The UX of security questions
There’s something about public transit systems that creates a never-ending source of drama in city-dwellers’ lives. Whether it’s the London Tube, the Paris Metro, or New York’s MTA, anywhere you go you’ll find commuters frothing over service, cost, reach, or a host of other transit-focused issues.
Toronto’s no exception. Our TTC generates its share of angsty tweets (see #prestofail and #prestosucks) and Facebook rants, but it reached a new level this past year as they expanded the reach of their card-based payment system, Presto. The system has been plagued by issues, giving giving Torontonians ample opportunity to get their hate on.
What does this have to do with UX? Simply put, the system offers some great examples of user experiences that could be better. What’s bad for commuters is actually good for UX designers and product creators, because these examples give us an opportunity to learn from others without committing the same mistakes ourselves.
Let’s look at a perfect example. Last month I lost my Presto card on my way home. When I realized this I retraced my steps immediately, and soon found myself at a nearby convenience store. Luck looked to be with me: Someone had turned in a Presto card that might be mine…but was it? It was unsigned (mea culpa), so the only way to verify was to pull out my phone, go to Presto’s website, sign in to my account, and quickly check to see if my card number there matched the one at the store.
No problem, except it immediately became a problem. The Presto website signed me in but then blocked me from proceeding until I set up security questions for my account. There was no way to skip and do it later, and the process itself was decidedly poor. Let’s look at the experience and how it could be improved.
Issue round-up
Problem one: Primary task disruption
I was on a mission when I landed on the Presto site, and it was fairly time-sensitive. Presto interrupted this intended task with its own time-consuming task. A quick account check that should have taken 30 seconds ended up taking close to 10 minutes. Fail.
Problem two: Timing
While ensuring account security is definitely important, Presto chose a very inopportune moment to pursue it. Transit interactions are more likely than average to be time-sensitive. They tend to be things like “Quick, I need to add money to my account!” or “Quick, give me the schedule for the next bus!” Mobile interactions are even more likely to be time-sensitive because the user is often, well, mobile. They’re on the move with less time and less attention to offer an interaction than someone sitting at a computer.
Here’s the thing: Lack of time and attention are two things you never, ever want to combine with security features. Don’t rush security tasks.
When setting up account security you want your user’s full attention. You want them to be able to seriously consider the information they’re setting up, have time to double-check it, and have enough available attention to recall the interaction later. Presto’s timing was poor — they not only hijacked my primary task, they did it at a time when I was using a tiny screen, distracted, with little attention to spare.
Problem three: Poor question choice
Since I was standing in a store and needed to verify my card information stat, I had no choice but to let Presto make me set up some security questions. How hard can it be to choose three questions, right?
Sadly this proved surprisingly hard.
Presto’s account security questions were pretty standard but that doesn’t mean they were good. For example:
“What is your favourite movie?”
“What is your favourite sports team?”
“What is your favourite pet’s name?”
Presto is definitely not the only company to use questions like these — a lot of organizations use them, and unknowingly create issues for themselves in the future.
What’s the problem? These types of questions have answers that can change over time. Your favourite anything can change. Today my favourite movie might be Indiana Jones but a year from now it might be the next Marvel movie. Answers that can change over a few months or a year are not good choices for security answers.
This got me thinking afterwards about better options and I realized just how tricky these questions can be. They need to have long-term, reliable answers but they also need to have a set of potentially infinite answers so that hackers can’t guess your response. For example this means questions like “What colour are your mother’s eyes?” would be a poor choice, because there are only so many eye colours and a hacker could easily run through the limited set of possibilities to find the right answer.
Answers also need to be easy to spell accurately (and consistently), and they need to be easy to remember.
Those are just the criteria I came up with, and some curious googling turned up an even better list that specifies Safe, Stable, Memorable, Simple, and Many.
Of the 10 options Presto gave me for security questions, five involved favourites. That reduced my good options to the remaining five, two of which involved a serious risk of me spelling my answer incorrectly. And of the remaining three, one ran me into the last of the big issues…
Problem four: Poor error prevention & messaging
So of 10 security questions, only three of the options looked viable for me. I dutifully tried to set up those three and hit another snag. Presto obscured my answers as I typed, which is certainly more secure but also created a problem. What if I mistyped? How could I be sure I’d entered my answers correctly?
Typing on a phone is challenging at best — it’s easy to hit the wrong letter even if you’re paying full attention. Obscuring my answer as I typed meant I couldn’t verify that what I was typing was in fact correct. And if there was a typo? That spells t-r-o-u-b-l-e down the line in the form of failed security checks. Most companies offer a show/hide option on fields like this, but Presto didn’t.
What’s more, their error messaging as I filled in answers proved less than helpful:
I typed a 9 character answer and got an error warning me to keep my response under 50 characters. Say what? There was obviously an issue with my answer, but it was up to me to debug it, and because I couldn’t see what I’d typed I had to troubleshoot blind. Double fail.
Improving the experience
End to end, this experience was filled with frustration, but I grew up hearing “If you can’t do better, don’t criticize” and that’s both a pretty great idea and a great design challenge. Faced with a flawed user experience, how would I improve this interaction?
Avoid disrupting time-sensitive tasks
Given that mobile and transit users are more likely to be in a hurry, I’d build in a way to skip the security setup process at least once and perhaps as many as three times. This lets users complete time-sensitive tasks but gives them a heads-up that there’s something they need to do for their account when they have more time.
It might also be good to look at the TTC’s data around mobile versus desktop use — would it be possible to implement the security process only for desktop users, who have more time, attention, and resources to complete the task properly?
Create motivation
Account security really is important so there’s value in telling users why they’re being asked to set up these questions so that they’ll care more and be more willing to take the time. Tasks that users see as being personally valuable will encourage more engagement and positive reaction than something they perceive as an annoying interruption.
Prevent long term security failures by providing better security questions
Offer questions that have fixed answers that won’t change over time. Questions that:
- Can’t be guessed easily
- Are easy to remember and accurately spell
- Have answers that won’t change over time
Help users identify and correct errors easily
Personally I would default to showing text as users type, to help eliminate typos and other errors. Adding a Show/Hide option could enable text obfuscation for anyone concerned about people seeing their answers.
Here’s how that might look…
Recap
When a time-sensitive 30-second task turns into a 10 minute wrestling match with your product, that’s a UX issue. I eventually made it through Presto’s account security flow and accomplished my original goal, but I emerged feeling like I’d fought a hard battle. Even a critical interaction shouldn’t be that hard. In fact critical interactions should be as frictionless and easy as possible specifically because they’re critical.
Creating account security questions is a pretty common interaction, and one with potentially serious consequences if handled poorly. It’s well worth the time and testing to make this type of experience as painless and error-free as humanly possible. Even a few small UX tweaks can make the process much easier.
Have other tips or tricks for helping users through account security setup? Please share!
