Quite often now, when you create an account, you’re supposed to pick a question and enter your answer to it. There are many problems with this.
Single question, the same for everyone
I used to work in an open plan office, where the team next to us would get calls from people needing emergency money (Community Care Grant). They were taking the people through a script, asking various questions to see why they needed the money, who they were, etc., and suddenly, out of the blue, we would hear:
“What’s the name of your childhood best friend?”
We could only hear one part of the conversation, so I don’t know exactly how the person at the end of the line would react to that, but quite often we were rolling our eyes, thinking this script could do with some improvement(!) Most of the time, they had to explain why they were asking, “it’s for security reasons”.
Later, I saw the associated form, which did explain why they were asking that one question.
But imagine: you’re calling because you need money, you’re probably not doing too well, and suddenly you’re asked for the name of a childhood friend. What if you didn’t have friends? Or more than one? What name do you give? The real one? Their nickname? Full name? First name? Sometimes they were asked: can you spell this for me? What if you can’t?
Calling your bank or insurance company, you’re probably familiar with this scenario as soon as you reach someone:
- What’s your account number / policy number?
- What’s your full name?
- Your date of birth?
- First line of your address?
It never feels very secure: anyone with a letter from them could answer these, and a date of birth would not be hard to get.
Write your own question and answer
I’m helping people in a class to improve their digital skills by using various online forms. Last week, some of them were puzzled by the security question parts:
To register for a council tax online account, you have to enter a question of your choice and the answer to it.
This helps to find something relevant to you, I guess, which is good, but it’s awkward if you are not used to the process. People didn’t get why they were asked, and most of them ended up picking the one suggested, “what’s my favourite colour?”, which is not really secure.
Select a question in a list
Another form we help people with is the Universal Credit one, and during the account creation you need to pick 2 questions from a list:
Quite a few people in the group were a bit unsure what to choose in the second list. Not everyone goes to the cinema or on holiday, has had a pet or has a car.
And here is ‘the best childhood friend’ again and you are to remember their surname this time.
When the user is a child
When my children applied for the EU Settled Status, they had the same security questions as adults. As a child you can pick one from:
- In what city or town did your wedding take place?
- What is the first job you ever had?
- What is the name of your partner?
- What is your partner’s mother’s name?
- What make was your first car?
I guess in that list, you can still use the one about the first school or favourite teacher, assuming you had one.
A lot of assumptions in these questions
Not everyone has ‘favourite’ drinks, food, colour, film, song etc… These questions often assume you have a ‘normal life’: a father and a mother, a pet, went to school, had a best friend, own a car, got married … all the stereotypes. This can make you feel uncomfortable each time you have to create an account.
I’m French, so names might have some accents, some dashes. I need to remember if I didn’t bother with the dashes or if I wrote them at the time. My birth place town’s name has ‘Saint’ in it: did I write ‘Saint’ or its abbreviation ‘St’? When the answer is more than one word, can we put spaces between words? They hardly ever explain what you can and can’t do. I need to get rid of the accents as most systems can’t cope with these. I’m sure many people have similar issues and even extra ones.
It’s often quite funny as well when someone on the phone needs to match what they see on their screen with the answer in French I’m giving them. They usually just accept my answer.
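The accents, dashes, ‘Saint’ versus ‘St’ and spacing problems above are all things the system, not the user, could absorb before comparing answers. The following is an added example (not code from any of the services mentioned in this post) of how a form could normalise an answer to one canonical form, reject the obviously guessable ones, and store only a salted slow hash rather than the plain answer. The abbreviation table and the list of weak answers are constructed for the example and are assumptions, not anything a real service uses.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed for this example: abbreviations the post mentions, expanded so
# "St Etienne" and "Saint-Étienne" end up identical after normalisation.
ABBREVIATIONS = {"st": "saint", "ste": "sainte"}

# Constructed sample of answers so common that they give almost no security
# (the post's "favourite colour" problem); a real list would be much longer.
GUESSABLE_ANSWERS = {"blue", "red", "green", "black", "pizza", "dog", "cat"}


def normalise_answer(answer: str) -> str:
    """Fold the variants the post lists into one canonical form.

    Accents are dropped, case is ignored, dashes and apostrophes become word
    separators, other punctuation is removed, runs of whitespace collapse to a
    single space, and known abbreviations are expanded.
    """
    # NFKD splits "é" into "e" + a combining accent; drop the combining marks
    decomposed = unicodedata.normalize("NFKD", answer)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    folded = stripped.casefold()
    # Hyphenated names ("Jean-Pierre") and apostrophes become separate words
    folded = re.sub(r"[-'’]", " ", folded)
    # Any other punctuation is simply dropped
    folded = re.sub(r"[^\w\s]", "", folded)
    words = [ABBREVIATIONS.get(word, word) for word in folded.split()]
    return " ".join(words)


def too_guessable(answer: str) -> bool:
    """True if the normalised answer is in the constructed weak-answer list."""
    return normalise_answer(answer) in GUESSABLE_ANSWERS


def _digest(normalised: str, salt: bytes) -> bytes:
    # A slow, salted hash so a leaked table of answers cannot be reversed
    # cheaply; the iteration count is an assumption suited to this example.
    return hashlib.pbkdf2_hmac("sha256", normalised.encode("utf-8"), salt, 200_000)


def store_answer(answer: str) -> dict:
    """Return what a server should persist: a random salt and the answer hash."""
    if too_guessable(answer):
        raise ValueError("answer is too common to act as a secret")
    salt = os.urandom(16)
    return {"salt": salt, "hash": _digest(normalise_answer(answer), salt)}


def verify_answer(stored: dict, candidate: str) -> bool:
    """Compare a typed answer against the stored record in constant time."""
    candidate_hash = _digest(normalise_answer(candidate), stored["salt"])
    return hmac.compare_digest(candidate_hash, stored["hash"])


if __name__ == "__main__":
    record = store_answer("Saint-Étienne")
    # Both spellings the post worries about match the stored record
    print(verify_answer(record, "st  Etienne"))   # True
    print(verify_answer(record, "Lyon"))          # False
```

Normalising before hashing means the user no longer has to remember whether they typed the accent or the dash; the server still never stores the answer itself, so a database leak exposes only salted hashes.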
I know a few people who just pick any question, any answer and save this somewhere with the password. Not very secure again.
More on Security
I don’t have a solution. But like Captcha, I’d rather see security questions disappear.
On this subject, this talk by Jared Spool is really good and worth watching, I really recommend it: Insecure & unintuitive: How we need to fix the UX of security
On the subject of security questions, around 50 min into the video, there is an example where you have to select 5 security questions and the answers you can give are to be picked from a list…
Who knew that mashed potatoes could be some people’s favourite pizza topping?
If you want to learn more about the classes to improve digital skills I’m involved in, here is the latest blog post I’ve written on this: