Image for post
Image for post

Challenge Questions Must Die

There are better ways to manage two-factor authentication than this unusable scourge.

Stratton Cherouny
Jan 28 · 4 min read

Those who’ve had the pleasure of working in close proximity to me have seen and heard it a thousand times: a deeply furrowed brow; a quick curse uttered not-so-quietly beneath my breath; a rhetorical question posed to the universe—my goto being “who the f*ck would do that???” All are hallmarks of the onset of a troubled software rant, for which I have become mildly famous in the halls of OX.

Today’s rant is about the use of challenge questions like those pictured below as a means of performing two-factor authentication (2FA), which is a fancy term for proving you are who you say you are when logging into a website or digital service.

Image for post
Image for post
A typical range of challenge questions

What’s wrong with this picture?

Quite a lot. Let’s start with usability. First, the questions have to be relevant to the user. Take the very first option in the list above: “What sports team would I like to see lose?” If you’re like me and don’t watch many professional team sports, you’d be hard-pressed to name which team you’d like to see lose the most. Second, the answer to that question is likely to change between now and potentially three or four years from now when you’re asked to provide the correct answer to this question again. Third, there may be several correct answers to the question that could be returned as incorrect. For example, Chicago, Chicago Bears, Bears, and The Bears could all be incorrect correct answers.

Next, let’s look at these from a security perspective. While some challenge questions may be relatively benign and carry little personally identifiable information, others may be quite sensitive. Your mother’s maiden name, for example, is often one of the questions asked by financial institutions. If ever there was a security breach and the answer to that question wasn’t adequately encrypted, you will have just left a vital piece of personal information exposed to the dark web.

There is a better way

The good news is there are some really great 2FA alternatives out there. Among the most widely used is the SMS security code, now a virtually ubiquitous form of 2FA used in financial services. Sure, just because you have a person’s phone doesn’t necessarily mean you are that person. But the odds are pretty high. And the fact that you also have to make it past the phone’s lock code only increases those odds.

Authenticator for LastPass

Even better are a host of third-party mobile 2FA apps rising up in the ranks. Authenticator for LastPass is one of my favorites, and seamlessly addresses many of the aforementioned issues.

Authenticator, and similar apps like it, works a lot like the old RSA Secure ID tokenized keychain fobs of yore that were common to high-security interfaces like banking.

Unlike the hardware-based approach taken by the likes of RSA many moons ago, today’s approach is entirely software-based. The Authenticator app generates a random code every 30 seconds for each account you set up. When prompted by the site you’re trying to log into, you enter the code that currently appears in the Authenticator app. A secure digital handshake between the two services confirms the validity of the code and there you have it—2FA achieved.

Even better, Authenticator can use FaceID and verify that the user trying to access the app is actually the right user, thereby upping the ante from 2FA to 3FA. That, in turn, accounts for the unlikely use case that an unauthorized user has gained access to your phone.

It’s early days for services like Authenticator and adoption is not yet nearly as wide as SMS.

But we’re confident they will take hold quickly, especially when they become more tightly bound with password management systems already in use. Yes, it’s a bit of a nuisance that you have to have your phone with you in order to complete a log-in to a site you use frequently, but aren’t we already strapped to them 24/7?

We get it. Time is often tight and resources scant. Something as seemingly minute as your approach to 2FA doesn’t always take center stage when there are so many other battles to fight.

Yet, design is a process of choices made—consciously or not. And customer experience, like a customer’s understanding of brand, is a stack effect; it adds up over time, often the result of a series of seemingly inconsequential moments exactly like this. A little extra attention paid to them can pay great dividends in the long run.

Better By __

At The Office of Experience, we believe the experience is…

Stratton Cherouny

Written by

Founder of The Office of Experience, a design and digital innovation firm headquartered in Chicago.

Better By __

At The Office of Experience, we believe the experience is the brand®. The best brand experiences are better by design. But they’re also better by strategy, technology, and message. Better By explores the ways in which the world around us is made better by design.

Stratton Cherouny

Written by

Founder of The Office of Experience, a design and digital innovation firm headquartered in Chicago.

Better By __

At The Office of Experience, we believe the experience is the brand®. The best brand experiences are better by design. But they’re also better by strategy, technology, and message. Better By explores the ways in which the world around us is made better by design.

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store