Are Security Questions a Joke? Or is the way the Systems are Designed the Real Joke?

Security questions (Photo credit: janetmck)

I read a good article the other day on the security risk posed by the "security questions" that sites use for password recovery.

I too have been quite amused by the poorly designed questions that purport to help you if you forget your login details for a site.  Frank Voisin suggests a few criteria that a better question should meet.

However, the second item jarred with me: "Applicable: the question should be possible to answer for as large a portion of users as possible (ideally, universal)."

Why?

I would have thought that the primary (and only) function of a recovery question was to elicit something that the person involved knows and nobody else can easily guess, not something that every user happens to be able to answer.

Now I'm only a human factors scientist, but my training suggests that we ask the individual to design their own questions.  Sure, give them some advice and make the process as intuitive as possible, but give them the ability to make it as individual as they like; surely that's the whole point!  After all, the answer is just a secondary credential: it sits in the same account database as the password, is looked up only when a recovery is requested, and should be protected in the same way.
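To make the proposal concrete, here is a small recovery-question module written for this post as an added example (it is not code from the original article or from any site it discusses). It lets the user write their own question, gives advice rather than imposing a fixed list, and stores only a salted, slow hash of the normalized answer so that the answer is treated like a password rather than kept in the clear. The policy values, the list of too-common answers, and the sample questions are all constructed assumptions for the example.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Assumed policy values for this example; the post does not specify any.
MIN_ANSWER_CHARS = 4
PBKDF2_ROUNDS = 200_000

# Constructed list of answers that are too guessable to act as a credential.
TOO_COMMON_ANSWERS = {"password", "1234", "none", "unknown", "idk", "yes", "no"}


def normalize(text: str) -> str:
    """Fold case, Unicode form, punctuation and whitespace so an answer
    recalled years later as ' MR BIGGLES ' still matches 'Mr. Biggles'."""
    text = unicodedata.normalize("NFKC", text).casefold()
    text = re.sub(r"[^\w\s]", "", text)   # drop punctuation
    return " ".join(text.split())         # collapse whitespace


def advise(question: str, answer: str) -> list[str]:
    """Advice for a user-designed question/answer pair, returned as a list
    of problems.  An empty list means the pair looks usable as a credential."""
    problems = []
    q, a = normalize(question), normalize(answer)
    if not q:
        problems.append("question is empty")
    if len(a) < MIN_ANSWER_CHARS:
        problems.append("answer is too short to resist guessing")
    if a in TOO_COMMON_ANSWERS:
        problems.append("answer is one that many people would give")
    if a and a in q:
        problems.append("answer appears in the question itself")
    return problems


def enroll(question: str, answer: str) -> dict:
    """Store the question in the clear (it must be shown back at recovery
    time) but only a salted PBKDF2 hash of the normalized answer."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return {"question": question, "salt": salt, "hash": digest, "rounds": PBKDF2_ROUNDS}


def verify(record: dict, attempt: str) -> bool:
    """Re-derive the hash from the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(attempt).encode("utf-8"), record["salt"], record["rounds"]
    )
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    # Constructed sample pairs showing the advice a user would see.
    for q, a in [
        ("What was the name of my first cat?", "Mr. Biggles"),
        ("Favourite colour?", "red"),
        ("My first cat was called Biggles, what was his name?", "Biggles"),
    ]:
        print(q, "->", advise(q, a) or "ok")
    rec = enroll("What was the name of my first cat?", "Mr. Biggles")
    print("stored fields:", sorted(rec))          # no plaintext answer is kept
    print("recovery with ' MR BIGGLES ':", verify(rec, " MR BIGGLES "))
    print("recovery with 'tiddles':", verify(rec, "tiddles"))
```

The advice function deliberately warns rather than refuses, which is the human-factors point of the post: the user keeps control of how individual the question is, but is told when the answer is so short, so common, or so visible in the question that it no longer identifies them.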

Or is it that the systems designer was trying to make his or her own job easier, fitting the human to the system rather than designing the system around the individual's explicit needs?  Did a fixed list of questions save them a few lines of code?

Obviously some human science input into this area is sorely needed.  This raises the question of whether the best person for the role is a computer scientist who has cross-trained into the human interface, or someone with a psychology or social science background.  My suggestion is that in this case you really need cross-disciplinary interaction to arrive at an optimal solution.


One Response to Are Security Questions a Joke? Or is the way the Systems are Designed the Real Joke?

  1. Tony says:

    XKCD famously pointed out the problem here: passwords are easy for computers to guess, and hard for humans to remember. Pass phrases are much better.

    Human identification gets interesting too!
