"User accounts" in the security sense, maybe isn't the right abstraction.
Have you tried logging in with multiple accounts on a Nintendo Switch? You're sort of just logged into all of them at once; and when you launch a given app/game, it asks you which profile you want to launch it under.
To me, that'd be the perfect multi-user experience for iPad. Any user can unlock it with their own biometrics/credentials; once unlocked, that user can then act as any user that has a profile on the device.
When would you select user? The ipad is designed to swap between apps way more frequently than you swap games on the switch. If you have to select user every time you swap apps on the ipad, it would be horribly annoying.
Probably only as a double-check if the iPad detects that it's been handed to a different person without being locked. In most cases you'd want to continue under the assumption that the user who unlocked the device wants to open things as themselves.
Mind you, the Switch has to do user-switching only at app startup time, because it's an effectively single-tasking OS. Given that you can be running tons of apps (and instances of apps) at the same time on an iPad, there are many other UI possibilities that synergize with an explicit user-chooser. Examples:
- You know the app groups in the new macOS/iPadOS? Imagine a user profile as an app-group-group (in iOS) or a group of spaces (in macOS.) Do the slow-swipe-up-from-the-bottom thing again when you're already in the app chooser, and you get the profile chooser.
- Some gesture you can do while in an app, that means "give me this same app, but viewed as a different user" — which is like a retroactive version of the Switch user-chooser thing. If other users already had the same app open, it'd work like Expose/Mission Control for seeing what their instance of the app looks like. And, as an optimization, apps that detect that you've user-switched away from them soon after launch, when they're still in their toplevel view, could take that as a signal to quit (as they'd assume that you just meant to open the app as a different user.)
> Probably only as a double-check if the iPad detects that it's been handed to a different person without being locked.
Huh? How would the ipad detect that?
> - Some gesture you can do while in an app, that means "give me this same app, but viewed as a different user" — which is like a retroactive version of the Switch user-chooser thing
That sounds horribly confusing and complicated. And it doesn't even address the security problem where you don't want other users to see your stuff. (Eg, my kids shouldn't see notifications for me, or be able to read my email).
I agree that its possible (its software, anything is possible). But I think it would take serious design work to implement user switching like you're proposing in a way thats not horribly complicated.
Probably the easiest way to do it would be at the unlock screen. Have the user lock their ipad then unlock it as a different user via a different profile attached to the fingerprint sensor.
Ambient accelerometer data (like is used in the Apple Watch for car-crash detection et al) triggering a background FaceID scan when the movement subsides.
> And it doesn't even address the security problem where you don't want other users to see your stuff. (Eg, my kids shouldn't see notifications for me, or be able to read my email).
Think of this sort of setup as a kiosk device — like a library computer. If accounts were allowed to be persistently signed into the device at all, then it would be in a low-integrity way, where you wouldn't be able to access your email et al through the device. Instead, the only things that would sync would be things that "don't matter" to expose to others: preferences, [non-private-browsing] history, game saves, etc.
The point wouldn't be to allow a whole family to share one iDevice for all their personal information management needs. You — and anyone else that has PII to manage — would still need a personal iPhone for that.
The point, instead, would be to have something like a game console, or a streaming box, or an eBook reader — the superset of all of those. Something for everyone in a family to just pass around to do "general family stuff" with games, books, music, movies, etc; without needing to worry about security. But, crucially, while still able to have "their own" bookmarked pages in books, watched episodes in TV shows, game saves, music playlists, and so forth; where that stuff does sync from their profile on this shared device, to any personal devices they also own.
You probably won't see the concrete use-case, if you don't have multiple children. None of them has any PII to manage, but they certainly do want their own open tabs and game saves, and protection from their siblings accidentally stomping over those.
> Probably the easiest way to do it would be at the unlock screen. Have the user lock their ipad then unlock it as a different user via a different profile attached to the fingerprint sensor.
iPads don't have fingerprint sensors. Also, you're expecting a lot out of children (again, the central point of this) to re-lock the device (just to unlock it again) after taking it from their sibling. My impression is that they'd see something they want to do and just start trying to do it. The ideal here would be to automatically switch profiles when this happens, such that they seamlessly get the same app, but with state recorded for their profile, rather than their sibling's.
Yes they do. My ipad air from last year certainly does. (And its missing Face ID).
> The ideal here would be to automatically switch profiles when this happens, such that they seamlessly get the same app, but with state recorded for their profile, rather than their sibling's.
Sounds like a version 2 feature for user switching. If I were apple and I cared about this, I'd release a simpler version first and wait for feedback.
I hear what you're looking for. I really do. I just think its very complicated to get the interaction you're looking for right. If FaceID started doing its thing every time I handle my iPad, it would be scanning basically all the time.
> If FaceID started doing its thing every time I handle my iPad
I mean, it already kind of does (on iPhones at least, don't know about iPads) — ever notice that the screen will automatically come on when you pick up the device and tilt it to a certain angle, but only if you're looking at it?
Mind you, that's a trigger from sleep. But you could just as well have one that's a trigger "from stillness" — i.e. when the device hasn't moved in a while, and then it does.
I believe a few months ago HN comments were riffing on a hypothetical "persistent background authentication" system Apple could be developing that would justify their disinterest in bringing back TouchID for iPhones. It would basically work by using every sensor available to try to constantly determine whether the same person that previously unlocked the device, was in continuous physical possession of the device. As long as that was true, the device would remain unlocked (rather than there being any kind of lock-during-sleep timer.) But as soon as the device was passed to someone else, or taken out and left on a table, all authentication would be discarded. (It wouldn't necessarily "lock" in the sense of taking you to the lock screen as soon as you place your phone on a table — you might want to show someone a cat photo, after all — but it'd at least temporarily assume a low-integrity kiosk mode for that app, becoming "locked underneath", in the same way that the photos app viewed from the camera app accessed from the lock screen is low-integrity + "locked underneath.") This would mean that any authentication that is required could take a lot longer / be a lot more thorough — because the most common kind of auth, the "incremental re-authentication" when you take your phone out of your pocket for a second — would no longer exist.
I feel like this kind of thing is totally possible — even plausible/practical — given Apple's fondness for developing low-power sensor-tracking ASICs for the Apple Watch et al.
> If I were apple and I cared about this, I'd release a simpler version first and wait for feedback.
Apple doesn't really do this; they seem to try to "get UX right the first time", in the sense that they'll never really make a UX iteratively better, only ever completely throw a UX away and then create an entirely new UX that's a-bit-more-than-iteratively better, with an entirely different name and branding (E.g. Exposé → Mission Control.) — presumably so that users don't think it's the old thing, try to use it like the old thing, and fail.
But, mind you — the Apple TV's tvOS already has "user profiles" and "user switching" in exactly the "V1" way you're describing! (https://support.apple.com/en-ca/guide/tv/atvb59ec8e2e/tvos) tvOS doesn't do any kind of automatic switching; it only allows for explicit switching.
So, conveniently, the code for most of this logic is already there in the iOS codebase. It'd just need to be adapted to the iPad's UX; and some annotations added to apps to mark them as "allowed in low-integrity mode" or not, where apps that aren't "allowed in low-integrity mode" apps — i.e. "requires high-integrity" apps — should never be allowed to be run/installed on an iPad set up for sharing (just like "requires high-integrity" apps aren't allowed to be published at all for tvOS to begin with.)
