Product Management Sample Work Presentation
Product Management Sample Work:
Yahoo! User Identity
Andy Wu
1
Agenda
1 Story & Goals
2 User Sign-up
3 User Sign-in
4 User Account Recovery
2
Story & Goals
overview
3
Story – User Identity Lifecycle
Sign-up
Recovery
Alerts
User Profile
Good
Bad
Tablet
PC
Mobile
TV
Abuse Spam
Mail Sports Flickr
Mail Frontpage
Sports Flickr
Finance
Sign-in
4
Goals – Move the Needle
1 Optimal UX – mobile, tablet, desktop
2 Anti-abuse – bots & hackers
3 Partners – AT&T, Sky, Rogers
4 Platform – performance, scalability
5
Architecture
User / Partner access points
PC Web HTML
Mobile Web HTML
Mobile/PC Apps
Services / Libraries
Registration Acct Recovery Login
Data Stores
UDB Sherpa
Customer Care App
Other Services
CAPTCHA
Reg Abuse
Social Dir
Cred Store
GRID
Metrics
OpenID / OAuth
Anti-Phishing Acct Mgmt
Identity Mgmt Acct State Changer
Log Collection & Analysis
6
User Sign-up
UX (User Experience) & KPIs
7
UX: Simplify & Secure Sign-up
User Info: 1. User ID 2. Password 3. Mobile phone 4. Birthday 5. Gender
Abusive Bot? (yes / no)
Abuse Challenge: CAPTCHA (L1-L4) or SMS (L5)
Confirmation: 1. User info 2. FB Connect CTA 3. TW Connect CTA
8
Flows & KPIs: Sign-up
user info
70K (2%)
“Good”
“Bad”
tablet
PC
761K (26%)
abuse?
800K (27%)
445K (15%)
348K (12%)
531K (18%)
693K (44%)
511K (33%)
228K (15%)
19K (1%)
43K (3%)
66K (4%)
1. user info
Pass
Challenge
L1¹
L2
L3
L4
L5²
94%
91%
64%
51%
5%
8%
1. user info 5.9M (100%)
2. pass or challenge 2.9M (50%)
3. done 1.6M (27%)
9
User Sign-up
Mobile UX (Jul 2013)
10
Sign-up – 1, 2.0 of 6
Sign-up – 2.1, 3 of 6
12
Sign-up – 4.0, 4.1 of 6
13
Sign-up – 5, 6 of 6
14
User Sign-up
Mobile Account Upgrade UX (Jul 2013)
15
ID Upgrade – 1, 2 of 4
16
ID Upgrade – 3.0, 3.1 of 4
17
ID Upgrade – 3.2, 3.3 of 4
18
ID Upgrade – 4.0, 4.1 of 4
19
User Sign-up
Desktop UX (Aug 2013)
20
Sign-up – 1.0 of 2
21
Sign-up – 1.1 of 2
22
Sign-up – 2 of 2
23
Sign-up (Jan 2013) – CAPTCHA Flow
24
Sign-up (Jan 2013) – SMS Flow
25
User Sign-up
Anti-abuse against Bots (Dec 2012)
26
Story – Abusive Sign-ups by Bots
27
1
2
3
“cat & mouse” tactics against abusive bots
1.6M daily sign-ups lowest (Feb 2013)
4 2.3M² new Mail users per month remain 1 year later (6% ret.)
5
3.0M daily sign-ups highest (Oct 2012)
a
b
7X ($15 to $100) price increase per 1,000 accts (Jan 2013)
Filter varying abusive signals and change anti-bot challenges
Verify mobile # based on “abuse score”
a 80K³ viable long-term users out of 1.6M daily new accts
Reg Abuse Score System
90% of registration attempts see varying levels of anti-bot challenges
System
• IP address reputation
• Connection latency, bandwidth
• CPU speed
Good
Bad
5%
95%
User
• Time spent on page
• Error rate
• CAPTCHA solve time
Browser
• Browser type and version
• Plug-ins
• Window size
Sign-up Abuse Detection
28
29
Sign-up Trend
Oct 3.0M, Nov 2.5M, Dec 1.7M, Jan 1.9M, Feb 1.6M, Mar 1.7M
Price increased from $15 to $100 per 1,000 Y! accounts
Real-time abuse scoring makes it more costly for abusers to create Y! accts
Price of Y! Account up 7X ($15 to $100)
30
Mail Account Count Monthly
31
[Chart: YUID Count (Millions) by Usage Month, 201101 to 201112]
Only 6% of Mail sign-ups remained active after 12 months
Mail Account Retention Over Time
32
M1 100.0% | M2 18.5% | M3 12.1% | M4 10.1% | M5 8.9% | M6 8.0% | M7 7.5%
M8 7.1% | M9 6.8% | M10 6.5% | M11 6.5% | M12 6.7% | M13 6.2% | M14 5.2%
Mail User Retention Over Time
User Sign-up
ID Reclamation (Jul-Aug 2013) Child Account COPPA (Jul 2013)
33
Summary – ID Reclamation
• Goal: reclaim inactive IDs @sign-up (Aug 7)
  • 1.5 billion inactive IDs based on 12-month inactivity
• 2 joint solutions
  • Increase daily inactive acct deletion (4M to 25+M)
  • On Demand Account Reclamation (ODAR) @sign-up
• Action items
  • Develop ODAR @Sign-Up
  • Qualify “inactive or not” YID
  • Give inactive YIDs to “legit” but not “bot” registration
  • Support properties to handle ASC2 notifications
  • Property to use GUID- or YUID-based data indexing
  • Work with Mail, Mktg, PR, CRM, Legal/Policy on service announcement & campaigns
34
ID Reclamation @Sign-up
35
Create ‘joe1’ ID (GUID2)
Properties
no Choose new ID
no
yes
ID exists?
ID inactive?
yes
ASC1
Delete inactive ID
‘joe1’ (GUID1)
Notify property of inactive ID ‘joe1’ (GUID1)
delete
Abuse? no yes
Choose ‘joe1’
Remove ‘GUID1’
Add ‘GUID2’
Got ‘joe1’
Reclaim ‘joe1’
new functions on Reg
existing functions on Reg
To Dos – Membership
36
Dates Actions
4/17 Email properties of “To Dos”
• Migrate from YID- to GUID-based indexing for property data store
• Adopt Membership ASC listening client
5/15 Tech Talks on Handling YID vs. GUID
5/31 Identify inactive accounts
• Accts with no login in the past 12 months
• Email forwarding treated as “inactive” (premium - $19.99 / yr)
• Update existing “inactive accts” criteria (excl. ‘it’ INTL; Hotjobs)
6/15 Develop “On Demand Account Reclamation”
• API to check “inactive or not” YID for ID selection / suggest
• Anti-abuse to NOT give eligible inactive accts to bot registration
• Test end-to-end flows with selected properties (Mail)
8/7 Open “ODAR” registration to public
To Dos – Properties
37
Dates Actions
5/31 Index data based on GUID or YUID (not YID)
• User data belonging to old YID ‘joe1’ (GUID1) should not be accessible / linked to the new YID ‘joe1’ (GUID2)
Continue doing Handle existing ASC notifications
• Anonymize the deleted YID data – i.e. mask the YID if exposed
• Remove unneeded data for the deleted YID – i.e., Y! Mail data
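Why the properties are asked to index by GUID rather than YID, as an added example (not code from the deck or from Yahoo!): it replays the 'joe1' reclamation against a YID-keyed and a GUID-keyed property store, with and without the deletion notice being delivered. The class names, the `on_account_deleted` callback standing in for an ASC notification, and the stored message are assumptions constructed for illustration.

```python
import uuid


class Membership:
    """Toy registration service mapping each YID to the GUID of its current owner."""

    def __init__(self):
        self.yid_to_guid = {}
        self.listeners = []  # property callbacks, standing in for ASC notifications

    def register(self, yid):
        if yid in self.yid_to_guid:
            raise ValueError(f"{yid!r} is taken")
        guid = uuid.uuid4().hex  # fresh GUID per registration, even for a reused YID
        self.yid_to_guid[yid] = guid
        return guid

    def reclaim(self, yid, deliver_notification=True):
        """Delete an inactive account and free its YID for the next sign-up."""
        old_guid = self.yid_to_guid.pop(yid)
        if deliver_notification:
            for notify in self.listeners:
                notify(yid, old_guid)
        return old_guid


class YidIndexedStore:
    """Property data keyed by YID: safe only if every deletion notice is processed."""

    def __init__(self):
        self.rows = {}

    def put(self, yid, guid, item):
        self.rows.setdefault(yid, []).append(item)

    def get(self, yid, guid):
        return list(self.rows.get(yid, []))

    def on_account_deleted(self, yid, guid):
        self.rows.pop(yid, None)


class GuidIndexedStore:
    """Property data keyed by GUID: a reused YID never resolves to the old owner's rows."""

    def __init__(self):
        self.rows = {}

    def put(self, yid, guid, item):
        self.rows.setdefault(guid, []).append(item)

    def get(self, yid, guid):
        return list(self.rows.get(guid, []))

    def on_account_deleted(self, yid, guid):
        # Still worth handling: a missed notice leaves orphaned rows, but not exposed ones.
        self.rows.pop(guid, None)


def reclaim_and_read(store, deliver_notification):
    """Register 'joe1', store data, reclaim the YID, re-register it, read as the new owner."""
    membership = Membership()
    membership.listeners.append(store.on_account_deleted)
    guid1 = membership.register("joe1")
    store.put("joe1", guid1, "GUID1 private message")  # constructed sample data
    membership.reclaim("joe1", deliver_notification)
    guid2 = membership.register("joe1")
    assert guid1 != guid2
    return store.get("joe1", guid2)


if __name__ == "__main__":
    for store_cls in (YidIndexedStore, GuidIndexedStore):
        for delivered in (True, False):
            seen = reclaim_and_read(store_cls(), delivered)
            print(f"{store_cls.__name__:17} notice delivered={delivered}: new owner sees {seen}")
```

Only the YID-keyed store with a missed notice hands the previous owner's data to the new 'joe1'; the GUID-keyed store stays isolated in both cases.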
Account Segmentation
38
All (UDB) 3,154
Partner 160
Yahoo! 2,994
Non-paid 2,617
Premium¹ 377
Inactive 1,544³
Active 957
To be del² 113
65 AT&T
64 Nokia
15 BT
7 SKY
3.5 Rogers
3 VZ
1 TNZ
1 Frontier
0 MTS
531 Profile
30 Flickr
7 Sports
4 Taobao
4 Locdrop
855 no flag
Inactive IDs based on ID Lengths
39
“Fun” ID Facts
40
1
2
3
4
~334M¹ (93%) @yahoo.com IDs
~18M (5%) @ymail.com IDs
~3.5M (1%) @rocketmail.com IDs
5
275M of 514M³ (53%) IDs (login last 180 days) have email address (16% verified; 37% un-verified)
80M of 355M⁴ (21%) IDs (login last 90 days) have mobile phone
Child Account COPPA Compliance
41
Kid Trap
Parent Email
Kid Login
Parent Login
Parent COPPA Consent or Close Acct
Data Download
parent consent or close acct
Kid Email
parent consent or close acct
Confirmation
parent consent
close acct before 7/1
download data consent
Membership to-dos
Legal / Care to-do
Kid Reg w/ new consent
User Sign-in
Facebook & Google (Jan 2011) FB / Google User Migration (Q4 2013)
42
Flows & KPIs: FB / Google Sign-in
43
FB / G Login CTA
FB / G Login
Y! acct match
1. FB/G auth 1.056M (100%)
2. reg, bind, return 493K (47%)
3. done 412K (39%)
No
FB / G Permissions
Mini Reg
Acct Bind
Mail Homepage
Sports Flickr
Messenger Finance
Yes
Return user?
Yes
No
345K (33%)
1.056M (100%)
493K (47%)
148K (14%)
47K (4.4%)
20K (1.9%)
69K (6.5%)
79K (7.5%)
+68% ->
+25% ->
KPIs: Y vs. FB vs. G Sign-up & Sign-in
44
Properties | New Sign-up Users (Daily): YID | FB | Google | Existing Sign-in Users (Daily): YID | FB | Google
All Props | 628,000 (93%) | 23,000 (3.4%) | 24,000 (3.6%) | 46,299,000 (99.26%) | 218,000 (0.47%) | 128,000 (0.27%)
Flickr | 4,453 (36%) | 3,704 (30%) | 4,363 (35%) | 135,910 (67%) | 24,246 (12%) | 41,733 (21%)
Answers | 8,820 (64%) | 2,794 (20%) | 2,116 (15%) | 43,821 (69%) | 9,476 (15%) | 10,008 (16%)
Groups | 4,259 (49%) | 1,696 (20%) | 2,698 (31%) | 82,377 (87%) | 3,337 (4%) | 8,509 (9%)
Sports | 1,035 (66%) | 221 (14%) | 314 (20%) | 78,678 (68%) | 14,973 (13%) | 22,385 (19%)
Finance | 396 (72%) | 47 (8%) | 111 (20%) | 42,045 (98%) | 294 (<1%) | 734 (<2%)
Frontpage | 345,000 (99%) | 1,150 (<1%) | 1,738 (<1%) | 5,098,000 (99%) | 24,198 (0.5%) | 4,349 (<0.1%)
KPIs: Facebook / Google Sign-in
45
Features All (000) Flickr (000) Mobile (000)
UU clicks FB/G login CTA 1,056 (100%)¹ 96 (100%) 216 (100%)
UU returns from FB/G auth 493 (47%) 79 (82%) 82 (38%)
Existing UU signs in 345 (33%) 66 (69%) 43 (20%)
New UU lands on Mini Reg or Acct Bind 148 (14%) 13 (14%) 38 (18%)
New UU lands on Mini Reg 69 (6.5%) 11 (11.4%) 15 (7%)
New UU completes Mini Reg 47 (4.4%) 8 (8.4%) 12 (5.4%)
New UU lands on Acct Bind 79 (7.5%) 2 (2.1%) 23 (10.7%)
New UU completes Acct Bind 20 (1.9%) 0.7 (0.7%) 6 (3%)
1. (x%) represents, of every 100 users who started, the % remaining at each sequential step
Flickr App’s FB/Google Sign-in
46
FB / G Login & Perms
New or Return? Returning Users
Mini Reg or Bind?
New Users
Mini Reg (BE) Create new hidden ID via API
Binding
Mini Reg
3PA API
3PA API Update
New Users Signed In
UX - FB / Google User Migration
47
FB / G sign-in
CTA
FB / G login
Current Reg
Current Login
Mail FP
Sports Flickr return
user?
Return user
“New” user “Sign-up”
#1
bound to “full” or “hidden”
YID?
“YID Upgrade” choose YID + pwd
“Sign in with YID” or
‘skip for now’ (3 allowed)
hidden YID
full YID
Migration Interstitial –
“Return” vs “New” User
CTAs
New user
“Sign-in” Return user #2
#3a – New User
#3b – New User
#3c – Return User
#3d – Return User
User Sign-in
Account Hacking (Q2 – Q4 2013)
48
49
1
NY Times, Wall St. J, Washington Post – reporters / employees (Feb ‘13)
Twitter – 250,000 accts (Feb ‘13)
3
2
LinkedIn – 6,500,000 accts (Jun ‘12)
Facebook, GMail, Hotmail, Yahoo! – frequent user reports & anecdotes
5
4 FB, Apple, MSFT – employee laptops hacked via “water hole” phishing @iphonedevsdk.com (Feb ‘13)
No One is Un-Hackable
50
Mobile / PC Web Login
Hacker
Steal cookies or passwords
Malware (pwd)
Brute Force (pwd)
XSS (cookie)
Phishing (pwd)
Apps Login
Got "them" Spam
My friends complain spam from me?
Mail POP/IMAP/SMTP
Biggest “Hole” No 2LC for non-web apps
Smaller “hole” needs to be plugged too
Mass Breach (pwd)
Hacking & Spam – How?
51
1 Stolen ID & password (bigger issue)
  a Vast % of accts hacked via stolen password - malware, third-party compromise, brute force, phishing
  b Close loop holes – login API & Mail POP/IMAP/SMTP
2 Stolen login cookies (uncommon)
  a XSS exploits receive media attention but contribute to a smaller % of accounts hacked
  b Prevent cookies stolen via XSS by issuing “httponly” login cookies (T & F)
Story – ID Hacking
Account Hacking (Q1 Q2-Q4 2013)
52
Stolen password (bigger issue)
Stolen cookie (smaller issue)
• 423K¹ acct traps set daily for password reset
• Web login is protected by 2nd login challenge
• Login API (incl. mobile) is the “loophole” where hackers are coming in
• Login cha. API + mobile – 4/30 & 5/15
• Mail POP/IMAP/SMTP - 5/27
• Trap for partner hacked accts - Apr
• Bcrypt encryption – Jul
• App specific password - Sep
• 2-factor auth mobile app – Nov
• Real-time “ML” detection – Nov
• XSS exploits receive media attention but result in smaller % of accts compromised
• httponly flag in T / F cookies - 3/25
53
User to opt into 2nd Login Challenge
Login Alert Email
54
[Chart: identified hacked IDs over time, axis 0 to 1,800,000]
1.7M+ compromised by “Russian” hack
Mail anti-spam detection update caught more
# of Identified Hacked IDs
55
[Charts: “All trapped” (axis 0 to 450,000) and “Cleared Rate” (axis 0% to 90%), monthly, Jun to Mar]
Avg Monthly Traps for Hacked IDs
Trap for Y! Acct Compromised
56
Trap for Partner Acct Compromised
57
User Sign-in
2nd Login Challenge UX (Q2-Q3 2013)
58
2nd Login Challenge (SMS) – 1, 2 of 6
59
2nd Login Challenge (SMS) – 3, 4.0 of 6
60
2nd Login Challenge (SMS) – 4.1, 5.0 of 6
61
2nd Login Challenge (SMS) – 5.2, 6 of 6
62
2nd Login Challenge (email) – 1, 2 of 6
63
2nd Login Challenge (email) – 3, 4 of 6
64
2nd Login Challenge (email) – 5, 6 of 6
65
2nd Login Challenge (Security Q) – 3.0, 3.1 of 4
66
Account Recovery
Flows, KPIs & UX
67
68
ID + CAPTCHA
tablet
PC method
?
2 security questions | 244K (58%) | 112K (50%) | 46%
alt email address | 114K (27%) | 83K (37%) | 73%
mobile phone | 36K (9%) | 28K (12%) | 78%
birthday, country, ZIP | 24K (6%) | 1.6K (1%) | 7%
1. id+CAPTCHA 538K (100%)
2. recovery methods 417K (78%)
3. done 225K (42%)
Flow & KPIs: Account Recovery
Acct Recovery (SMS) – 1, 2.0 of 6
69
Acct Recovery (SMS) – 2.1, 3 of 6
70
Acct Recovery (SMS) – 4.1, 4.2 of 6
71
Acct Recovery (SMS) – 4.3, 5.0 of 6
72
Acct Recovery (SMS) – 5.1, 6 of 6
73
Acct Recovery (security Qs)
74
Acct Recovery (AEA)
75
Q2 Goals
Executive Planning
76
77
Roadmap Goals | GA | Decisions Needed
Single Sign On (SSO) - Sign-In, Sign-Up, Acct Recovery, APIs | Jun ✓ |
• YID Reclamation Launch | Aug | Confirm current decisions
• Simplify Sign-Up | Aug | Birth date/gender; Mobile Sign-Up
• YID Only Sign-In | Nov | FB/Google EOL
• Sign-Up Abuse Mitigation | May | 1 or N accts per mobile #
Mobile 2nd Sign-In Challenge | May | Launch approval
COPPA Compliance | Jul ✓ |
BCrypt Rollout | Jun ✓ |
Goals & Decisions Needed
78
Goal Reclaim inactive IDs @Sign-Up on Jul 1
What?
• 3.1B accounts in UDB (as of 5/7)
• 1.5B inactive accounts eligible for ID reclamation
• Inactivity period reduced from 18 to 12 mos
• Daily deletion from 10M to 50M starting 7/1
• Mail forwarding treated as “inactive” (non-US only)
• Mail forwarding in US available in Mail Plus ($19.99/yr)
Confirm #1
• Send PSA¹ to account’s alternate email address (no mobile SMS)
• User reading PSA in Y! Mail would mean account is active
Confirm #2
• Send PSA to 6 INTLs only – US, CA, AU, NZ, SG, IN
• Per policy, notify impacted INTLs where Mail publicizes deletion policy of “6 mos + 2 mos add’l for each year acct held” (i.e. >3-year old accts)
Confirm #3
• Accounts excluded from inactive deletion
• Exclude broadband accounts (160M)
• Exclude paid accounts – Flickr Pro, Mail Plus, Small Biz, Commerce (377M)
• Exclude Flickr (30M)
Confirm #4
• Continue daily deletion @10M and then to @50M starting Jul 1
ID Reclamation
79
Options #1 Collect @Sign-In Trap #2 Collect @Sign-Up
What?
• Simplify Reg - collect birth date, gender, name @Sign-in N days or Y logins later
• Collect birth date, gender, name @Sign-Up (Mobile & PC)
Pros
• Sign-Up simplified (fewer fields)
• Immediate usage – ad target, personalization, UH(name), Flickr(bd/name), TW eCommerce (bd/name/gender)
• Wide user acceptance
• COPPA¹ upfront & simplified
Cons
• Login hurdle / user annoyance
• Properties² need own asking
• Users <13 special handling
• Potential user drop-off
To-Dos
• New Supp Reg trap
• Mobile Sign-Up re-work
Simplify Sign-up
80
Goal Migrate FB/Google Users to Y! ID Paths
What?
• Direct return users to (1) “Pick a Y! ID/pwd” or (2) “Sign in with Y! ID”
• Direct new users to (1) Y! Sign-up or (2) Y! Sign-in
• Remove FB/Google sign-in CTAs from Sign-Up & Sign-In
To-Dos
• Launch migration paths on Jul 1
• Work with properties (Homerun, GrandSlam) to update in-property “Sign in FB” messaging / CTA
• Work with Mktg / PR for broader messaging
• EOL “Sign in FB/Google” CTAs
Confirmation
• Start Jul 1
• EOL Oct 31 (4 months)
YID Only Sign-in
81
Options #1 Migration Optional #2 Migration Mandatory
What?
• Continual support for existing @ymail, @rocketmail, @y7mail, @kimo users
• Migration to @yahoo.com¹ optional
• Migration to @yahoo.com¹ mandatory
• User owns existing & new domains for X months
• EOL “legacy” domains after X
Pros
• Users have choice
• 1 single ID namespace
• Standard @yahoo brand
Cons
• Support for “legacy” domains
• User attrition
• Negative user sentiments
To-Dos
• Build migration flows
• Multi-address support
• Build migration flows
• Multi-address support
• EOL announcement
Status
• Migration pending Mail’s assessment & LOE scope
• 13M @ymail & 5.1M @rocketmail monthly active users (Apr)
Migration of @ymail Domain
Migration Plan - @ymail Domain
82
• 600K DAUs represent 0.6% of 103M Mail DAUs
• $3M / year at stake since each DAU is worth $5
• Current UX proposal
• If same [email protected] available, auto provision ID to user
• If same [email protected] unavailable, prompt user for new ID
• Support @yahoo.com & @ymail.com for 6 months
Users | ymail | rocketmail | total
Active daily | 467,959 | 151,053 | 619,012
Active last 30 days | 13,144,615 | 5,132,821 | 18,277,436
All active accts | 61,252,203 | 37,339,610 | 98,591,813
83
Options #1 “1-to-1” Link #2 “1-to-N” Link
What?
• Allow same mobile # to be linked to 1 account
• Allow same mobile # to be linked to N accounts
• N = 3 (recommended)
Pros
• Reduce abusive registration
• Enforce 1 acct per user identity policy (Facebook)
• Identify same person owning multiple accounts
• Support multi-accts (Google)
Cons
• Prohibit multi-account policy
• Proliferate YIDs in @yahoo.com namespace
To-Dos
• UX enforced
• Legal/policy update to align
• SAME
Sign-up Anti-Abuse via Mobile #
84
Goal 2nd Login Challenge (2LC) on mobile web
What?
• By default, sign-in from new device AND new country will require user to answer a security question or verify via the mobile phone or alt email on account
• If user opted in feature, challenge would trigger when sign-in from new device alone
To-Dos
• 04/29 Login API supports 2LC
• 05/09 Mail IMAP/POP/SMTP auth migrates to Login API
• 05/15 2LC on mobile web login
• 05/30 2LC in Accts SDK (native UX)
• 05/30+ MEP drives Accts SDK across Daily Dozen apps
• Q3 – drive non-Y! apps (IMAP/POP clients) to handle new API response or accept app-specific pwd
Confirmation
• 05/15 launch on Y! mobile web login (non-native)
• Iterate on mobile web UI to align with native 2LC UI
Mobile 2nd Login Challenge
85
Goal Deploy BCrypt hash for account password (Phase 1)
What?
• UDB access control to ‘PW/PWI’ key for properties (5/15)
• Mail migrates from RegAuth to Login API (5/10)
To-Dos
Apr
• 4/23 to 06/12 (Phase 1) – 150K accounts testing for BCrypt & MD5 and then remove MD5
May
• 05/15 – Tools for BCrypt monitoring and reports
Jun
• 06/17 to 07/31 (Phase 2) – 100% users on BCrypt and then remove MD5
Status
• ✓ On track
• Driving properties to migrate to new UDB access control of ‘PW/PWI’ keys by 5/22 (don’t impact Membership timeline) 5/15
• Jay re-iterated to L2 (email) to comply by 5/15
BCrypt Password Encryption
86
Goal Implement Single Sign On (SSO) for Membership by Jun 30
What?
• New Acct Recovery & Flickr Forgot ID web UX
• New Sign-Up web UX
• New Sign-Up API for native UX implementation
• New Acct Recovery API for native UX implementation
To-Dos
Apr
• 04/22 GA Acct Recovery web UX in Acct SDK (Homerun), Mail iOS
• 04/26 GA Flickr Forgot ID web UX
May
• 05/07 TBD GA Sign-Up web UX (GA deferred pending “birth date/gender”)
• 05/08 Reg API integration ready for MEP implementation
• 05/17 Acct Recovery API integration ready for MEP implementation
• Late May GA Reg API for mobile Reg (native)
Jun
• Early Jun GA Acct Recovery API for mobile Acct Recovery (native)
Status
• ✓ On track
• 5/10 – final design review of Sign-Up & Acct Recovery with Adam
• 5/15 – final product review of Sign-Up & Acct Recovery with Adam
• 5/17 – GA before Flickr’s 5/20 launch
Mobilize Membership UX
Next Steps
• Simplify Sign-Up
  • Collect birth date & gender @Sign-Up vs. @Sign-in trap
  • Enforce 1 mobile # linking to 1 vs. N account(s)
  • Require SMS verification on mobile Sign-Up
  • Set GA for mobile Sign-Up (5/7 was internal GA)
• Yahoo! ID Reclamation on 7/1
• Set FB/Google Sign-In EOL Oct 31
• 2nd Login Challenge UX on mobile web browser
  • Launch on 5/15
  • Align web UI with native UI pending final design by MEP
  • Drive native apps to adopt/deploy 2LC integration
87
Q2 Goals
Executive Status
88
89
Goal (L2) Implement Single Sign On (SSO) for Membership by Jun 30
Goals (L3 & L4)
• Deliver Login API and Credential Mgmt by 4/30
Owners
• Membership (MBR): Shouvick, Andy W
• Mobile & Emerging Products (MEP): Kirk L, Gautam G
Stakeholders
• MEP, Daily Dozen Apps
Dependencies
• MEP to drive its Acct SDK adoption by 22 Daily Dozen apps (11 iOS / 11 Android)
Milestones
Apr
• 04/29 GA (int¹) Login API for SSO, 2nd Login Challenge (2LC), Supp Reg, anti-bot
May
• 05/30: MEP Acct SDK to enable 2LC UX using MBR API
Jun
• early-Jun: MEP Acct SDK to enable SSO UX using MBR API
Status
• MEP implementing 2LC using new Login API
• MEP committed Jun GA to deliver first 2LC & then SSO in its Acct SDK
Challenges
• MEP to define/drive Acct SDK rollout aggressively for “Daily Dozen” apps since only 1 (Homerun) of 22 apps has adopted Acct SDK on 4/22. Mail, Sports, Fantasy, Flickr next.
SSO (1 of 2)
90
Goal (L2) Implement Single Sign On (SSO) for Membership by Jun 30
Goals (L3 & L4)
• Deliver Acct Recovery & Flickr Forgot ID web UX in Apr & API in Jun
• Deliver Sign-Up web UX & API in May
Owners
• MBR: Shouvick, Andy W; MEP: Kirk Lieb, Gautam G
Stakeholders
• MEP, Daily Dozen Apps
Dependencies
• MEP to drive its Acct SDK adoption by 22 Daily Dozen apps (11 iOS / 11 Android)
Milestones
Apr
• 04/22 GA Acct Recovery web UX in Acct SDK (Homerun), Mail iOS
• 04/26 GA Flickr Forgot ID web UX
May
• 05/07 GA (internal) Sign-Up web UX
• 05/08 Reg API integration ready for MEP; GA in late May
• 05/17 Acct Recovery API integration ready for MEP
Jun
• Early Jun - Acct Recovery API GA
Status
• Mobile Sign-Up public GA based on MEP’s Acct SDK update by Homerun
• Will need to collect birth date/gender @Sign-Up or @Supp Reg trap (MM review 5/8)
• Asking MEP to commit GA for native Sign-Up & Acct Recovery UX deliverables (Fri 5/3)
Challenges
• Mobile Sign-Up web UX launch date TBD pending e-staff decision on DoB/gender collection (Wed 5/8)
SSO (2 of 2)
91
Goal (L2) Reclaim inactive IDs on Registration Launch on Jul 1
Goals (L3 & L4)
• Identify eligible inactive accounts by 5/15
• Develop “On Demand Account Reclamation” on Reg by 7/1
Owners
• Membership: Shouvick, Andy Wu
• SWAT: PMM (Rohit & Huong); PR (DJ & Kate); Care (Kieran); Policy (Sarah); CRM (Carolyn, Kurt); Mail (Lovlesh)
Stakeholders
• All properties (Mail), UDB, Mktg, PR, Care, Policy, CRM
Dependencies
• Properties to use GUID/YUID based data indexing (NO YID based indexing)
Milestones
Apr
• Notify properties to use GUID/YUID based data indexing (to-date: no property impact)
May
• 05/03 daily account deletion increase from 4M to 15M (goal: 50M daily)
• 05/08 final inactive accounts crawl (12-months of inactivity, no email forwarding)
Jun
• 05/31 “On Demand Acct Reclamation” @Sign-Up ready for internal E2E testing
• 06/03 – 06/14 Email announcement to inactive accounts to “retain or lose” their YIDs
• 06/03 – 06/30 PR & Mktg phase 1 (yodel blog, media outreach)
Status
• Mktg/PR/Mail/Legal/Policy/CRM/Membership drafting service email, Mail account deactivation policy update, PR campaign phase 1
• ODAR @Sign-Up development in-progress
Challenges
• ✓ On track as of Thu 5/2 SWAT team meeting
ID Reclamation
92
Goal Simplify Registration (PC) with collection of 5 user data
Goals (L3 & L4)
• Simplify Reg with 5 user data collection – ID, pwd, mobile phone, Facebook, Twitter IDs
• Abuse mitigation
Owners
• Membership: Shouvick, Andy Wu
Stakeholders
• Properties, Data/Insights, Ad Targeting, Marketing, Legal, Policy
Dependencies
• e-staff to evaluate the impacts of not collecting birth date and gender
Milestones
Apr
• PRD, UI mocks, Eng design & scope
• 5/2 GA remove @ymail, @rocketmail, @kimo (TW) & @y7mail (AU) email domains
May
• Development of simplified Reg
Jun
• Bucket test collection of Facebook ID as “required” vs. “optional”
• 6/30 launch simplified Reg flow
Status
• UX design & Eng design in-progress
Challenges
• Team to decide collecting birth date/gender @Sign-Up vs. @Sign-in trap wrt (1) Ad Targeting, (2) Analytics Reporting & Segmentation, (3) Personalization, (4) COPPA Compliance
Simplify Sign-up
93
Goal Support YID only auth – migrate FB/Google account users to YID
Goals (L3 & L4)
• Develop PC and mobile migration flows for new & existing FB/Google auth’d users
Owners
• Membership: Shouvick, Andy Wu
Stakeholders
• Homerun, Grand Slam, Flickr, MEP, all current 3PA consuming properties
Dependencies
• Properties (Homerun, Grand Slam, Flickr) to update their own hosted FB/Google sign-in CTAs (incl. contextual messaging to align with Membership’s migration flow) & remove their own hosted FB/Google sign-in CTA at the end of the migration period (Oct 2013)
Milestones
Apr
• PRD, Eng scope
May
• UI mocks, Eng development
Jun
• 6/30 launch FB/Google migration flows
Nov
• EOL FB/Google sign-in
Status
• Advised Flickr on their 5/20 Android launch – route new FB/G users to Reg/Login while continuing to sign in returning FB/G users until MBR migration available
• Provide 3PA & YID Upgrade APIs for native app migration
Challenges
• ✓ On track
Migrate FB / Google Users to YID
94
Goal (L2) Provide 2nd Login Challenge API and UX across Y! apps
Goals (L3 & L4)
• Provide 2nd Login Challenge (2LC) API by 4/30
• Deliver 2nd Login Challenge (2LC) mobile web UX by 5/15
Owners
• MBR: Shouvick, Andy W
• MEP: Kirk L, Gautam G; Mail: Shiv Shankar; Messenger: John Dunning
Stakeholders
• MEP, Mail IMAP/POP, Login API partners (Y! Messenger, RIM)
Dependencies
• MEP/mobile apps, Mail IMAP/POP, client apps to integrate 2LC API or mobile web UX
Milestones
Apr
• 04/29 GA (internal¹) Login API to support 2nd login challenge
May
• 05/09 Mail IMAP/POP/SMTP authentication migrate to Login API
• 05/15 GA mobile 2nd Login Challenge web UX
• 05/24 GA MEP Acct SDK to enable 2LC UX (native) using MBR Login API
Jun
• Drive adoption & rollout of 2LC across Y! apps (MEP, IMAP/POP, Messenger)
Status
• Working with MEP, Mail, & Messenger teams to integrate 2LC within their apps
• MEP committed late May GA on 2LC within its Acct SDK
Challenges
• MEP to drive Daily Dozen apps to deploy MEP’s Acct SDK with 2LC feature (60% Android & 50% iOS)
• Mail IMAP/POP & Messenger to commit GA dates on adopting/deploying 2LC
Mobile 2nd Login Challenge
95
Goal Enforce new COPPA compliance by Jul 1
Goals (L3 & L4)
• Develop COPPA Compliance - child instruction and parental consent trap pages
Owners
• MBR: Shouvick, Andy W
• Trust/Safety: Leslie Dunlap, Megan Cristina
Stakeholders
• Trust/Safety (Leslie D, Megan C), Care, Legal, Privacy
Dependencies
• Trust/Safety to provide child trap instruction, COPPA consent & confirmation text
• Trust/Safety (with Care) to provide “Data Download” online help page
Milestones
Apr
• 04/29 PRD & plan
May
• 05/15 Trust/Safety to email children & parents wrt the new COPPA Compliance
Jun
• 05/31 GA child trap and parental COPPA consent pages
Status
• Dev in-progress
• UED design pending
Challenges
• ✓ On track -- Note 5/31 GA deadline is extremely aggressive
COPPA Compliance
96
Goal (L2) Deploy Phase 1 of Project Fuku (Bcrypt) for Account Password
Goals (L3 & L4)
• Complete BCrypt functionality on Reg, Login, Acct Recovery services
• Deploy Phase 1 rollout across Yahoo! properties
Owners
• Membership: Shouvick, Ram Kordale
Stakeholders
• UDB, Mail, AMT, PSI, and other properties
Dependencies
• UDB to manage access rights to ‘PW/PWI’ key for properties (target GA: 5/15)
• Mail to migrate from RegAuth to Login API (target GA: 5/10) – on track
Milestones
Apr
• 4/23 to 06/12 (Phase 1) – selected users for BCrypt & MD5 and then remove MD5
May
• 05/15 – Tools for BCrypt monitoring and reports
Jun
• 06/17 to 07/31 (Phase 2) – 100% users on BCrypt and then remove MD5
Status
• Phase 1 WIP - deployed 150K accts to Bcrypt and MD5
• Monitoring and reports scripts deployed - getting daily stats and reports
• Mail asking token login API to ignore SHF trapped accts for IMAP/POP clients
Challenges
• ✓ On track -- Driving properties to migrate to new UDB access rights (of ‘PW/PWI’ keys) by 5/15 is “yellow” – Jay re-iterated to L2 (email) to comply by 5/15.
Bcrypt Password Encryption