Last November, my mom, as she passed me her phone, told me that Grandmom had been hacked. "Go help," she said.
Several minutes and one intense interrogation later, I learned that Grandmom had read an email stating that her credit card had been hacked and that she needed to reset it immediately. I thought this smelled a bit phishy. "Who was the email from?" I asked.
"I don't know. I don't have it," Grandmom replied.
Uh oh. Time for an over-the-phone debugging session.
Slowly, we navigated to her inbox. Slowly, we found the search bar. Nope, not that one. The smaller one inside the page. The page? Yeah, like the specific website, not the browser. Browser? Yeah, you know like the thing you use to go to the internet? Oh, Google. Sure, yeah. But do you see the search box right above the list of emails? There's nothing to the right, just something on top. Yes.
We searched for "hack", "credit card", and "reset". The email wasn't there. Maybe it was archived. We went to the archive. Nothing. Maybe it was deleted? Nope. Spam? No, Pam hasn't emailed me in years.
Things weren't going well. "You know what," I said, "how about I log in to your email so I can look for it myself?"
She thought that was a swell idea. Okay, what's your email? Got it. And what's your password? A password? No, I don't have one. You must have a password. How do you sign in to your email? It's just there. But what if you get a new computer? You must have had a password at some point. No, I just open Google and it's there.
I handed the phone back to my mom. "Tell her she's been hacked and can't access the internet anymore."
Keeping users logged in indefinitely may reduce friction in accessing your service, but might convince them that they don't have a password.
No matter how much you fine-tune your UX, your website is inherently hostile to certain users. Grandmom doesn't care how good your search autocomplete is. She's typing in the wrong window.
The only part of this that would be solved by web3 is that if you added Grandmom to the blockchain, all her assets would actually be stolen and no one would bother with sending her phishing emails anymore.