another instance of security versus usability

Last weekend, when I logged in to my bank's website to pay my bills, I discovered that they have added a new security feature. Now, if they think that a login is potentially fraudulent (even if I type my password correctly!), they'll ask one of three secret questions. I had to select the secret questions and give their answers. This turned out to be a usability nightmare.

This is another one of those messy intersections between security and usability. I've written about one of these intersections earlier, specifically about Entourage not automatically downloading images from the email you receive. Security, in this case in the form of authentication, is difficult. I have approximately eleventy billion passwords to remember. What happens when I forget my password? In the interests of usability and reducing calls to tech support, many places have given us the curse of the secret question. I'm not going to go into the security issues associated with the use of the secret question; that's someone else's blog post. But I will discuss the usability issues associated with using secret questions.

Once upon a time, there was only one secret question: what's your mother's maiden name? I'm not sure why there are more secret questions now. One potential reason is that there's a significant chance that the user has the same last name as their mother's so-called maiden name. But the new list of secret questions is horrible. Either I can't answer them because I don't remember the answer or one doesn't exist, or my answer doesn't fall within their parameters.

Let's take a look at some common secret questions.

  • Someone's middle name (mother's, father's, sibling's) -- I don't have any siblings (my parents realised what a mistake they'd made and stopped before it got any worse). On my bank's website, there's an additional requirement that any answer be six characters or longer. My mother's middle name is four characters. This isn't uncommon. The current list of most popular baby names (according to the US Social Security Administration) includes Jacob, Ethan, Emily, Emma, and Ava. Add in other perennial favourites such as Peter, David, Lynn, and June. The problem exists in the other direction, too: if there's a maximum limit, long names like Fitzpatrick could be either not accepted or unknowingly truncated.
  • High school mascot -- This, like many other secret questions, is a rather American-centric question. Schools outside of America, from primary all the way through university, don't have mascots. My bank does business in Silicon Valley, with its high percentage of recent immigrants, so I was surprised that they had a question that so many users wouldn't be able to answer.
  • Pet's name -- My cat's name is Tipsy. He's 14. He's not going to live forever. What happens in five years when Tipsy is gone and I have another cat, but I've forgotten my password? A variant on this is to ask my favourite pet's name growing up. My parents never had fewer than four animals at any given point. I'm lucky to remember any of their names, let alone be able to select a favourite. And let's not forget how many people know my pet's name; even Paris Hilton discovered that this was a bad question when her T-Mobile phone was stolen a few years ago and her account was hacked because the attackers knew her dog's name.
  • City of birth -- I always stumble on this one because I'm not sure if I should answer with just the name of the city, or the city and state. A variant on this one is to ask where one of your parents was born. Being a bad daughter, I have no idea which cities first heard my infant parents' cries. I could find out, but will I actually remember when pressed?
  • Favourite [food | film | artist | colour | holiday destination] -- Am I the only person for whom most of these answers change frequently? My favourite musical artist is Paul Kelly today, but several of my other favourites have albums coming out soon, which will make my favourite list re-shuffle again.
  • Street you grew up on -- Families are reasonably mobile. I can name four streets that I grew up on. Which one do I choose? The first? The longest? The last?
  • Phone number you remember from your childhood -- How is anyone supposed to be able to recite some phone number from their childhood? Lots of people are bad with telephone numbers. Other people remember lots of numbers from their childhood (parents, grandparents, multiple homes, ... ).
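Several of the failures above (city versus "city, state", stray capitals and spaces, an answer typed slightly differently years later) come from comparing the stored answer byte-for-byte with what the user retypes. The snippet below is an added illustration, not code from the post or from any bank: it normalises answers before hashing them, so "Springfield, IL" at enrolment still matches "springfield" at login, while the stored value is a salted hash rather than the plaintext answer. The sample answers, the salt, and the rule of keeping only the part before the first comma are constructed assumptions for the example.

```python
import hashlib
import hmac
import re
import unicodedata

# Constructed sample enrolment: what the user typed when choosing the questions.
ENROLLED_ANSWERS = {
    "city_of_birth": "Springfield, IL",
    "pet_name": " Tipsy ",
}

# Assumption for the example: a fixed salt. A real system draws a random
# per-user salt and stores it next to the hash.
SALT = b"constructed-per-user-salt"


def normalise(answer: str) -> str:
    """Fold the variations the post describes into one canonical form.

    Removes accents, case, whitespace and punctuation, and keeps only the part
    before the first comma (assumption: for place names the ", State" suffix is
    the piece the user is least likely to retype the same way twice).
    """
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.split(",", 1)[0]
    return re.sub(r"[^a-z0-9]", "", text.lower())


def digest(answer: str, salt: bytes = SALT) -> bytes:
    """Salted, slow hash of the normalised answer; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode("utf-8"), salt, 100_000)


def enrol(answers: dict) -> dict:
    """Return the per-question hashes a site would persist at enrolment."""
    return {question: digest(answer) for question, answer in answers.items()}


def verify(stored: dict, question: str, attempt: str) -> bool:
    """Constant-time comparison of the retyped answer against the stored hash."""
    return hmac.compare_digest(stored[question], digest(attempt))


if __name__ == "__main__":
    stored = enrol(ENROLLED_ANSWERS)
    for attempt in ("springfield", "Springfield, Illinois", "Shelbyville"):
        print(f"city_of_birth / {attempt!r}: {verify(stored, 'city_of_birth', attempt)}")
    print(f"pet_name / 'tipsy': {verify(stored, 'pet_name', 'tipsy')}")
```

Normalisation widens what counts as a correct answer, so it trades a little guessing resistance for fewer lock-outs; that is the same security-versus-usability tension the post is about, made explicit in one function.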

That's just the usability problems with these questions. That's ignoring that most of these questions aren't really that secure. Any name associated with my parents is a matter of public record, since all of that will be on my birth certificate. Everyone knows my cat's name. Mascots and city names are susceptible to brute force attacks.

I don't claim to have an answer here. I understand why sites want passwords, and I understand why users forget their passwords. I understand why sites want to use secret questions to help authenticate their users. I'm concerned that secret questions solve neither the usability problem of users forgetting their passwords nor the security problem of the institution wanting to protect themselves and their users from fraudulent log-ins.