Lars Damgaard
strategic user experience designer
April 10th 2013

The horrible user experience of security questions: the future of authentication?

What was the name of your first pet? What is your mother’s maiden name? Where were you born? Who is your favorite author or your favorite historical person? What was the name of your first school teacher?

These are all real examples of questions that users are confronted with in systems that use security questions, allegedly to ensure a higher level of security in web applications. The philosophy behind security questions is to give the system a layer of security that only the user who originally wrote the answers can get past.

Why security questions are such a horrible user experience

In practice they are not that safe, because it turns out that it is not that difficult to figure out the answers to such questions, though the individual questions probably vary a lot in how much security they do or do not provide.

However, this post is not about the poor security in security questions: it’s about the poor user experience they provide for end users. Here is why.

Answers are hard to remember

Silly as it may sound, the first problem with security questions is that the answers are extremely hard to remember. Did I write the full name or just the surname of my favorite author? And did I type the special characters right? Did I write the name of my first cat or my first dog as the name of my first pet? And did I write them in capital letters? And how did I spell the name of my first school teacher? Pretty hard to remember, right?

Furthermore, the underlying assumption of security questions seems to be that the answers are unambiguous, but as the simple examples above show, they clearly aren’t: many of them (though obviously not all) admit a wide range of answers, and my guess is that very few users remember their original answers when they need them. At least I didn’t when I recently had to recall my favorite author and favorite historical person.
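Part of the ambiguity described above (capital letters, special characters, stray spaces and punctuation) can be absorbed on the server side before the answer is ever compared. The following is an added example, not code from the original post: it normalizes an answer (Unicode decomposition, accent stripping, casefolding, punctuation removal, whitespace collapsing) and then stores and checks only a salted PBKDF2 hash of the normalized form with a constant-time comparison. The sample answers, the salt length and the iteration count are constructed for illustration. Note what normalization cannot fix: whether the user wrote the surname or the full name, or chose the cat rather than the dog, remains a genuinely different answer.

```python
import hashlib
import hmac
import secrets
import unicodedata
from typing import NamedTuple, Optional

# Constructed parameters for this example (not from the post).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def normalize_answer(answer: str) -> str:
    """Collapse the spelling variants the post describes into one canonical form.

    - NFKD decomposition, then drop combining marks: "Zoë" and "Zoe" compare equal
    - casefold(): "Hemingway" and "hemingway" compare equal
    - drop punctuation and symbols: "O'Brien" and "OBrien", trailing periods
    - collapse whitespace: "Ernest  Hemingway" and " ernest hemingway "
    """
    text = unicodedata.normalize("NFKD", answer).casefold()
    kept = []
    for ch in text:
        cat = unicodedata.category(ch)
        if cat == "Mn" or cat[0] in ("P", "S"):  # combining marks, punctuation, symbols
            continue
        kept.append(" " if ch.isspace() else ch)
    return " ".join("".join(kept).split())


class StoredAnswer(NamedTuple):
    salt: bytes
    digest: bytes


def _derive(normalized: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", normalized.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def enroll_answer(answer: str, salt: Optional[bytes] = None) -> StoredAnswer:
    """Keep only a salted, slow hash of the normalized answer, never the plaintext.

    The answer space is small, so a deliberately slow KDF matters more here than for
    a strong password; the salt prevents precomputed tables across users.
    """
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    return StoredAnswer(salt, _derive(normalize_answer(answer), salt))


def verify_answer(candidate: str, stored: StoredAnswer) -> bool:
    """Re-derive from the normalized candidate and compare in constant time."""
    return hmac.compare_digest(
        _derive(normalize_answer(candidate), stored.salt), stored.digest
    )


if __name__ == "__main__":
    record = enroll_answer("Ernest Hemingway")  # constructed sample answer
    print(verify_answer("  ernest HEMINGWAY. ", record))  # same author, sloppy typing
    print(verify_answer("Hemingway", record))            # surname only: a different answer
```

Normalization widens what the server will accept, so it also slightly widens what a guesser can land on; the rate limiting and lockout that any recovery flow needs are what keep that acceptable, and the slow hash above is there for the case where the stored records leak.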

The time span between creation and use

The problem of (not) remembering security answers becomes even more relevant when you consider that the user often types in the answers on first use (e.g. at signup) and then forgets all about them until some day, perhaps years later, when they need them in order to complete this or that action in a web application. Chances are that the user has forgotten the answers by then: they are hard to remember not only because of their ambiguous nature, but also because of their infrequent use. What’s even worse, if you forget them you cannot reset them yourself; you will usually have to call someone at the company, which means you are very likely to be left with an uncompleted task and a bad user experience.

So what’s the alternative?

The fact that web applications hold more and more information about users emphasizes the relevance and importance of good authentication. Just read Mat Honan’s story if you are in doubt. However, I am pretty convinced that obtaining security through security questions is not the way to go, neither from a security perspective nor from a user experience perspective.

Two-factor authentication: something the user knows and something the user has

Instead, the future of authentication is likely to be some variation of two-factor authentication, which rests on the simple idea of obtaining security by combining something only the real user can know with something only the real user can physically possess (like a keycard or a smartphone). This makes authentication safer and improves the user experience at the same time. Personally, I prefer the smartphone, because it doesn’t force you to carry an extra gadget with you.

Good user experience and good security are often said to be each other’s enemies, but if silly security questions are gradually replaced by good two-factor authentication, the two are (more) likely to go hand in hand in the future.

Thanks for reading.
