I just spent three weeks—mostly weekends, but also waiting days for email responses from customer support—trying to settle my son’s Xbox account. All he wanted to do was play Minecraft on his desktop PC. But neither of us realized just how easy it is to override login credentials[1], nor how difficult it is afterward to get the account reinstated.

My kids got their Apple Watches a year ago; they’re an alternative to smartphones that lets us find the kids in emergencies, a use case that Apple now advertises. But since these watches don’t have dedicated paired smartphones, I had to set them up with my phone. The Apple Watch iOS app does allow for this use case and includes workflows for parent-phone ↔︎ child-watch connections, but it’s literally two dozen steps and 2+ hours of setup: syncing devices; updating OSs and apps (on both sides); logging in to or creating emails and iCloud accounts; confirming identities; linking up family accounts; walking through permissions, parental restrictions and alerts; product tutorials and walkthroughs.

Apple Watches are also designed to save battery, so they often lose connectivity with the phone or are slow to reconnect over LTE. I’ve had to repeat the same setup 3–4× amid random timeouts and disconnections.

We got here because we layered subaccounts on top of accounts, and new security best practices on top of old ones. Altogether, though, it’s a mess of sequential, overlapping procedures that generate friction up front, with no context for users to understand why any of it matters. When kids can be bilked out of their one-time security codes despite the five different options available to protect the account[2], it’s questionable how much difference those options make.

Layered on top of this security apparatus are family accounts. Generally, they’re either spousal accounts for sharing apps and subscriptions, or parental accounts that allow for content management for children under 18. I’m dealing with the latter, and the added complication here reminds me of Identity & Access Management (IAM), something that is so painful in corporate IT that there is an entire category of platforms built to support enterprise use cases.

Parents, though: we’re on our own.

Online security measures are currently in flux. Having spent 30+ years messing with computers, I’ve seen online services start with simple usernames and passwords, and run into the fundamental limitations of that spartan approach. Sites then moved on to obscure(ish) security questions, two-factor authentication schemes, a few forms of biometric authentication (Windows Hello, Face & Touch ID), and now passkey implementations. Or they just email you a login link.

Unless you’ve seen each security measure develop over time, this is overwhelming complexity. Most sites offer all of the above as ways to sign in, I suppose for convenience and backward compatibility, but every extra sign-in path is more attack surface.

Take account signups—something I became intimately familiar with in the course of fixing my son’s Minecraft woes. For the major consumer services—Microsoft Live, Apple iCloud, Google—it’s trivially easy to create new accounts from scratch. But users are hit immediately with a multitude of options: secondary and tertiary emails, password recovery codes, plus biometric options. Microsoft’s account setup process is especially absurd, given that they have an Xbox section separate from their core Microsoft Live profile, but the same account ties back to the Windows OS[3] and its myriad Microsoft services. The UX for account management feels a bit like how ads have proliferated across online publishers, where each feature carves out its own modal/banner/notification, blind to how poorly the overall experience has degraded.

What if, instead, we model online accounts the same way that video games start with tutorial levels? Game designers know that when players start from scratch, they need to learn the how and the why of the game’s systems. So, they design the first level as a gentle introduction, explaining concepts along the way, giving players the opportunity to try it out, and gradually introduce more concepts built on top of the ones learned prior.

An analogous progression for online accounts would solve two fundamental problems: educating the user, and spreading out the cost of configuration as users get acclimated to the service. Maybe let users try out their security codes in a mock interface without immediately logging them out, or just validate their rotating keys, or explain why passkeys are more secure. Getting users on board is the fundamental challenge; complex security without engagement just results in weak security.
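To make the "try out your security codes in a mock interface" idea concrete, here is an added example (my illustration, not code from the post or from any of the vendors it mentions) of what such a practice check looks like next to the real login check. It implements standard TOTP (RFC 6238 over HOTP, RFC 4226, HMAC-SHA1), which is what the rotating six-digit codes in authenticator apps are; the `TotpVerifier`, `practice` and `login` names are made up for this example, and the shared secret is the published RFC 6238 test-vector secret, used here so the expected codes can be checked against the RFC's table. The point the code makes: the practice path tells the user whether their code would work and how far their device clock is off, but it mints no session and consumes nothing, so experimenting cannot lock them out; the real login path additionally refuses to accept the same counter twice, so a code that was phished or shoulder-surfed cannot be replayed once the user has already spent it.

```python
"""Sandbox ("practice") check for TOTP codes next to the real login check.

Added illustration, not code from the post. The class and method names are
made up for this example. Algorithm: HOTP (RFC 4226) / TOTP (RFC 6238) with
HMAC-SHA1, the variant most authenticator apps use.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(for_time) // step, digits)


class TotpVerifier:
    """One user's TOTP secret plus the replay guard that a real login needs."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window      # accept +/- this many steps of clock drift
        self.last_counter = -1    # highest counter consumed by a real login

    def _match(self, code: str, now: float):
        """Return the counter the code matches within the drift window, else None."""
        if len(code) != self.digits or not code.isdigit():
            return None
        base = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = hotp(self.secret, base + delta, self.digits)
            # compare_digest: no early exit that leaks how many digits matched
            if hmac.compare_digest(candidate, code):
                return base + delta
        return None

    def practice(self, code: str, now: float = None) -> dict:
        """Tutorial-mode check: reports whether the code would be accepted and
        how far the device clock is off, but creates no session and consumes
        no counter, so trying it cannot lock the user out."""
        now = time.time() if now is None else now
        counter = self._match(code, now)
        if counter is None:
            return {"ok": False, "hint": "not valid in the current window; check the device clock"}
        drift = (counter - int(now) // self.step) * self.step
        return {"ok": True, "drift_seconds": drift}

    def login(self, code: str, now: float = None) -> bool:
        """Real check: same matching, but each counter is accepted only once,
        so an already-used code cannot be replayed by someone who captured it."""
        now = time.time() if now is None else now
        counter = self._match(code, now)
        if counter is None or counter <= self.last_counter:
            return False
        self.last_counter = counter
        return True


# Constructed demo input: the shared secret from the RFC 6238 test vectors.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = TotpVerifier(RFC_SECRET)
    code = totp(RFC_SECRET, 59)        # RFC 6238 vector: "287082"
    print(v.practice(code, now=59))    # {'ok': True, 'drift_seconds': 0}
    print(v.practice(code, now=70))    # one step behind: drift -30, still ok
    print(v.login(code, now=59))       # True
    print(v.login(code, now=59))       # False: replay of a consumed counter
```

A real deployment would rate-limit both paths (a ±1-step window means three codes are valid at any moment, and an unthrottled practice endpoint is an oracle for guessing them), and would persist `last_counter` per user rather than in memory.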