Security vs. usability
It seems like everyone is trying to make their web site more secure these days. The “image seal” has become more popular: you pick an image that is then displayed on the login page, so you know you’re on the actual web site and not a phishing site. It’s now used on several high-traffic sites such as Yahoo! and Bank of America. But sometimes sites go way too far in the name of security, making the whole thing a hassle for the user.
I logged in yesterday to check my CitiBank credit card statement and was asked to select three security questions before I could proceed. Fine, I thought, I’ve done this before. I had to select three questions from dropdown boxes…nothing new. However, the questions contained in the dropdown boxes were ridiculous. A number of them related to a spouse (e.g. what’s your spouse’s nickname?). I don’t have a spouse, so automatically I’m limited. Next, there were the childhood questions (what was your childhood pet’s name?), most of which didn’t apply to me either. Okay, what city were you born in? Got that. One question down, two to go. Next dropdown…more of the same. Found one: what’s your oldest sibling’s name? Sweet, I have only one sibling, so that’s easy. Two questions down. The third dropdown had even stranger questions. It literally took me fifteen minutes, going back and forth, trying to figure out which questions to select. Several times I considered just canceling the whole process out of frustration. Finally, I selected all three questions and was let in.
I don’t understand why security questions have to be so strange. Why can’t I just fill in my own question as well as the answer? The important part is to match up the question and the answer, not the content of the question. I really hate it when sites force you to do things that are really inconvenient for the sake of security. The system we use at work for payroll has such stringent password requirements that I can’t remember the password…every time I go to check something, I have to click “Forgot your password?”
There has to be some logical balance between being secure and being usable. When things aren’t easy to use, when you can’t remember your own security questions, or when you’re forced into a security paradigm you’re not comfortable with, it doesn’t help the user to be more secure. In fact, I’d venture to say it helps users consider alternate services that are easier to use.
Disclaimer: Any viewpoints and opinions expressed in this article are those of Nicholas C. Zakas and do not, in any way, reflect those of my employer, my colleagues, Wrox Publishing, O'Reilly Publishing, or anyone else. I speak only for myself, not for them.