FxA OKRs for Q3 (was Re: London Planning Recap)
Ryan Kelly
rfkelly at mozilla.com
Tue Jun 21 06:39:40 UTC 2016
Thanks Sean, a great summary!
I want to take the opportunity to highlight a couple of additional
things, and to summarize the items in terms of the Outcomes and Key
Results framework.
We still have a little time left in Q2, and we need to focus on the
following items in order to set ourselves up for success in Q3:
* Shipping and validating the sign-in confirmation feature
* Shipping the first round of UX features to improve password strength
* Completing our work on the KPI metrics dashboards
With those under our belt, here's my attempted summary of the three
important outcomes that we settled in for Q3, and the key results by
which we can measure our success:
1) Ensure parity with industry standard account security measures:
Key Results:
* Ship the following user-facing security features:
* Lock access to an account after many failed login attempts.
* Block IPs that appear on validated third-party blocklists.
* Use email confirmation as a “captcha” to avoid customs blocks.
* Include location information in signin notification emails.
* Avoid sending signin confirmation emails to known IPs.
* 2FA for login prototyped and running in our dev environment.
* Update nodejs and all our direct package dependencies to their
latest stable release versions.
* Get all databases running in strict mode, with proper handling of
high unicode characters.
* Regress the login completion rate no more than 2% as new security
features are shipped.
2) Understand and improve the login flow:
Key Results:
* Build and ship login funnel graphs, showing completion rate and
time taken to complete each step of the login flow.
* Identify the 5 most common causes of failed login flows.
* Reduce median time-to-successful-login by 5%.
3) Prepare for the multi-client future:
Key Results:
* Allow users to view and disconnect all things that have access to
their data through FxA, including devices, mobile apps, and web
services.
* Prototype OAuth-mediated access to sync data, by building a
web-based bookmark viewer.
Did I miss anything critical? (Noting that I rolled the node and db
upgrades into the security outcome because they're highly security driven).
This does indeed seem like a lot of things for a single quarter, but
part of the idea here is very much to challenge ourselves with ambitious
goals rather than setting out things that we know we can 100% complete.
I'm confident we can make a real dent in all three outcomes over the
course of Q3.
Cheers,
Ryan
On 21/06/2016 02:15, Sean McArthur wrote:
> It's always reinvigorating seeing everyone. Thanks to all who could make it!
>
> I wanted to recap what seemed like the priorities we ended with during
> our Friday planning meeting
> <https://docs.google.com/a/mozilla.com/document/d/1rAJ9Sm2QPKZPOBleqTBEGevLExMPHQvTXngASr4n3IM/edit?usp=sharing>.
>
> *First priority is to ship "signin confirmation".* We're close. This is
> the biggest impact we can make to improve security for our users. Let's
> secure them.
>
> Afterwards:
>
> * Security
> o IP blocklist
> o Send fewer sign-in confirmation emails based on IP history
> + Should reduce frustration for a majority of users
> <https://sql.telemetry.mozilla.org/queries/526#878>
> o E-mail "captcha"
> + Provide UX and a link to override rate limiting
> + Uses sign-in confirmation, with altered copy
> o Location data in sign-in confirmation email
> + "Please confirm your sign-in attempt from Mountain View, USA"
> o 3rd-party security audit
> * UX
> o Measure more things
> + Big number / graph to see each week
> # Mean (median?) page load
> # 95th% page load
> + Time "connecting" assets
> # To know how much http2 would save
> + Time from firstrun to signin form usable
> o Conditionally load crypto
> + Load while user is filling out form
> + Remove assertions entirely (!)
> # requires coordination with oauth server to accept
> sessionTokens
> * OAuth for Context Graph
> o "Disconnect" an oauth token (devices and services)
> o OAuth API for Sync
> * Quality
> o nodejs 4.0 LTS
> + 0.10 EOL is October <https://github.com/nodejs/LTS#lts_schedule>
> + All repos pass tests on 4.0
> + Docker makes this easier, but dockerization may take too long
> o utf8mb4
> + In place change
> + Since we've been truncating anyways, the change should Just
> Work™
> + Stored procedures will need it separately
>
> Did I get everything? Did I properly describe everything? Is this really
> all for Q3? This looks like a lot, more likely for a "rest of the year"
> type thing.
>
> If this looks right, next step is to make sure we have features in Aha!,
> and issues filed for each piece.
>
>
> _______________________________________________
> Dev-fxacct mailing list
> Dev-fxacct at mozilla.org
> https://mail.mozilla.org/listinfo/dev-fxacct
>
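Added illustration, not code from FxA or from either author: a minimal in-memory sign-in guard that combines three of the Q3 security items listed above (lock an account after repeated failed logins, refuse IPs on a blocklist, and skip the sign-in confirmation email when the IP has already confirmed for that account). Thresholds, the lockout window, the sample blocklist entries and the IPs in the walkthrough are all constructed for the example; a real service would persist this state and load validated third-party lists instead of a hard-coded set.

```javascript
'use strict';

// Hypothetical policy values chosen for the example.
const MAX_FAILED_ATTEMPTS = 5;
const LOCKOUT_MS = 15 * 60 * 1000;

// Constructed sample blocklist (RFC 5737 documentation address).
const IP_BLOCKLIST = new Set(['203.0.113.7']);

class SigninGuard {
  // `now` is injectable so the lockout window can be tested without sleeping.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.failures = new Map(); // email -> { count, lockedUntil }
    this.knownIps = new Map(); // email -> Set of IPs that completed confirmation
  }

  isBlockedIp(ip) {
    return IP_BLOCKLIST.has(ip);
  }

  // True while the account is locked; an expired lock clears the counter.
  isLocked(email) {
    const rec = this.failures.get(email);
    if (!rec || rec.lockedUntil === 0) return false;
    if (rec.lockedUntil > this.now()) return true;
    this.failures.delete(email);
    return false;
  }

  recordFailure(email) {
    const rec = this.failures.get(email) || { count: 0, lockedUntil: 0 };
    rec.count += 1;
    if (rec.count >= MAX_FAILED_ATTEMPTS) {
      rec.lockedUntil = this.now() + LOCKOUT_MS;
    }
    this.failures.set(email, rec);
    return rec;
  }

  // Called when the user completes the emailed confirmation link:
  // the IP becomes "known" for this account and the failure counter resets.
  confirm(email, ip) {
    this.failures.delete(email);
    if (!this.knownIps.has(email)) this.knownIps.set(email, new Set());
    this.knownIps.get(email).add(ip);
  }

  // Decide what to do with a login attempt. `passwordOk` is the result of the
  // credential check. Returns 'blocked', 'locked', 'failed', 'confirm' or 'ok'.
  // Blocklist and lockout are checked before the password result is used so
  // that a locked account does not leak whether the password was right.
  evaluate(email, ip, passwordOk) {
    if (this.isBlockedIp(ip)) return 'blocked';
    if (this.isLocked(email)) return 'locked';
    if (!passwordOk) {
      this.recordFailure(email);
      return 'failed';
    }
    const known = this.knownIps.get(email);
    if (known && known.has(ip)) {
      this.failures.delete(email);
      return 'ok'; // known IP: no confirmation email needed
    }
    return 'confirm'; // new IP: session stays unverified until confirm() runs
  }
}

// Walkthrough with a fake clock (constructed inputs).
function demo() {
  let t = 0;
  const guard = new SigninGuard(() => t);
  const email = 'user@example.com';
  const steps = [];
  steps.push(guard.evaluate(email, '203.0.113.7', true)); // blocked
  for (let i = 0; i < MAX_FAILED_ATTEMPTS; i++) {
    steps.push(guard.evaluate(email, '198.51.100.5', false)); // failed x5
  }
  steps.push(guard.evaluate(email, '198.51.100.5', true)); // locked
  t = LOCKOUT_MS + 1; // lockout window elapses
  steps.push(guard.evaluate(email, '198.51.100.5', true)); // confirm
  guard.confirm(email, '198.51.100.5');
  steps.push(guard.evaluate(email, '198.51.100.5', true)); // ok
  steps.push(guard.evaluate(email, '192.0.2.9', true)); // confirm (new IP)
  return steps;
}

module.exports = { SigninGuard, demo, MAX_FAILED_ATTEMPTS, LOCKOUT_MS };
```

The ordering in evaluate() is the point worth keeping when porting this: blocklist, then lockout, then the password result, then IP history, so that a locked or blocked caller gets the same answer regardless of the password, and the "known IP" shortcut only ever fires for an address that previously completed confirmation.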