Identity confirmation using PIN to decrypt previously issued token

I am building an app (for web and mobile) that requires a user pass two stages of authentication/authorisation in order to access a server-side API and subsequently use the app. First, they must supply valid credentials (username/password). Second, they must meet a series of variable criteria, for example the current time being within a defined range.

I am planning to implement this through the use of two tokens:

  • A long-term, randomly generated, opaque session token
  • A short-lived JWT authorisation token, with self-contained user and expiry data

On the client side, the presence of the session token would allow the user to skip re-entering their (hopefully long and complex) username/password. On the server side, a valid session token would be required to issue an authorisation token, and a valid authorisation token would be required to access the API.

While the goal of the session token is to simplify access (particularly on mobile devices) by removing the need to enter full username/password, I would prefer the user still re-confirm their identity before a new authorisation token is issued. A shorter numeric PIN (or potentially a fingerprint/face scan on supported devices) could allow this.

However, storing such a PIN along with the user’s other data on the server would require full management facilities, as with their password (“I forgot my PIN”). To avoid this overhead, I am thinking about the following approach.

On initial login (no known session token):

  • Ask for and submit username, password, and PIN.
  • If username/password are valid, generate the session token.
  • Encrypt the session token under a key derived from a server-known secret plus the submitted PIN.
  • Return the encrypted session token to the client.

On subsequent login (known session token):

  • Ask for PIN.
  • Submit PIN and encrypted session token.
  • Decrypt the session token, using the submitted PIN, and compare the result to that stored on the server.
  • If the decrypted session token matches a valid session, the user has confirmed their identity and an authorisation token can be issued.

In my mind, this allows a simple “identity confirmation” step with little overhead. The user can reset their PIN at any time simply by fully logging out and logging back in again, choosing a new PIN. And while the PIN is short and simple, it is combined with a server-known secret in order to derive the encryption key, so an offline brute-force of the encrypted session token should be extremely difficult. And server-side use of a slow key derivation function, rate limiting, and lockouts on failed attempts should mitigate online attacks on the PIN.

So my question is: is my thinking correct? Is this a secure way to achieve my goal?

Closing app via keyboard shortcut — should there be a confirmation dialogue?

There are many ways to close apps: mouse-and-click on an ‘x’ somewhere, choose “Quit” as a menu option, keyboard shortcuts (ctrl-w, cmd-q, alt-f4 etc.)

I notice some apps I use ask me “Are you sure you want to exit?” when I try to close them.

What are the UX guidelines as to when there should be an “Are you sure you want to exit?” confirmation dialogue?

How to uninstall Citrix Receiver package with confirmation

I am trying to run a command line task on a HP thin Client to uninstall citrix receiver.

The task runs the below command on the client.

sudo apt-get –purge remove -y icaclient-term

it shows it has completed successfully but when I check I can see the receiver is still installed.

On x-terminal I can successfully uninstall by just running sudo apt-get –purge remove icaclient-term

What is the correct command to unsintall with a confirmation when prompted for y/n?

Best place to show a confirmation modal in a purchase flow

So, I’m working on an insurance ecommerce and would like to get input on where to show a confirmation modal. Let’s say I am in the summary page, and there’s a “Change Plan” button to choose another plan. I have to options where to show the confirmation modal

Option 1. Once the user clicks the “Change button”, s/he is redirected to the Plans Page. And right after the user clicks the “I want this plan” button to commit the change, show the modal.

Option 2. Show the modal in the Summary Page right after the user clicks the “Change Plan” button. And then redirect the user to the Plan Page.

I feel option 1 works better as the modal is shown right before committing the change, but option 2 can work as well. Any feedback is appreciated.

Prototype that shows both options

Move a group of files, prompting the user for confirmation for every file

System: Ubuntu MATE 18.04.

I have a collection of files (in multiple directories in a directory structure) and I want to move many of them to another directory. I can tell which files I want to move by their names (they are recipe titles), but there is no other way to distinguish between files I do want to move and files I don’t want to move; I need to make a decision for every file by examining the name myself.

So, I am running a command once for each file I want to move, like

mv Snacks/OkaraCrackers NeedsTesting/ mv Snacks/SunflowerBrittle NeedsTesting/ mv Treats/ChocolateChilliFudge NeedsTesting/ mv Treats/PecanBlondies NeedsTesting/ 

Even with tab completion this is toooo much typing. What I really want to do is something like

shopt -s globstar mv --prompt-me-for-every-file ** NeedsTesting/ 

So I can just press y or n for each file.

How can I move a group of files and be prompted for confirmation for every file?

Confirmation Pattern deleting a comment in Google Suite


I would like information about the current pattern to delete a comment from an app of the Google Suite.

Where and How to find it

Remove a comment made in Google Docs, Google Sheets, etc.

Google Sheet Confirmation Dialog. It says "Delete this comment thread?" with two buttons (Delete and Cancel)


  1. What’s the name for this mini-modal window that Google is using for removing comments?

  2. What’s the benefits of use this instead of a modal window? and when we should use one over the other??


My guess is that they are looking for a way to have the confirmation UI closer to the action button (Fitts’s Law). But, certainly I don’t know.

Prestashop Añadir día de la semana subject Order Confirmation

Prestashop Estoy intentando incluir en el subject del email que recibe el admin cuando hay un pedido nuevo el día de la semana que es en ese momento pero no consigo que funcione. Por ejemplo yo quiero recibir como admin en el subject esto:

Oscar Cuenca, New order : #4524 – YKSUCKDON – Lunes

Esto es porque estoy usando un CRM y me interesa que el email que recibo ponga el día actual de la semana en que el email se ha creado. Lo que hago es esto: Añado las variables:

$  fecha = array("domingo","lunes","martes","miércoles","jueves","viernes","sábado");     $  dia = $  fecha[date("w")]; 

En el archivo mailalerts.php, linea aprox 254

public function hookActionValidateOrder($  params) {     if (!$  this->merchant_order || empty($  this->merchant_mails))         return;      // Getting differents vars     $  context = Context::getContext();     $  id_lang = (int)$  context->language->id;     $  id_shop = (int)$  context->shop->id;     $  currency = $  params['currency'];     $  order = $  params['order'];     $  fecha = array("domingo","lunes","martes","miércoles","jueves","viernes","sábado");     $  dia = $  fecha[date("w")];     $  customer = $  params['customer'];     $  configuration = Configuration::getM........ 

Una vez hecho esto, en este mismo archivo aprox línea 466 en la funcion Mail::Send

 Mail::Send(                  $  mail_id_lang,                 'new_order',                 sprintf(Mail::l($  customer->lastname.', '.'New order : #%d - %s'.', '.$  dia, $  mail_id_lang), $  order->id, $  order->reference),                 $  template_vars,                 $  merchant_mail,                 null,                 $  customer->email,                 $  configuration['PS_SHOP_NAME'],                 null,                 null,                 $  dir_mail,                 null,                 $  id_shop             ); 

Hecho esto, no causa ningún efecto. Sigo recibiendo el mismo subject:

Oscar Cuenca, New order : #4524 – YKSUCKDON

Sin el día de la semana.