Security vs. usability
It seems like everyone is trying to make their web site more secure these days. The “image seal” has become popular (you choose an image when you enroll, and it is displayed on the login page so that you know you are on the actual web site and not a phishing site); it is now used on several high-traffic sites such as Yahoo! and Bank of America. But sometimes sites go way too far in the name of security and turn it into a hassle for the user.
I logged in yesterday to check my Citibank credit card statement and was asked to select three security questions before I could proceed. Fine, I thought, I’ve done this before. I had to select three questions from dropdown boxes…nothing new. However, the questions contained in the dropdown boxes were ridiculous. A number of them related to a spouse (e.g., what’s your spouse’s nickname?). I don’t have a spouse, so automatically I’m limited. Next, there were the childhood questions (what was your childhood pet’s name?), most of which didn’t apply to me either. Okay, what city were you born in? Got that. One question down, two to go. Next dropdown…more of the same. Found one: what’s your oldest sibling’s name? Sweet, I have only one sibling, so that’s easy. Two questions down. The third dropdown had even more strange questions. It literally took me fifteen minutes, going back and forth, trying to figure out which questions to select. Several times I considered just canceling the whole process out of frustration. Finally, I selected all three questions and was let in.
I don’t understand why security questions have to be so strange. Why can’t I just fill in my own question as well as the answer? The important part is to match up the question and the answer, not the content of the question. I really hate it when sites force you to do things that are really inconvenient for the sake of security. The system we use at work for payroll has such stringent password requirements that I can’t remember the password…every time I go to check something, I have to click “Forgot your password?”
There has to be some logical balance between being secure and being usable. When things aren’t easy to use, when you can’t remember your own security questions, or when you’re forced into a security paradigm you’re not comfortable with, it doesn’t make the user any more secure. In fact, I’d venture to say it makes users consider alternative services that are easier to use.
Disclaimer: Any viewpoints and opinions expressed in this article are those of Nicholas C. Zakas and do not, in any way, reflect those of my employer, my colleagues, Wrox Publishing, O'Reilly Publishing, or anyone else. I speak only for myself, not for them.
4 Comments
Hey, I’d say your first problem is using citibank’s website. That thing is a mess!
But I agree completely with you. Sometimes security "features" actually make things less secure. When a user can’t create a password they’ll remember, they end up writing it down on a piece of paper and leaving it on the desk for anyone to see.
I never liked security questions anyway, it’s not like someone couldn’t figure out the name of your oldest sibling.
Kevin on January 19th, 2007 at 3:13 pm
I actually had a conversation similar to this yesterday. I was talking to a friend of mine and she said at work she has access to 6 different internal systems. Each one has a different login and each of them wants her to consistently change her password. She even had one system that complains if the new password is too similar to the old one.
Her solution to keeping track of all that? She keeps an index card in her desk drawer with all her user names and passwords. Somehow I don’t think that was the goal of the security people.
david_kw on January 19th, 2007 at 7:19 pm
I think a good solution could be a browser-based technology that browser makers can implement. However, it’s easier said than done.
After all, that’s why no one (not even MS) could get their single-ID standard used…
Michael on January 19th, 2007 at 8:51 pm
I always thought it would be funny, since the security questions on email/banks/etc. sound like MySpace and email surveys, if someone were to put together a survey with those questions and send it out to their friends, just to see who would answer. I think I might just put that together and let people know it’s a joke afterwards, but still see who answers.
Billy on December 26th, 2007 at 9:24 pm