Thursday, October 2, 2014

Back to basics 4: Account self management

You can find the "game rules" for this series here.

Today, we're going to jump in with some oracle ideas about account self management.  Note that some of these ideas as well as "testing expectations" could also form "design ideas" as well ...


At my team we have a series of character cards and one of them is as below, "user who needs their account editing" ...

This is a range of functions which allow you to change some of the details of your account.  The bottom line for a company, it really helps if certain very simple functions a user can modify for themselves over ringing a support line for.  It's easier for them, and means you're not wasting money on call centre staff to do basic jobs.

Make it so a customer has to wait 30 minutes on the phone in a queue listening to Cat Stevens because they've forgotten their password, and more than likely the end result is your customer deciding they don't really need your system that badly.

Account Hijacking Danger!

There are some account details which if changed can lead to account hijacking.  This is where if someone uses a machine in at an internet cafe after you and you're still logged in, they could potentially "hijack" your account.  We'll talk a bit about those when we encounter areas where it could be dangerous.

Obviously a lot of the below depend on context of "what service you are delivering" and the level of rigour you need around it.  Lets look at some details you might want to change ...

Changing Name

People change name a lot.  The most obvious one is after marriage when it's tradition the bride change her surname to the groom's.

But there can be other reasons as well - for instance I have to admit not being too in awe of the surname "Talks", as my school life pretty much consisted of every teacher saying at the start of the year, "Michael Talks ... I hope he doesn't".  I thought I had it bad until at University I met a guy called Nicholas Lunt who'd wanted to be a teacher, but decided otherwise "because of what my name rhymes with".

Now if you're Twitter or Facebook or any social media, this should be a fairly easy thing to do.  However I do know some social media make have safeguards - you can't for instance change your name to the name of someone famous like "Kate Middleton", "Arnold Schwarzenegger" or "Donald Trump" without flashing some ID to prove that's really your name.  Facebook also has an issue with the surname "Talks", which it thinks is so rare "it's just a joke".  Meh, thanks.

The difference for this would be if you have an online bank.  For that given the ability for fraud by just changing your name, you'd want some more rigour and a "come in and show proof of name change".

Changing Date of Birth

As far as I know, there is no way you'd ever want to change your date of birth.  Okay maybe you'd want to younger, but there's no legal reason.  If your system offers you to, then this is a bit of a no-no.

Changing Gender

We can get a bit schoolboy giggly about this.  But having experienced the other side of this, and the difficulty of changing gender through friends like Violet, having the world recognise your new gender if different from birth gender is a big deal.  People who do need to be treated with respect and compassion, and not the butt of a joke.

The laws in the UK and NZ recognise the right of people to legally change their gender to that which they associate with, regardless of birth gender, so typically your system needs to as well.

Changing Password (Hijacking Danger)

Yes, it makes sense to change passwords occasionally.  But to avoid the hijack scenario, it's generally good to ask for the old password first to prevent anyone from doing it.  It also makes sense to send an email/text to say the password has changed, just in case you go "wait a minute, I did not change the password on this!".

Changing Email Address / Phone Number (Hijacking Danger)

Your email address and mobile phone number are typically used in "forgotten password" scenarios where you say you've forgotten your password, and a temporary one is emailed to you.  If an unscrupulous party sets the email to one they control, then they're just a set away from hijacking your account.

Hence it makes sense as for password to have this change password protected, but also for there to be a "changed email address" notification sent to the OLD email address.  And similar for the mobile phone number.

Hopefully I don't have to explain why it needs to be the old email address to you - if not, have a good think about it!

Similar logic to this applies to changing your mail address.

Heuristics And Test Ideas

This is the last in a series looking at oracles, heuristics and test ideas.  Our first exercise quite thoroughly set out the details for testing account creation.  The second exercise, regarding logon gave some more room for you to try things out yourself.

This time around, with those examples in your mind, and our expectations above clearly set out, you should be ready to fly this one solo!

Do use the comments below, or find me on Twitter to say how it went.  Hopefully you've found this useful.  We're really good at talking about testing, but sometimes it's useful to have a few fleshed out examples, especially if you're relatively new to testing.  Typically as the work we do is confidential, it's not like we can even "just take what we do home and post online".


  1. As far as Gender is concerned, you have to ask yourself whether your system actually needs to know a user's gender.

    1. Which is a good point indeed! But if it's there, there's good reason to be able to change it.