To survive the day-to-day dangers of using the Internet I use a range of passwords, user names, and email addresses, all created to make my online world more secure. And, like most people we observe in user testing, I am pretty used to having to answer or create a security question when registering on websites.
But this one caused me quite a bit of hesitation…
Can you see why?
Why do security questions cause such a usability problem?
I was applying for tickets to the 2012 London Olympics (above), and I was offered three security questions. I provide these below with an explanation of why I was unsure what to do:
What is your best friend’s name?
This caused me a few concerns. Firstly, I consider myself to be pretty even-handed with my close friends and don’t regard any of them as a ‘best friend’. Secondly, I would actually feel guilty if I had to choose one over the others. Thirdly, I wouldn’t remember which friend I chose when I come back to the site in January to get my tickets. Maybe I should have chosen my wife!
Who is your favourite sportsperson?
I’m 34. I like football. When there is no football, I follow a bit of tennis, some athletics when it is on, and the odd game of rugby. I don’t have a favourite sportsperson. If I had to choose one now, how would I remember it in five months’ time when I return to the site?
What is your favourite food?
I’m a bit of a foodie. I dabble in cooking but am lost without Jamie Oliver. So I like lots of food. Asking for my favourite food is like asking for my favourite song or movie: it completely depends on how I’m feeling. So when I’m asked this question in August, I’m feeling summer food: barbecues, Mediterranean, crazy salads, summer fruits. When I’m asked in January it will be comfort food: hearty food, soups and pies.
So the common issue I had with all these questions was that I simply could not answer any of them with confidence. I had a discussion with my wife. I pondered. I questioned. In the end I just had to jump in and choose one, expecting that I’ll struggle with it next time I come to use the site. What kind of user experience is that?
What makes a good security question?
The reason for these security questions is to back up who you are should you forget your other security details (username, password, etc.). Testing often proves inconclusive in finding the ultimate security question, especially if your audience is international.
When asking a security question, the question and answer should be:
- Easy for an individual to answer confidently
- Not obvious enough for hackers to guess or research
- Not subjective, open to interpretation, or reliant on mood and feeling
- Such that there can clearly be only one answer
Yahoo! attempt to tackle this by offering a range of questions for users to choose from. As long as you’re not a young, single only child of a single mum who has no siblings! Which just shows how difficult a problem this is!
The good security questions we come across tend to ask for firsts: your first pet’s name, your first school, your first musical instrument. But like any security question we can come up with, there will be a percentage of users who can’t answer it.
In some cases, users are able to write their own question and answer. However, this poses an issue for websites that need good security, because users may choose a question that is easy for someone else to guess, e.g. Who won the World Cup in 2010?
How do we instil good usability and incorporate a security question?
I’m no expert in online security, but we use PINs for our bank and credit cards, so could this system be added to secure websites?
If we must use security questions, allow users to have some control but ensure the answers are not easy. Ask users to complete a question, and provide an answer. For example:
This would require usability testing in context before it was used. But it may help to make the process easier for users to create a more secure secret question.
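Whatever question the user ends up with, the answer still has to meet the criteria listed above: confidently reproducible by the user, yet not easily guessed. The following is an added example of how a site might handle the answer server-side; it is not code from the original post. It normalises the answer so honest recall variations (capitals, spaces, punctuation) still match, rejects answers from a small constructed blocklist of obvious ones, and stores the answer hashed like a password rather than in clear text. The blocklist, the minimum length and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed blocklist of answers that are too easy to guess or research.
# A real deployment would use a far larger list built from common answers.
COMMON_ANSWERS = {"football", "pizza", "fluffy", "smith", "london", "none", "na"}

# Assumed policy values for this example.
MIN_LENGTH = 4
PBKDF2_ROUNDS = 200_000


def normalise(answer: str) -> str:
    """Canonicalise an answer so 'Mr. Smith' and 'mr smith' verify the same."""
    s = unicodedata.normalize("NFKD", answer)          # split accents off
    s = s.encode("ascii", "ignore").decode()           # drop the accents
    s = s.lower()
    return re.sub(r"[^a-z0-9]", "", s)                 # strip spaces/punctuation


def is_acceptable(answer: str) -> bool:
    """Reject answers that fail the 'not obvious enough to guess' criterion."""
    n = normalise(answer)
    return len(n) >= MIN_LENGTH and n not in COMMON_ANSWERS


def enrol(answer: str) -> tuple[bytes, bytes]:
    """Store the answer as (salt, PBKDF2 digest), never in clear text."""
    if not is_acceptable(answer):
        raise ValueError("answer too short or too guessable")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(answer: str, salt: bytes, digest: bytes) -> bool:
    """Check a later attempt in constant time against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)
```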
We would be very keen to hear how other people have resolved this issue. What good and bad examples of security questions have you come across?
About Ali Carmichael
Ali (or Alasdair) is an experienced project manager who loves his Gantt charts and milestones! He has over 12 years’ experience managing successful online experiences for world class brands. Ali is responsible for ensuring our clients love what we do for them. Follow Ali on Twitter @AliJCarmichael