e-Houwiya's MobileID is Tunisia's government-backed identity platform. MobileId seems to have been implemented not by the government but by a third-party called Sirat.

Preface

I think MobileId is a step in the right direction.

My belief is that eHouwiya's reliance on SMS verification opens the system to more than a few vulnerabilities that simply cannot be addressed unless they exchange it with a more secure verification layer (like TOTP or hardware key verification).

Nevertheless, my beliefs on the security implementation are the topic of another day, today I want to focus solely on MobileId's misguided UX which makes the service extremely painful to use day-to-day.

What we expect

1. The ability to copy and paste form input:

   • Password managers extensions should not fail to automatically insert your login credentials. Resorting to quirks because of a poor implementation is still poor UX.
   • A user should have no problem trying to paste their credentials from an external password manager (one they've installed outside of their browser)

2. The ability to manipulate the form without breaking common user access (CUA) conventions:

   • Tabbing through the inputs should work, reverse-tabbing should also work, no matter what
3. Form validation should prevent you from entering prohibited characters:
4. Resending the verification SMS should not reset all user input.

What we get

MobileId fails on every account with regards to my own personal expectations of what it should provide as a tool that I'm supposed to use every day.

Let's run through those expectations to understand what I mean:

• You cannot copy and paste data into the form: the reason for this is because the form has been split into 10 individual input fields... Seriously? Why?

  • You use a password manager to stay safe? Think again.

• You didn't receive your SMS? Too bad, re-enter all your credentials.

• You cannot rely on the conventions of common user access to navigate the fields

  • Reverse-tabbing (Shift+Tab) doesn't work when the preceeding field contains a character
  • You cannot use your arrow keys to navigate between every digit
  • MobileId's form logic is, as of the date of publication, around 400 lines of JavaScript (embedded directly in the HTML document), 90 of those lines are spent reimplementing what HTML natively provides in one simple and effective attribute, i.e. <input type="number">
• MobileId only uses digits but the form still lets you to enter symbols and alphabetical characters

What now?

I hope someone from Sirat, TunTrust or whomever's managing the project sees this post and views it as suggestions for improving the service for everyone using it. I'd love to see MobileId integrated in more and more government services as it makes my life a lot easier. One could only hope.