents/006-anastasis-ux.rst +++ b/design-documents/006-anastasis-ux.rst @@ -78,13 +78,12 @@ Setup Steps Entry point: Settings --------------------- -The app settings should have a section for Anastasis -using a different more universally understood name -like Wallet Recovery. +The app settings should have a section for Anastasis using a different more +universally understood name like Wallet Recovery. -The section should have an option to setup Anastasis initially. -This option should be disabled as long as no backup has been set up. -The section could maybe be integrated into the backup settings. +The section should have an option to setup Anastasis initially. This option +should be disabled as long as no backup has been set up. The section could +maybe be integrated into the backup settings. .. image:: https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/menu.png :width: 800 @@ -96,53 +95,46 @@ The section could maybe be integrated into the backup settings. Providing Identification ------------------------ -Instead of a forgettable freely chosen user name, -Anastasis collects various static information from the user -to generate a unique user identifier from that. -Examples for such identifier would be a concatenation -of the full name of the user and their social security or passport number(s). - -The information that can reasonably used here various from cultural context and jurisdiction. -Therefore, one idea is to start by asking for continent -and then the country of primary legal residence, -and then continue from there with country-specific attributes -(and also offer a stateless person option). - -Special care should be taken to avoid that information can later be provided ambiguously -thus changing the user identifier and not being able to restore the user's data. -This can be typographic issues like someone providing "Seestr." -and later "Seestrasse" or "Seestraße" or "seestrasse". -But it can also be simple typos that we can only prevent in some instances -like when checking checksums in passport numbers. - -The user should be made aware that this data will not leave the app -and that it is only used to compute a unique identifier that can not be forgotten. - -If possible, we should guide the user in the country selection -by accessing permission-less information such as the currently set language/locale -and the country of the SIM card. -But nothing invasive like the actual GPS location. +Instead of a forgettable freely chosen user name, Anastasis collects various +static information from the user to generate a unique user identifier from +that. Examples for such identifier would be a concatenation of the full name +of the user and their social security or passport number(s). + +The information that can reasonably used here various from cultural context +and jurisdiction. Therefore, one idea is to start by asking for continent and +then the country of primary legal residence, and then continue from there with +country-specific attributes (and also offer a stateless person option). + +Special care should be taken to avoid that information can later be provided +ambiguously thus changing the user identifier and not being able to restore +the user's data. This can be typographic issues like someone providing +"Seestr." and later "Seestrasse" or "Seestraße" or "seestrasse". But it can +also be simple typos that we can only prevent in some instances like when +checking checksums in passport numbers. + +The user should be made aware that this data will not leave the app and that +it is only used to compute a unique identifier that can not be forgotten. + +If possible, we should guide the user in the country selection by accessing +permission-less information such as the currently set language/locale and the +country of the SIM card. But nothing invasive like the actual GPS location. .. image:: https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/userid.png :width: 800 -Select Authentication Methods ------------------------------ +Add Authentication Methods +-------------------------- -After creating a unique identifier, -the user can chose one or more :ref:`anastasis-auth-methods` -supported by Anastasis. +After creating a unique identifier, the user can chose one or more +:ref:`anastasis-auth-methods` supported by Anastasis. -Ideally when selecting a method, -the user is already asked to provide the information -required for the recovery with that method. -For example, a photo of themselves, their phone number or mailing address. +When selecting a method, the user is already asked to provide the information +required for the recovery with that method. For example, a photo of +themselves, their phone number or mailing address. -Using Anastatis providers usually isn't free. -From here on, the UI should show estimated recurring costs (yearly) -and the cost of recovery. -Both costs should get updated with each user action affecting those costs -such as selecting more authentication methods. +The user interface validates that the inputs are well-formed, and refuses +inputs that are clearly invalid. Where possible, it pre-fills the fields with +sane values (phone number, e-mail addresses, country of residence). .. image:: https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/truth.png :width: 800 @@ -155,15 +147,10 @@ such as selecting more authentication methods. Confirm/Change Service Providers -------------------------------- -Taler should propose a mapping of authentication methods to providers -by minimizing cost (tricky: sign-up vs. recovery costs) -and distributing the selected authentication methods across as many providers as possible. - -The user should be able to change the proposed default selection -and add more than one provider to each chosen method. - -It should also be possible to add providers -that are not included in the default list provided by the wallet. +From the dialog where the user is adding authentication methods, the user can +optionally jump to a side-action with list of available providers (and their +status) and possibly add additional providers that are not included in the +default list provided by the wallet. .. image:: https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/policy.png :width: 800 @@ -172,26 +159,36 @@ that are not included in the default list provided by the wallet. .. image:: https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/addpolicymethod.png :width: 800 + Defining Recovery Options ------------------------- -After mapping authentication methods to providers, -the user needs select which combinations are sufficient to recover the secret. -The default could be ``n-1`` out of ``n``. +After mapping authentication methods to providers, the user needs select which +combinations are sufficient to recover the secret. Here, the system +pre-computes a reasonably sane allocation, for small ``n`` the default could +be ``n-1`` out of ``n``. -However, Anastasis recovery policies support more complex recovery options (policies) such as +We should propose a mapping of authentication methods to providers by +minimizing cost (tricky: sign-up vs. recovery costs, different currencies) and +distributing the selected authentication methods across as many providers as +possible. -* video-identification + passphrase -* video-identification + SMS -* SMS + postal mail + passphrase +The user should be able to change the proposed default selection +and add more than one provider to each chosen method. + +Using Anastatis providers usually is not free. From here on, the UI should +show estimated recurring costs (yearly) and the cost of recovery. These costs +should get updated with each user action affecting those costs such as +when the user reconfigures the policies. -when video-identification, passphrase, SMS and postal mail were chosen as authentication methods. Pay for Setup ------------- -As the last step when all information has been properly provided, -the user is asked to pay for the service with the regular wallet payment confirmation screen. +As the last step when all information has been properly provided, the user is +asked to pay for the service with the regular wallet payment confirmation +screen. + Show Service Status After Setup =============================== @@ -201,4 +198,121 @@ TODO Recovery Steps ============== -TODO +.. graphviz:: + + digraph G { + rankdir=LR; + nodesep=0.5; + settings [ + label = "Restore from Backup"; + shape = oval; + ]; + provide_id [ + label = "Provide\nIdentification"; + shape = rectangle; + ]; + select_challenge [ + label = "Select\nAuthentication Challenge"; + shape = rectangle; + ]; + satisfy_challenge [ + label = "Enter\nChallenge Response"; + shape = rectangle; + ]; + pay [ + label = "Confirm Payment"; + shape = oval; + ]; + finished [ + label = "Success"; + shape = rectangle; + ]; + settings -> provide_id; + provide_id -> settings [label="Back"]; + provide_id -> select_challenge; + select_challenge -> provide_id [label="Back"]; + select_challenge -> satisfy_challenge; + select_challenge -> pay; + satisfy_challenge -> pay; + pay -> satisfy_challenge; + satisfy_challenge -> select_challenge; + pay -> finished; + satisfy_challenge -> finished; + } + + +Entry point: Settings +--------------------- + +Like the backup, the recovery option should be available via +the App settings. + +The section should have an option to recover from backup. If a previous +recovery was not completed, the interaction should resume from that previous +checkpoint instead of from the beginning. + + +.. image:: https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/menu.png + :width: 800 +.. image:: https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/settings.png + :width: 800 +.. image:: https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/backupsettings.png + :width: 800 + + +Providing Identification +------------------------ + +The first dialog(s) during recovery should be identical to the first dialog +during backup: the user is asked to select a continent, country of residence +and then to provide country-specific inputs for identification. + +.. image:: https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/userid.png + :width: 800 + +Select Authentication Challenge +------------------------------- + +If Anastasis could recover the recovery document via any provider, it should +show a dialog allowing the user to select one of the open challenges, and +highlight which challenges still need to be satisfied for the various policies. + +Additionally, the specific provider and recovery document version should be shown. +The user should be able to change the provider or recovery document version, +resulting in a switch of the recovery document and policies. If the user has +already satisfied some challenges of the current recovery document, switching to a +different recovery document should only be done after a confirmation pop-up dialog +warning the user that the existing progress will be lost. + +When selecting a challenge, the user may be asked to confirm making a payment +for this challenge if the provider requires payment. + + +Payment +------- + +Typcially, this would be the canonical wallet payment confirmation dialog. + +However, in the case of a security question, the payment confirmation should +be combined with the dialog where the user enters the security answer (so +instead of an ``Ok`` button, text showing the amount due and ``Pay`` should be +used -- except of course if the security question challenge is free of +charge). + + +Enter Challenge Response +------------------------ + +If the challenge was not a security question, the dialog to enter the security +code (PIN/TAN) should open after payment. The security code field should have +a prefix ``A-``. However, the user should be able to enter both only the +numeric code, or the full code with the ``A-`` prefix (or ideally, the user +cannot delete the pre-filled ``A-`` text). + + +Success +------- + +The user is informed about the successful recovery. We may want to do this +as part of a separate screen, or simply with a notification bar in the +main wallet screen. -- cgit v1.2.3