Feature: Ease of access vs security
  In order to authenticate as quickly and as easily as possible, taking security into consideration,
  as a customer, I want to
  a) control for the username:
     - its min (1) and max (12) length
     - whether it is numeric only or alphanumeric
  b) control for the password (or PIN, depending):
     - its min (4) and max (12) length
     - whether it is numeric only or alphanumeric
     - whether it can expire and the days before it expires (0-365)
     - how many times you can attempt and fail before the account gets locked for 30 sec
     - the number of new unique passwords that have to be used before an old password can be reused
     - whether a password is required at all
  c) have associates change a password after a manager sets it

  Scenario: Sign in with ease
    Given the min, max, and numeric-only have been configured
    When the associate tries to sign in
    Then the fields are limited in length to min and max
    And if they are numeric-only you can only enter numbers

  Scenario: Show a numpad instead of a keyboard
    Except for when you don't ask for a password at all
    Given both username and password are set to numeric only
    When the associate tries to sign in
    Then they get an always visible numpad instead of a full-fledged keyboard

  # backlog: needed for hospitality, not for retail - so we leave it for now
  Scenario: No password required
    Given the customer allows that
    Then our UI will block it, because it is a required field

  Scenario: Password expired
    Given the associate's password is expired
    When they try to sign in
    Then they are informed that the password is expired
    And that they need to enter a new one before they can continue
    And they are asked to enter the old one
    And they are asked to enter a new one
    When they enter matching passwords
    And they fit the policy
    Then their password is changed
    And they are informed about that
    And they are sent back to device sign in

  Scenario: Password must change
    Same as expired, just a different message

  Scenario: New password does not match policy
    Given the associate tried to sign in
    And is asked to set a new password
    When the new password does not match the configured policy
    Then they are informed about it
    And they cannot set it
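As an added example, not part of this feature file or its project, here is one way the configurable policy above (length, numeric-only, expiry days, failed-attempt lockout, password history, password required) could be modelled and enforced behind the step definitions, in Python. The class and function names are assumptions, as is the default of 3 failed attempts; the 30-second lockout and the length bounds come from the feature.

```python
from dataclasses import dataclass
@dataclass
class FieldPolicy:             # length/character rules, shared by the username and password fields
    min_len: int
    max_len: int
    numeric_only: bool = False

@dataclass
class PasswordPolicy:
    field: FieldPolicy
    required: bool = True          # "if a password is required at all"
    expires_after_days: int = 0    # 0-365; 0 means the password never expires
    max_failed_attempts: int = 3   # assumed default; the feature only says it is configurable
    lockout_seconds: int = 30
    history_depth: int = 3         # new unique passwords needed before an old one may be reused

@dataclass
class AccountState:
    password_history: list         # oldest first; the last entry is the current password
    password_set_at: float         # epoch seconds
    failed_attempts: int = 0
    locked_until: float = 0.0      # epoch seconds; 0 means not locked

def check_field(policy, value):
    """Return None if value fits the field policy, else the reason it does not."""
    if not policy.min_len <= len(value) <= policy.max_len:
        return f"length must be between {policy.min_len} and {policy.max_len}"
    if policy.numeric_only and not value.isdigit():
        return "only digits are allowed"
    return None

def check_new_password(policy, state, candidate):
    if not policy.required and candidate == "":
        return None                # an empty password is fine only when none is required
    reason = check_field(policy.field, candidate)
    recent = state.password_history[-policy.history_depth:] if policy.history_depth else []
    if reason is None and candidate in recent:
        reason = f"cannot reuse one of the last {policy.history_depth} passwords"
    return reason

def password_expired(policy, state, now):
    days = policy.expires_after_days
    return days > 0 and now - state.password_set_at > days * 86400

def record_failed_attempt(policy, state, now):
    state.failed_attempts += 1     # count one failed sign-in; returns True when the lock kicks in
    if state.failed_attempts >= policy.max_failed_attempts:
        state.failed_attempts = 0
        state.locked_until = now + policy.lockout_seconds   # locked for 30 sec per the feature
        return True
    return False
```

A sign-in step would first test `now < state.locked_until` and `password_expired(...)` before verifying the credential, and route to the "set a new password" scenario when expiry is hit.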