Masked passwords, security questions, captcha and other unusable security

What’s wrong with online security usability and how to improve it.

Agris Alksnis
UX / UI / IA Case studies

--

I have noticed a widespread trend to blame the human as the weakest link in the online security chain and to assume that we should somehow modify human behaviour to resolve security issues.

Here is an example of one of those attempts:

The average person has between 25 and 40 accounts covering everything from banking, utility bills to social networks.

Let’s look at some of the “best practice” recommendations for password security:

  • Whenever possible, use eight characters or more.
  • Don’t use the same password for everything.
  • Change your passwords often.
  • Use a long password made up of numbers, letters and symbols, use the entire keyboard.

As a result, users have to memorize 25 to 40 unique, random strings of alphanumeric and special characters, and rotate them periodically. Strings like “k$L0_V1w”, which is just 8 characters long. “Sounds easy,” said no one ever among the 3 billion internet users.

Security is important, there is no denying it. Usability, however, is essential.

The day we will be able to drop passwords and redefine human-machine interaction is still ahead of us. However, there are ways we can make this process less painful now. We shouldn’t lose business because our software failed to confirm that both parties involved are who they claim to be.

Masked passwords

It has long annoyed me when I can’t see what I type. Showing a row of bullets while a user types a complex code goes against a basic usability principle: provide visual feedback on the system’s status.

How often have you experienced someone creeping over your shoulder when you log into a website? Most of the time it’s just you.

Password masking is particularly painful on mobile devices, where typing is difficult and typos are very common. There is a bigger risk that your phone will be stolen than that you will experience shoulder surfing.

Users erase the whole password when they hit a single wrong key.

Password typing is, in some ways, an automated process. We don’t backtrack if something went wrong, especially when we can’t see where the error might be.

Solution.

  • Show passwords in clear text as users type them, by default.
  • Allow users to judge their context and decide whether to hide the password.

Here are some examples where digital teams have listened to their users.

Mailchimp.com login page.

Mailchimp Login screen

Samsung SMART TV network settings. In this environment users have to navigate with a remote. Typing with a remote is impractical enough by itself, and yes, “make sure” no one steals a password in your living room.

Samsung SMART TV network settings display
Amazon iOS mobile app Login screen

Amazon iOS mobile app.

It’s always good to include some safety assurance to increase users’ confidence, e.g. “we have secure servers”, “your data will be encrypted”.

Allowing users to stay “logged in” is also a nice addition and should be considered based on context.

However, there are situations where password or PIN masking is still the preferred option, for example in public terminals like ATMs.

Robbery at ATM machine

Security questions

Banks have used security questions to authenticate customers since at least the early 20th century. A customer’s birthplace, “residence”, occupation, age and mother’s maiden name were considered a “strong test of identity”.

In the 2000s, security questions came into widespread use on the Internet as a form of self-service password reset.

We have come a long way since then, though real corporations and well-known brands still use the same ubiquitous questions.

Due to the nature of social media, many of the older traditional security questions are no longer useful or secure.

A security question is just another password.

Since the answers are public facts about a person, they are easier for hackers to guess than passwords. Let’s look at some examples.

What is the farthest from home you have traveled?

Look it up on Instagram. #airplanewing and #hotdoglegs pictures with geo-tagging will guide you to the right answer. Foursquare helps.

In what city did you meet your spouse/significant other?

Look up the Facebook relationship status. See where they spend most of their time and give it a try; you will probably succeed.

What was the last name of your third grade teacher?

Look up which school he/she graduated from on Facebook or LinkedIn, and in what year, then find out about the staff from the school’s archives. It’s all there, online.

What is the name of the place your wedding reception was held?

You probably both checked in on Foursquare and shared images across all social networks. Flickr is a nice wedding photography pool, maps included.

What is your favourite game or sport to play?

Look up on Twitter and read between the lines.

What is your favourite childhood cartoon character?

“Nemo” and “Anna” from Frozen will be trending in 2035. Right now it’s Disney classics, The Simpsons, Winnie the Pooh; the list is not that long.

What’s your mother’s maiden name?

Just google it.

Users who recognise the danger create fake answers to the questions, defeating the whole purpose.

https://twitter.com/davidschneider/status/429555448594071552

Solution.

  • Don’t use security questions. DON’T create a weaker channel that bypasses the strong password requirements.
  • Judge what type of system you are building and choose an alternative security layer that is as strong as your primary authentication method.

Banks or credit card providers could issue a physical token. eCommerce sites could ask about recent transactions and exact amounts. Activation codes sent by SMS to a previously registered phone number are a better option for the telecoms industry.

Captcha

CAPTCHA, “Completely Automated Public Turing test to tell Computers and Humans Apart”, is a test used in computing to determine whether or not the user is human.

CAPTCHA examples

CAPTCHA was invented to protect us from bots. There are a lot of evil people out there who create bots for malicious purposes. A bot is software that runs automated tasks over the Internet. Like crawling robots, bots perform tasks that are both simple and structurally repetitive, at a much higher rate than would be possible for a human alone.

Typical bot usage for malicious purposes:

  • Take part in online polls.
  • Register for free email accounts and collect email addresses, which may then be used to send spam.
  • Buy up good seats for concerts, particularly for ticket brokers who resell the tickets.
  • Farm resources in online role-playing games that would otherwise take significant time or effort to obtain.
  • Artificially increase views for YouTube videos.
  • Inflate traffic counts in analytics reporting to extract money from advertisers.

Identification procedures are necessary as long as we have evil people amongst us, that is, for eternity.

Look at these examples and you will see why the whole concept of a CAPTCHA is flawed and should be replaced with something else. Bots that decode CAPTCHAs are getting better at reading them than we are.

unreadable CAPTCHA examples

For users with disabilities, e.g. visual, motor or cognitive impairments, being asked to complete a CAPTCHA is like a person in a wheelchair being asked to use an escalator.

Solution.

  • Explore and create custom traps for bots, made specifically to catch them without ever being noticed by human users. The most common example is the hidden form field.
  • Otherwise use a solution that tests human behaviour. Simple tasks block 99% of bots. Unless you are as big as Facebook or Alibaba, it is unlikely that bot creators will target you specifically; there is no incentive to try and solve it for every case.

Here is one example I created; it could have many variations and shouldn’t be more complex than three shapes plus subtraction and addition within 10.

Captcha alternative for web

A more “finger friendly” solution that could be used on smartphones instead of a CAPTCHA.

Captcha alternative for mobile

If you are running Alibaba, Yahoo or Facebook, then bot writers will target you heavily and take the time and resources to figure out your traps. It is not an easy battle between engineers; however, I would expect more from our wealthy tech giants. So far we get things like reCAPTCHA or plain excuses.

Users fail to login — it costs you business.
Users fail to retrieve a password — they abandon you.
Users fail to convince system that they are a human — they leave.

For too long we have followed the legacy of internet security solutions and blamed the end user for poor behaviour. Most of the time those solutions are used only because they have always been there. Fingerprint scans, voice and facial recognition, heart rhythms as identification: we will get there eventually.

Fixing the usability issues of the old security solutions that people use every day is what matters now.
