The UX of security questions
There’s something about public transit systems that creates a never-ending source of drama in city-dwellers’ lives. Whether it’s the London Tube, the Paris Metro, or New York’s MTA, anywhere you go you’ll find commuters frothing over service, cost, reach, or a host of other transit-focused issues.
Toronto’s no exception. Our TTC generates its share of angsty tweets (see #prestofail and #prestosucks) and Facebook rants, but it reached a new level this past year as they expanded the reach of their card-based payment system, Presto. The system has been plagued by issues, giving giving Torontonians ample opportunity to get their hate on.
What does this have to do with UX?
While Presto’s issues offer about a million opportunities for case studies on service design — or how not to do it — there are also a lot of specific examples of user experience interactions that could be better. This week I encountered one in particular that got me thinking hard about best practices, and sketching alternatives.
The background story: I lost my Presto card on my way home but retraced my steps as soon as I realized it was gone. I found myself at a nearby convenience store where someone had turned in a Presto card that might be mine...but was it? It was unsigned (mea culpa), so the only way to verify was to pull out my phone, go to Presto’s website, sign in to my account, and quickly check to see if my card number there matched the one at the store.
No problem, except it immediately became a problem. The Presto website signed me in but then blocked me from proceeding until I set up security questions for my account. No way to skip and do this later. And the process itself was…poor. Let's look at this experience and how it could improve.
Problem the first: Primary task disruption. Presto interrupted my intended task with its own time-consuming task. This meant that a quick account check that should have taken 30 seconds ended up taking close to 10 minutes. That was 10 minutes of intense frustration.
Problem the second: Timing. While account security is definitely important, Presto chose a very inopportune moment to pursue it. Transit interactions are more likely than average to be time-sensitive. (“Quick, I need to add money to my account!” or “Quick, give me the schedule for the next bus!”) Mobile interactions are also more likely to be time-sensitive because the user is often, well, mobile. They’re on the move with less time and less attention to offer an interaction than someone sitting at a computer.
Let’s drive this home: Lack of time and attention are two things you never, ever want to combine with security features. Don't rush security tasks.
When setting up account security you want your user’s full attention. You want them to be able to seriously consider the information they’re setting up, have time to double-check it, and have enough available attention to recall the interaction later.
Third problem: Poor question choice. Given I had no choice but to continue I persevered and set up my security questions. Once into the process more problems came to light. Account security questions are pretty standard but I’m often surprised by some of the choices.
“What is your favourite movie?” “What is your favourite sports team?” “What is your favourite pet’s name?”
Now Presto is not the only company to use questions like these so I’m not just wagging my finger at them — a lot of organizations get themselves into trouble by allowing inappropriate security answers.
Why are they inappropriate? Because your favourite anything can change. Today my favourite movie might be Indiana Jones but a year from now it might be the next Marvel movie. Answers that can change over a year are not good choices for security answers.
This got me thinking (afterwards) about better options and I realized just how tricky these can be. Questions need to have long-term, reliable answers but they also need to have a set of potentially infinite answers so that hackers can’t guess your response. For example, this means questions like “What colour are your mother’s eyes?” would be a poor choice, because there are only so many eye colours and a hacker could just run through the limited set of possibilities to fake their way in.
Answers also need to be easy to spell accurately and consistently, and they need to be easy to remember.
Those are just the criteria I came up with, and some curious googling turned up an even better list that specifies Safe, Stable, Memorable, Simple, and Many.
Of the 10 options Presto gave me during this process, five involved favourites. That reduced my good options to five, two of which had a serious risk of me spelling my answer incorrectly. And of the remaining three, one ran me into the last of the big issues…
Problem four: Poor error prevention & messaging.
So of 10 options, only three of the Presto security questions looked viable for me. I dutifully tried to set up those three and hit another snag. Presto obscured my answers as I typed, which is certainly more secure but also created a problem. What if I mistyped? How could I be sure I’d entered my answers correctly?
Typing on a phone is challenging at best — it’s easy to hit the wrong letter even if you’re paying full attention. Obscuring my answer as I typed meant I couldn’t verify that what I was typing was in fact correct. And if there was a typo? That spelled t-r-o-u-b-l-e down the line in the threat of failed security checks. Most companies offer a show/hide option on fields like this, but Presto didn’t.
What’s more, their error messaging as I filled in answers proved less than helpful:
I typed a 9 character answer and got an error warning me to keep my response under 50 characters. Say what? There was obviously an issue with my answer, but it was up to me to debug it, and because I couldn't see what I'd typed I had to troubleshoot blind. Double fail.
Improving the experience
End to end, this experience was filled with frustration. But I grew up hearing “If you can’t do better, don’t criticize” and that’s both a pretty great idea and a great design challenge. Faced with a flawed user experience, how would *I* improve this interaction?
Avoid disrupting time-sensitive tasks.
Given that mobile and transit users are more likely to be in a hurry, I’d build in a way to skip the security setup process anywhere between one and three times. This lets user continue on to complete a time-sensitive task but gives them the heads-up that there's something they need to do for their account when they have more time.
It might also be good to look at the TTC’s data around mobile versus desktop use — would it be possible to implement the security process only for desktop users, who have more time, attention, and resources to complete the task properly?
Account security really is important so there’s value in telling users why they're being asked to set up these questions, so that they’ll care more and be more willing to take the time. Tasks that users see as being personally valuable will encourage more engagement and positive reaction than something they perceive as an annoying interruption.
Prevent long term security failures by providing better security questions.
Offer questions that have fixed answers that won’t change over time. Questions that:
Can’t be guessed easily
Are easy to remember and accurately spell
Have answers that won’t change over time
Help users identify and correct errors easily.
Personally I would default to showing text as users type, to help eliminate typos and other errors. Adding a Show/Hide option could enable text obfuscation for anyone concerned about people seeing their answers.
Here’s how that might look…
When a time-sensitive 30-second task turns into a 10 minute wrestling match with your product, that's a UX issue. I eventually made it through Presto's account security flow and accomplished my original goal, but I emerged feeling like I'd fought a hard battle. Even a critical interaction shouldn't be that hard. In fact critical interactions should be as frictionless and easy as possible specifically because they're critical.
Creating account security questions is a pretty common interaction, and one with potentially serious consequences if handled poorly. It's well worth the time and testing to make this type of experience as painless and error-free as humanly possible. Even a few small UX tweaks can make the process much easier.
Have other tips or tricks for helping users through account security setup? Please share!