[Sigia-l] secret question & answer

ashk at ashk.org
Thu Feb 5 21:31:12 EST 2004


This is probably a late response to your question. Still here it is for what
it is worth:

I have seen the 'create your question and answer' option throw up really
interesting results in iterative testing cycles. In the end I have been
driven to the conclusion that the result is not worth the trouble and is
inherently fraught with security issues.

If you do get the users to understand the intent, there is no guarantee that
they will create 'unique-answer' questions (in fact, some users entered 'the
color of the sky?' or 'how do you spell cat?' as the question; some used
'best friend's name?' etc. only to say that they would probably forget the
answer and/or use trial and error).

That said, I have personally used the options that my bank gave me (3
successive Q-A's) to reset my password (thereby saving them the cost of a
call); I can't say they are totally without merit. I have also noticed that
many times the utility (or efficiency) of this mechanism is reduced due to
poor interaction design.

The following interaction tricks have had some success in the past:
1. Separate profile creation from the Q-A creation by keeping them on
separate pages. The cognitive load of creating 'unique' responses trips
people up; especially when they are entering their ID-password and possibly
other personal info.
2. Try to follow a wizard like interface and create the 'sets' one by one.
3. Make the process optional but explain the consequences (e.g. 1-3 business
days to reset by calling 800 number; might not be an option in some cases)
4. Nothing frightens users more than an empty field. Prepopulate the
create-your-own question field with the closest example of a unique question
('mother's maiden name?').
5. Provide extra messaging (1-2 succinct lines) and examples (again
unique-answer types) next to the question field. (Yes, they will copy and
paste!). Also look to provide fewer options around the fields (more white
space).
6. Try to bolster the security of the retrieval by some numeric query (last
four of the social, month and year of birth etc.)

I have recently seen sites employ different methods for password
retrieval/reset by using innovative methods of authentication (See
Priceline, INGDirect). I hope this is because they are looking at the
problem holistically and am curious to learn the results.

HTH,

-Adamya
----- Original Message ----- 
From: "Samantha Bailey" <a2slb at bellsouth.net>
To: "sigia l" <sigia-l at mail.asis.org>
Sent: Monday, February 02, 2004 8:21 PM
Subject: [Sigia-l] secret question & answer


> Hi,
>
> Has anyone dealt with "secret question & answer" approaches to verifying
> authentication data (login & pwd)? We are working on an interface design
> that requires the user to select 3 questions and their corresponding
> answers
> (from a total list of approximately 20 questions). Additionally we need to
> support the option of allowing the user to create their own questions for
> 1-3 of the 3 required questions (i.e., the user can choose two of our
> questions and make one up or any other combination they like).
>
> We're on our second iteration based on usability tests and unfortunately
> our
> "improved" design actually tested *worse* the second time around. Our
> tests
> have shown a few things:
> -users are confused by the "create your own" question option; for the most
> part they seem to find it a distraction and "overkill"
> -a number of users (the majority) are typing their own question into the
> answer box and not realizing that they haven't provided an answer (well,
> really that they've provided an answer in response to a question they
> won't
> associate as "theirs")
> -some users feel that having to answer 3 questions is overkill
> -users think that they will have to remember the question *and* the answer
> and are worried about how they'll do that; something about the number of
> questions and the fact that they're choosing the question they want to ask
> seems to be leading to this conclusion
>
> Based on all of this, our feeling has been that it would be simpler to
> drop
> the "create your own question" option, but our team doesn't have the
> last-say on that one, and it's going to stay one of the requirements.
> So...we have to get the interface working.
>
> Anyone aware of examples of secret Q&A with create your own in an
> interface
> you've liked? Any advice?
>
> We've kicked around a number of options and are now leaning toward
> presenting three question & answer interface boxes on the page with
> "create
> your own question" as the last option in the drop down. If the user
> selects
> this option, a dynamically generated insert box for the question and
> answer
> will populate the screen.
>
> Am interested to hear how others have handled this. Will happily compile
> responses offline or on and send to the group. Thanks!
>
> Samantha Bailey
> samantha at baileysorts.com | http://baileysorts.com
>
>
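As an added example for the list (not code from either poster; the names enroll, verify, WEAK_ANSWERS, the attempt limit and the PBKDF2 parameters are all made up here): a small Python module that enforces the two things the thread keeps circling. Enrollment rejects answers that are guessable from the question, which covers both the 'how do you spell cat?' problem Adamya saw and the users in Samantha's tests who typed the question itself into the answer box. Verification bounds the trial-and-error Adamya mentions with a failure counter, stores only salted hashes of the normalized answers (an answer is as sensitive as a password), and checks every answer in constant time so the response does not reveal which of the three was wrong.

```python
"""Enrollment and verification for secret question/answer reset challenges.
Added illustration for this thread, not code from either poster; all names,
limits and the deny-list below are assumptions made for the example."""
from __future__ import annotations

import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass

MIN_ANSWER_LEN = 3      # assumption: shorter answers are too easy to guess
MAX_ATTEMPTS = 3        # assumption: lock the reset after this many failures
PBKDF2_ROUNDS = 100_000

# Constructed deny-list: the answers the usability testing in the thread saw
# people pick ("blue" for the sky, "cat") plus a few obvious fillers.  A real
# deployment would carry a much larger list.
WEAK_ANSWERS = {"blue", "cat", "c-a-t", "password", "none", "n/a"}


def normalize(text: str) -> str:
    """Canonicalise an answer so '  Rex ' and 'rex' verify the same way:
    Unicode NFKC, case-fold, collapse internal whitespace."""
    return " ".join(unicodedata.normalize("NFKC", text).casefold().split())


@dataclass
class SecretQA:
    question: str
    salt: bytes
    digest: bytes


def _digest(norm_answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", norm_answer.encode("utf-8"),
                               salt, PBKDF2_ROUNDS)


def enroll(question: str, answer: str) -> SecretQA:
    """Reject the answers the thread warns about, then store a salted hash,
    never the plaintext answer."""
    norm_q, norm_a = normalize(question), normalize(answer)
    if len(norm_a) < MIN_ANSWER_LEN:
        raise ValueError("answer too short")
    if norm_a in WEAK_ANSWERS:
        raise ValueError("answer is on the weak-answer list")
    # Both failure modes from the usability tests: the user typing the
    # question itself into the answer box ('the color of the sky?' as the
    # answer), and a question that contains its own answer ('spell cat?').
    if norm_a in norm_q or "?" in norm_a:
        raise ValueError("answer must not be, or appear in, the question")
    salt = os.urandom(16)
    return SecretQA(question, salt, _digest(norm_a, salt))


@dataclass
class ResetChallenge:
    """The set of Q-A's a user must answer to reset, with a failure counter
    so trial and error on the reset form is bounded."""
    entries: list[SecretQA]
    failures: int = 0

    def locked(self) -> bool:
        return self.failures >= MAX_ATTEMPTS


def verify(challenge: ResetChallenge, answers: list[str]) -> bool:
    """All answers must match.  Every answer is checked even after a
    mismatch, and compared in constant time, so timing and the response
    do not reveal which question was answered wrongly."""
    if challenge.locked() or len(answers) != len(challenge.entries):
        return False
    ok = True
    for entry, given in zip(challenge.entries, answers):
        ok &= hmac.compare_digest(_digest(normalize(given), entry.salt),
                                  entry.digest)
    if not ok:
        challenge.failures += 1
    return ok
```

The numeric query from point 6 (last four of the social, month and year of birth) can be one more entry in the challenge, but note it has only a few thousand possible values, so with that kind of secret it is the attempt limit, not the hashing, that does the real work.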