[kcdc 2025] 82 bugs i collected in a year you won’t believe made it to production

Speaker: Francois Martin

For more see the table of contents


General

  • Collected 382 bugs over 2 years

Bugs

  • Shows places where the accent mark in his name was handled incorrectly
  • Lorem ipsum on website instead of text
  • Ship date 12/31/69 – an unset date fell back to the default (zero) time, which displays as the previous day when converted to a timezone behind UTC
  • Get it before gone – 0 available
  • All items in pull down are “Object”
  • “null” displayed instead of value
  • Undefined/NaN instead of number
  • Emails missing
  • Everything in English and terms and conditions link in French
  • Dark mode changes background but not text so black on black
  • Viewing 42 of 38
  • 18 of 0 products found
  • Merge first and middle name into first name
  • Clicking + goes from 0 to 1 to 2 to 0 to 3.00000000000000004
  • AI bug – the assistant said it thought the user was looking for something unrelated
  • Lack of HTML entity decoding
  • Character encoding issues
  • @fmartin_ fails validation. It wasn’t the underscore; he couldn’t get it to validate even without it.
  • Lack of responsiveness; text overlays, menu cutoff
  • Glitching – various things that go away on refresh
  • Placeholders not replaced
  • Unfiltered error message. The user shouldn’t see and doesn’t need the back-end message
  • “2 guest” instead of “2 guests”
  • Text keys instead of translated value
  • Text keys flash and translate a few seconds later. SSR (server side rendering) solves this.
  • Incorrect/missing info

General

  • Defect – imperfection or deficiency where it does not meet requirements or impairs its intended use
  • ex: exposing info that shouldn’t be exposed, not being clear what to do, instructions that don’t work
  • Reproducibility doesn’t matter. Once is enough
  • Found more bugs since June. Maybe because of vibe coding?
  • Most bugs are UI. Logic, error handling came in next
  • Of the critical/blockers, data validation and error handling had most bugs

To prevent

  • webdriver.io good for testing mobile
  • end to end testing
  • dog fooding – use the product yourself
  • exploratory testing – experts can find lots of bugs in short time
  • heat map visualization – see where clicks are. Dead clicks (click an element and nothing happens). Rage clicks (repeated clicks out of frustration when nothing happens)
  • Turn off stack traces in prod. Only show specific messages
  • Prevent SQL injection and XSS
  • Test in all the languages you support

My take

The session began with a guest who played a 30-second accordion song about bugs and service pack 2. Relaxing and fun; great timing as the last session of the day. I enjoyed seeing the examples and also the analysis/statistics about categories of bugs.

[kcdc 2025] designing for behavioral change – the science behind habit-forming products

Speaker: Preston Chandler

For more see the table of contents


General

  • Why do some products become second nature while others are forgotten – valuable, fun, etc

Habit Loop

  • Cue -> Response -> Reward
  • If you put a golf ball near a nest, a goose will pull it into nest. Maximizes number of chicks from when egg rolls out of nest

Hook Model

  • Trigger -> Action -> Variable reward -> investment
  • Investment can be effort/time/money
  • Consultants are expensive. If the advice were free, people wouldn’t care about it. “That was just $100 of advice”
  • Variable rewards are more appealing than predictable ones. ex: gambling
  • Some things need to be predictable – ex: excel formula

B=MAP

  • behavior = motivation * ability * prompt
  • Cathedral in Milan – had to sign up for entry with a QR code. The prompt was the QR code. Motivated to get in, but couldn’t get the website to work after 20-30 minutes

Effort vs Reward

  • Amazon – easy – buy now button, reward by getting stuff faster, microtransactions, made easy for you to give them money.
  • Tiktok – easy – just scroll down and get gratification. Variable reward; not every video good. Also dark pattern.
  • US Treasury – hard. On-screen keyboard where you click each letter, and the letters are not in order. Has changed since
  • hard website – abandon
  • AT&T – expensive. Negative reward compared to others. 8 hours to leave service. Multiple calls to customer service. People will never go back if left dissatisfied
  • Rewards – money, time, scrolling motivation
  • Checklists motivate most people; satisfaction of marking items as done
  • Line of sight goals are motivating. Ex: daily goals, gold coins
  • Different people motivated by different things

Dark Patterns

  • Sign up for newsletter and get 30% in
  • Confusing radio buttons on whether to opt in
  • Link with very little contrast to background so can barely see
  • Company and user incentives not aligned

Voice Assistant

  • Use for music, timer, shopping
  • Sticky because personalizable to you

DuoLingo

  • Motivated to keep streak alive. Child said they didn’t have enough time to finish homework. That was ok because they went to the zoo. But still wanted to keep the streak
  • Easy to pick up, don’t need a lot of time
  • Bird will look angry and shame you – dark pattern
  • Constantly upselling – dark pattern

Exercise

  • For trigger clarity, action simplicity, reward value and investment payoff, think about obstacle today and how make better

Other

  • Behavior is designable – ex: clear trigger, low effort
  • Ethics = engagement + trust
  • Small changes can have a big impact. If hose squished, have a constraint and hardly any water goes though. Must fix that to improve

Playbook

  • Identify internal/external triggers
  • Minimize friction, simplify first action
  • Offer variable rewards tied to meaning
  • Encourage investment; effort builds attachment
  • Align outcomes with user values

Creativity

  • Chore Kanban
  • Have ChatGPT make budget a Shakespearean sonnet

My take

Great examples to understand ideas. Fun examples

[kcdc 2025] Passkeys: The end of Passwords and the Future of Authentication

Speaker: Mateusz Zajac

For more see the table of contents


General

  • Don’t need complex passwords
  • Phishing proof
  • Public key crypto + biometrics
  • One tap sign in
  • Secure
  • Fewer breaches
  • Simpler flows
  • Lower support costs – fewer password resets/tickets
  • Lower fraud – starting to move to customer facing apps like travel. Not just finance
  • 1 billion people use daily

Problems with passwords

  • Easy to guess/steal
  • Phishing
  • Credential stuffing – if one account falls, others follow
  • Server breaches. Most common attack
  • Users have to keep track

Passwords vs Passkeys

  • Passkeys are auto-generated. Passwords have to be typed twice.
  • Passkeys can use face id
  • Passkeys don’t require reset. Password reset flow has many steps, including choosing something memorable but different than the last batch of passwords. 57% of users forgot their password after resetting. 30-40% of help desk calls are password reset related
  • 81% breaches involve compromised credentials
  • 51% of people reuse password
  • 2.5 million passwords stolen each week
  • Passkeys synced via iCloud
  • 92% users give up and don’t try to reset
  • 400 million Google accounts use passkeys

2FA

  • SMS phishable
  • Push fatigue where keep getting notification until give in and click

Passkey

  • Pair of keys
  • Private key on your device
  • Private key kept safe
  • Phone creates a public key that is shared with the website
  • Website sends a challenge that needs the secret key to solve
  • Use Face ID and the phone solves it
  • Sign ins are four times faster than passwords

Amazon login example

  • One time setup – your device creates a private/public key pair. Amazon stores public key
  • When try to login, Amazon sends a cryptographic challenge. This avoids replay attacks.
  • Your phone uses Face ID to confirm it is you. Then phone has private key sign the challenge and sends to Amazon. Amazon authenticates

Phishing prevention

  • Scammer tries with a fake site
  • Your phone refuses to sign because domain is wrong

iOS Code

  • WebAuthn
  • FIDO2 – gets url, challenge size, etc

Cross Device Sign in

  • Website generates QR code
  • Scan with phone. Uses bluetooth to verify physical proximity
  • Single use
  • Expires quickly
  • Private key never leaves device
  • Useful if want to log in from someone else’s computer

Challenge

  • If you lose your phone
  • Cross platform sync
  • Inconsistent browser support
  • Human factors – trust, education

Good references

  • w3c.org/TR/webauthn
  • fidoalliance.org
  • developer.apple.com/passkeys
  • etc

Informal Q&A

  • Two people had facial recognition not work
  • External device

My take

Great comparison and great statistics.