Software with Soul

When Security Keeps the Good Guys Out

August 10th, 2008 by Lee

I just finished paying some bills online, but before I could do it, I had to go through a rigorous new security setup with my online bill pay. I had to choose an image (which doesn’t work so well in FF for Mac), name the image, and choose five security questions and answers. It seems to me as though the planning for this new level of security didn’t include any user experience research.

My husband and I both use our online banking site and I doubt we’re unusual in this. But how is he supposed to remember the make of my first car (he didn’t know me then) or my favorite teacher? Luckily four of the five questions were things we would both know, but I had to pick a personal one for the fifth, and just tell him the answer.

Next I used two of my new nifty questions and answers to log in. I’m assuming that they’ll rotate with every login. I can see all kinds of problems here. One of the answers has a hyphen in it. What if I forget to put it in? Will I be able to log in? What if we move (since this question is geographically specific)? Can I change it? A favorite thing of mine has a weird spelling. What if my husband misspells it? What if our pet dies? The security questions are fraught with issues, especially because they involve the input of free text. Seems like these work a lot better on the phone.

This reminds me of a bank application problem someone described to me once. You get three tries to log in before you are “blocked out.” But someone isn’t careful with the implementation, and three erroneous tries over a period of several months leave you blocked with not much understanding of why. Ugh, bad planning!

I’m all for security but it has lots of gotchas. When I see people’s printouts of their passwords taped to their desks, I know something could have been done a little better. Maybe I should just tape a printout of our security questions and answers to the fridge, so we don’t mess up.

UPDATE:

Well, I knew it. On his first login, my husband got us locked out of the account. First, I couldn’t remember if my favorite animal was a dog or a black lab. Then he got the location of our rehearsal dinner wrong! (I do understand…could the answer be the hotel? Or the city? Or the state?). So I call the help desk, and this nice lady informs me that no, I can’t change the settings…this is all very important to keep people who want to phish my account out (no matter that I can’t get in). Then she says, “why don’t you just print the questions and answers?” Oh right, because that is so secure! Geez. :)
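An added example (not from the original post or from any bank's code) of the two implementation choices the post runs into: comparing free-text answers after normalization, so a hyphen, capitalization or a leading "The" does not fail the login, and counting failed attempts inside a time window so that three typos spread over months do not lock the account. The function names, the article list, the 3-failures-in-15-minutes policy and the PBKDF2 parameters are assumptions chosen for illustration; misspellings are still rejected.

```python
import hashlib, hmac, re, unicodedata
from collections import deque

ARTICLES = {"a", "an", "the"}  # assumed list of leading words to ignore

def normalize_answer(text):
    """Canonical form: case, punctuation, spacing and a leading article are ignored."""
    words = re.findall(r"[^\W_]+", unicodedata.normalize("NFKC", text).lower())
    if len(words) > 1 and words[0] in ARTICLES:
        words = words[1:]
    return "".join(words)

def answer_digest(text, salt):
    # Store a salted, slow hash of the normalized answer, never the answer itself.
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(text).encode(), salt, 100_000)

def answer_matches(candidate, stored, salt):
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(answer_digest(candidate, salt), stored)

class LockoutPolicy:
    """Lock after max_failures inside `window` seconds; older failures age out."""
    def __init__(self, max_failures=3, window=900):
        self.max_failures, self.window = max_failures, window
        self.failures = deque()  # timestamps of recent failed attempts

    def _prune(self, now):
        while self.failures and now - self.failures[0] >= self.window:
            self.failures.popleft()

    def is_locked(self, now):
        self._prune(now)
        return len(self.failures) >= self.max_failures

    def record(self, success, now):
        if success:
            self.failures.clear()  # a good login resets the count
        else:
            self._prune(now)
            self.failures.append(now)

if __name__ == "__main__":
    salt = b"constructed-salt"                    # constructed sample value
    stored = answer_digest("The Beach", salt)     # answer as enrolled
    print(answer_matches("beach", stored, salt))  # typed without the article
    policy = LockoutPolicy()
    for t in (0, 30 * 86400, 60 * 86400):         # one typo a month
        policy.record(False, t)
    print(policy.is_locked(60 * 86400))
```

Normalizing shrinks the space of possible answers slightly, which is the trade made here for fewer false lockouts.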

One Response to “When Security Keeps the Good Guys Out”

  1. Blaine Says:

    This happens to us regularly so, yes, we have printed them out. Last time the question was “Where did you go on your first vacation?” I kept typing in “The Beach” but it was just “Beach”, it turns out. Shoulda looked at the list.

    Gotta be a better way…
