1.0  Usability principles in security systems

Security and trust are vital principals in building interpersonal and business relationships. These same principles should be employed to both directly and indirectly communicate with users. The following post shows how the construction of password reset challenge questions tell a narrative story of capability and intention as much as supporting text and brand values of the system and service that is secured by them.

2.0  Characteristics of good questions

Correctly structuring and defining the content of password reset challenge questions has a number of characteristics that underwrite a good user experience and establish the environment as high quality, well considered and competently managed technology.

2.1   Cannot be easily guessed or researched

The most important characteristic of a good security question is its own difficulty to discover.  A good security question would have answers that are not easy to guess or deciphered directly or indirectly from what is known or can be researched about the person.

Good security questions meet a number of specific requirements and have high entropy (the number of possible answers) and that the probability of selecting the correct answer is very low.  Only the authorized user is likely to provide the correct answers making a highly secure system.   Answers are even unlikely to be known by a family member, close friend, relative, ex-spouse, or significant other.

Bad examples:

• What is your address?
• What is your phone number?
• What is your mother’s maiden name?

Good examples:

• What was your dream job as a child?
• What is the first name of the boy or girl that you first kissed?

2.2   Doesn’t change over time

One of the most common mistakes in creating reset challenge questions is the use of “favourites” as a concept.  Favourite vacation, teacher, colour, movie, book, animal, song, artist, etc. The list is endless and worthless as people change their minds about these favourites.  Last year my favourite holiday was France; this year it is New York.  Not only does the type change from country to place but the next time I login and have to answer a security question, I can get locked out because I’ve had several favourite holiday locations and activities. For the user the result is frustration, “I answered the question, didn’t I” leaving them feeling foolish and with a perception that the technology and its user is untrustworthy.

Bad examples:

• Where did you go on holiday last year?
• Where do you want to retire?

The answer to a good security question doesn’t change over time.

Good examples:

• What is the middle name of your youngest child?
• What school did you attend when you were 16?

The other problem with favourite or preference types of questions is that people are displaying more information on social network sites like Facebook and Myspace so this type of information enters the public domain.

2.3   Is memorable

The answer to a good security question should be easy to remember but still not available to others. Ideally, the user should immediately know the answer without doing research or looking up an association or reference or having to remember too far back in time.

Bad examples:

• What is your driver’s license number?
• What is your car registration number ?

Good example:

• In what month were you married?

The problem with memorable questions and answers is that they may relate to a social context that not all users have i.e. Married, Brothers/Sisters etc.

2.4   Is definitive or simple

The question should require a specific answer.

Bad example:

• What was your first car?
• Answer: Ford, Escort, Ford Escort, 1972 Ford Escort

The answer can be remembered and entered differently and still be correct for the user but wrong for the system.

Better example:

• What was the make of your first car?
• What was the make and model of your first car?

This is where the use of language and cultural context starts to have a major effect.

2.4   Does not embarrass

When users are presented with questions that offer open text answers they will sometime use language that they would not expect to be questioned about or worse still have a colleague of manager see them enter into a form.  Also very personal questions cause users to negatively view the technology and ‘ask, why would this company want to know that?’

2.5   Security Level

The most important factor to determining the types of challenge questions used is the level of security required and what risks are opened up by the questions being used.

3.0  References

Ariel, R., University of California, Berkeley 2008. Personal knowledge questions for fallback authentication: security questions in the era of Facebook, SOUPS ’08: Proceedings of the 4th symposium on Usable privacy and security.  Available through:  ACM Digital Library [Accessed 26 October 2010].

Florencio, D., Herley, H., Microsoft Research. 2007. A large-scale study of web password habits, WWW ’07: Proceedings of the 16th international conference on World Wide Web. Available through:  ACM Digital Library [Accessed 26 October 2010].

Just,M., Aspinall , D., University of Edinburgh. 2009. Personal choice and challenge questions: a security and usability assessment, SOUPS ’09: Proceedings of the 5th Symposium on Usable Privacy and Security.  Available through:  ACM Digital Library [Accessed 26 October 2010].

Mohammad, M., Van Oorschot, P. C., Carleton University Ottawa. 2008. Security and usability: the gap in real-world online banking,  NSPW ’07: Proceedings of the 2007 Workshop on New Security Paradigms. Available through:  ACM Digital Library [Accessed 26 October 2010].

Note: A longer version is in process and this post will be updated soon.

Author Links

• linkedin: profile
• references: business
• twitter: userexperienceu
• speaking: UCD2012