LastPass Application Security Questions Features redesign concept — UX case study

Subi Amuti
Published in UX Station
Jan 6, 2019

Introduction

A security question (also called a password reset question) is a form of shared secret used as an authenticator: the site asks the user one or more personal questions at sign-up and checks the answers later, usually during account recovery. Banks and cable providers commonly use them as an extra identity check. Treat the answer as a second password, because anyone who knows it can get into the account without the first one.

However, I have had the experience of setting up a hard security answer and not being able to recall it, and errors in capitalization also produce the wrong answer error message. We have all had the experience of not getting past a security question and ending up struggling with customer support. I found that many people complain about the same issue, so I decided to do some research about it.

Serious security problem

“90% of all security questions can be figured out if someone knows your Facebook.”

Google has published research (Bonneau et al., "Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google", WWW 2015) showing that security questions are neither secure nor reliable. The study measured both guessability and recall over hundreds of millions of real answers and millions of recovery attempts.

Google reports that with a single guess an attacker would have a 19.7% success rate at guessing English-speaking users' answers to the question "favorite food?" (the answer was "pizza"). With ten guesses, an attacker would get Korean-speaking users' city of birth 39% of the time. The attacker needs no personal knowledge of the victim: real answers cluster around a handful of popular values, so trying the most common answers is enough.

· Easy answers aren’t secure

· Difficult answers aren’t usable

Yes, security questions are also stupid; I was surprised by how much people hate security questions. There is a saying that you lose a lot of time hating security questions (yes, I said that…). Let's stop hating them, because they have begun to disappear.

Nowadays, sites like Google use SMS-based reset codes, alternate email addresses and other methods that an attacker cannot beat with a good guess (they have weaknesses of their own, such as SIM swapping, but guessability is not one of them). What about the existing sites that still rely on security questions? How should a user choose answers that are secure without creating frustration?

Understanding users

Based on my experience and the issues I had encountered, I decided to ask other users these questions, to make sure I was designing to solve their problem. I have listed the questions below.

· What is your experience with security questions?

· How do you remember your security question answers?

· How long do you spend answering the questions?

· Do you think your answers are secure enough?

User painpoints

01. “I put the real answer……”

A large percentage of people use the real answer and have no idea that it isn't safe.

02. “I was in a hurry and entered dsfsdfsf for the security questions, I forgot to save those answers and I am not able to log in to my account.”

Signing up for some websites is a long process; users run out of patience and enter random text for the security question. (Honestly, this is the user's fault.)

03. “My memory sucks, I have to write the answers down in my notes.”

This user had a security question asking for his favorite band or singer, which is impossible for him to remember because his music preference keeps changing. Writing the answers down is not a good user experience either, and a note is only as safe as wherever it is kept.

04. “I remember my answer, but because of capitalization errors I ended up speaking to customer service.”

The user was confident in his answer, but the wrong answer error message was driving him crazy: a site that compares answers exactly treats "Fluffy" and "fluffy" as different answers.

05. “I was having a hard time setting up unique and secure answers for my bank account.”

It is hard to come up with a secure and unique answer for each security question, and it takes a lot of time.

06. “I feel my answers are easy to guess.”

The question itself is stupid, and the answers are either generic or searchable. Some security questions really are stupid, like "What was the name of your first pet?": it is a lot easier for someone to find or guess these answers than a complex password.

07. “A password manager app is great for passwords, not security question answers.”

Yes, what about the password manager? Password manager apps provide a notes section where users can keep track of the answers, but that is not what the notes field is for.

08. “Sometimes I reuse my answer for multiple sites..”

Users reuse their passwords across different websites, so it is no wonder they do the same with security question answers. A reused answer leaked from one site unlocks the recovery flow on every other site that asks the same question.
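Pain points 01, 04 and 06 also have a counterpart on the site that verifies the answer. The following is an added example written for this article, not code from the original post or from any real site: it rejects answers that a blocklist shows to be common for the question, normalises case and whitespace before hashing so a capitalisation slip no longer fails, and stores only a salted slow hash instead of the plaintext answer. The question names, the blocklist, the work factor and the sample answers are constructed for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed blocklist of predictable answers (illustration only). A real
# deployment would derive it from the most frequent answers seen for each
# question, which is exactly what makes "favorite food?" guessable in one try.
COMMON_ANSWERS = {
    "favorite food": {"pizza", "pasta", "sushi", "chicken", "chocolate"},
    "first pet": {"max", "buddy", "fluffy", "charlie", "bella"},
}

ITERATIONS = 200_000  # PBKDF2 work factor; tune so one hash costs ~100 ms


def normalize(answer):
    """Canonicalise an answer: Unicode NFKC, case-folded, trimmed, with runs of
    internal whitespace collapsed. "  Mr.  Whiskers " and "mr. whiskers" match,
    so a capitalisation slip no longer sends the user to customer service."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer, salt):
    """Salted PBKDF2-HMAC-SHA256 over the normalised answer (stdlib only)."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                               salt, ITERATIONS)


def register_answer(question, answer, min_len=4):
    """Reject short or common answers, then keep only salt + hash.
    Returns the record the site would persist next to the account."""
    norm = normalize(answer)
    if len(norm) < min_len:
        raise ValueError("answer is too short")
    if norm in COMMON_ANSWERS.get(question, set()):
        raise ValueError("answer is one of the most common for this question")
    salt = os.urandom(16)  # fresh per answer, so equal answers hash differently
    return {"question": question, "salt": salt, "hash": hash_answer(answer, salt)}


def verify_answer(record, attempt):
    """Constant-time comparison of the hashed attempt against the stored hash."""
    return hmac.compare_digest(hash_answer(attempt, record["salt"]), record["hash"])


if __name__ == "__main__":
    rec = register_answer("first pet", "Brk7-Qm2x-Vt9")
    print(verify_answer(rec, "brk7-qm2x-vt9 "))  # case and whitespace tolerated
    print(verify_answer(rec, "brk7-qm2x-vt8"))   # wrong answer
```

Case folding gives up at most one bit per letter, which is negligible for a generated answer and decisive for usability. Storing only a slow salted hash matters because of pain point 08: answers are reused across sites, so a plaintext answer table leaked from one site is a recovery-flow bypass everywhere else.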

Conclusion:

Users want their answers to be secure and to have somewhere safe to store them.

What features do we need?

· Users want to save their security answers.

· Generate a strong and unique answer for each question.

Password manager app

A password manager stores your passwords and personal information in an encrypted vault. As you visit apps and sites, the password manager autofills your login credentials. It can also generate a strong new password for an account.

Since security question answers are as important as passwords, why don't we add the features above to an existing password manager?

LastPass application

This application may be the most popular password manager because of its rich set of features; even the free edition includes many cloud-based services. Now let's see how we can implement the idea.

Ideate

Sketches

Add a security questions section to the site details screen

UX concept: create separate "credentials" and "security questions" sections.

So why do we need a separate section for "security questions"?

· It is frustrating for the user to keep track of the password and the answers on one screen.

· Some sites have more than five security questions, which means five more answer fields; too many fields on one screen can be overwhelming.

· It is easier for the user to understand and read the information, because having both generate password and generate answer on one screen might be confusing.

Wireframe

After A/B testing, I decided to land on no. 1 because it is consistent with the design of the other fields.

· The credentials section keeps the original fields and structure.

· The security questions section lets the user add or delete answer fields.

· The user can use the generate new answer function to create a secure answer.

First-time user setup flow
User flow analysis

I have considered the scenarios below in the user flow.

01. The user selects one question and then uses LastPass to enter the answer manually.

02. The user selects one question and then uses LastPass to auto-generate the answer.

03. The user selects multiple questions and then uses LastPass to enter the answers manually.

04. The user selects multiple questions and then uses LastPass to auto-generate multiple answers.

How does the generate new answer functionality work?

My idea is to treat security answers like passwords.

This functionality works the same way as Generate Password: the system lets the user adjust the requirements (length and character classes) for the generated answer. The only difference is that the user can generate multiple security answers at once, one per question, since reusing a single answer across questions would let one leaked answer satisfy all of them.
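To make the idea concrete, here is an added example of how such a generator could work. It was written for this article; it is not LastPass code and uses no LastPass API. The option names, the small word list and the default rules are assumptions standing in for whatever the real Generate Password dialog offers. It draws every character from the operating system's CSPRNG, lets the user toggle the same character classes a password generator does, produces several distinct answers at once for the multi-question flow (scenario 04), and reports an entropy estimate the UI could show as a strength meter.

```python
import math
import secrets
import string

# Character classes a user could toggle, mirroring the options a password
# generator exposes (hypothetical option names, not LastPass's own UI).
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*-_",
}

# Constructed word list for the "easy to read aloud" variant. A real
# implementation would ship a large list such as the EFF diceware list.
WORDS = ["copper", "violin", "meadow", "tundra", "saddle", "lantern",
         "quartz", "harbor", "velvet", "pepper", "timber", "orchid"]

_RNG = secrets.SystemRandom()  # CSPRNG-backed; never random.random() for secrets


def _enabled_classes(lower, upper, digits, symbols):
    flags = (("lower", lower), ("upper", upper), ("digits", digits), ("symbols", symbols))
    return [CHARSETS[name] for name, on in flags if on]


def generate_answer(length=16, lower=True, upper=True, digits=True, symbols=False):
    """One random answer with at least one character from every enabled class.

    Symbols are off by default because many sites reject them in answer fields;
    the user relaxes or tightens the rules exactly as for a password."""
    classes = _enabled_classes(lower, upper, digits, symbols)
    if not classes:
        raise ValueError("enable at least one character class")
    if length < len(classes):
        raise ValueError("length is too short for the enabled classes")
    chars = [secrets.choice(cs) for cs in classes]            # one per class
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    _RNG.shuffle(chars)                                        # hide class positions
    return "".join(chars)


def generate_word_answer(words=4, separator="-"):
    """Passphrase-style answer for questions that may have to be spoken to a
    support agent. Entropy is words * log2(len(WORDS)) bits."""
    return separator.join(secrets.choice(WORDS) for _ in range(words))


def generate_answers(count, **options):
    """Distinct answers for the multi-question flow: reusing one answer across
    questions would let a single leak satisfy all of them."""
    answers = []
    while len(answers) < count:
        candidate = generate_answer(**options)
        if candidate not in answers:
            answers.append(candidate)
    return answers


def entropy_bits(length=16, lower=True, upper=True, digits=True, symbols=False):
    """Upper bound on the entropy of generate_answer's output, for a strength
    meter. The one-per-class guarantee removes only a fraction of a bit."""
    alphabet = "".join(_enabled_classes(lower, upper, digits, symbols))
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    print(generate_answer())
    print(generate_word_answer())
    print(generate_answers(3))
    print(round(entropy_bits(), 1), "bits")
```

A 16-character answer over letters and digits carries about 95 bits, far beyond anything an attacker could reach with the handful of popular guesses the Google study describes; the word-based variant trades some of that for an answer the user can read to a support agent without spelling out symbols.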

Ideate

Sketch

Chosen idea: 04. The text field displays the generated answers, and the user can edit and regenerate directly in the text field.

Among the four ideas, I decided to proceed with the fourth because it applies Fitts's law to the graphical display: the text field sits in the user's natural area of attention, so it is easy for the user to navigate to and interact with.

Wireframe & User Flow

Final Design

User generates one security answer
User generates multiple security answers
