SIGIA-L Mail Archives: Re: [Sigia-l] secret question & answer
This is probably a late response to your question. Still, here it is for what
it is worth:
I have seen the 'create your question and answer' option throw up really
interesting results in iterative testing cycles. In the end I have been
driven to the conclusion that the result is not worth the trouble and is
inherently fraught with security issues.
If you do get the users to understand the intent there is no guarantee that
they will create 'unique-answer' questions (in fact, some users entered 'the
color of the sky?' or 'how do you spell cat?' as the question; some used
'best friend's name?' etc. only to say that they would probably forget the
answer and/or use trial and error).
That said, I have personally used the options that my bank gave me (3
successive Q-A's) to reset my password (thereby saving them the cost of a
call); I can't say they are totally without merit. I have also noticed that
many times the utility (or efficiency) of this mechanism is reduced due to
poor interaction design.
The following interaction tricks have had some success in the past:
1. Separate profile creation from the Q-A creation by keeping them on
separate pages. The cognitive load of creating 'unique' responses trips
people up; especially when they are entering their ID-password and possibly
other personal info.
2. Try to follow a wizard like interface and create the 'sets' one by one.
3. Make the process optional but explain the consequences (e.g. 1-3 business
days to reset by calling 800 number; might not be an option in some cases)
4. Nothing frightens users more than an empty field. Prepopulate the
create-your-own question field with the closest example of a unique question
('mother's maiden name?').
5. Provide extra messaging (1-2 succinct lines) and examples (again
unique-answer types) next to the question field. (Yes, they will copy and
paste!). Also look to provide fewer options around the fields (more white
6. Try to bolster the security of the retrieval by some numeric query (last
four of the social, month and year of birth etc.)
I have recently seen sites employ different methods for password
retrieval/reset by using innovative methods of authentication (See
Priceline, INGDirect). I hope this is because they are looking at the
problem holistically and am curious to learn the results.
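An added example, not part of the thread: a small Python validator that flags the weak self-written pairs reported above (the question typed into the answer box, answers that sit in the question text such as "how do you spell cat?", universal answers such as "blue" for "the color of the sky?") and then stores an accepted answer the way a password should be stored. The COMMON_ANSWERS set and the length threshold are constructed assumptions, not from the thread.

```python
import hashlib
import hmac
import os
import re

# Constructed list of answers that are effectively public or universal,
# modelled on the self-written questions mentioned in the thread.
COMMON_ANSWERS = {"blue", "cat", "dog", "password", "none", "no", "yes", "123456"}
MIN_ANSWER_LEN = 3  # assumed threshold


def _normalize(text: str) -> str:
    """Lowercase, drop punctuation and collapse whitespace so that
    'Mr. Whiskers' and ' mr whiskers ' compare (and hash) the same way."""
    return " ".join(re.sub(r"[^\w\s]", "", text.lower()).split())


def check_pair(question: str, answer: str) -> list:
    """Return the reasons a question/answer pair is unsafe (empty = passed).
    Each rule mirrors a failure mode seen in the usability tests."""
    q, a = _normalize(question), _normalize(answer)
    problems = []
    if len(a) < MIN_ANSWER_LEN:
        problems.append("answer too short")
    if a and a == q:
        # user typed their own question into the answer box
        problems.append("answer is identical to the question")
    elif a and len(a) >= MIN_ANSWER_LEN and a in q:
        # e.g. "how do you spell cat?" answered with "cat"
        problems.append("answer appears in the question text")
    if a in COMMON_ANSWERS:
        problems.append("answer is a common or universal value")
    return problems


def hash_answer(answer: str, salt: bytes = b"") -> tuple:
    """Store answers like passwords: normalized, salted and key-stretched."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 200_000)
    return salt, digest


def verify_answer(answer: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the stored digest."""
    return hmac.compare_digest(hash_answer(answer, salt)[1], digest)
```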
----- Original Message -----
From: "Samantha Bailey" <a2slb_at_bellsouth.net>
To: "sigia l" <sigia-l_at_mail.asis.org>
Sent: Monday, February 02, 2004 8:21 PM
Subject: [Sigia-l] secret question & answer
> Has anyone dealt with "secret question & answer" approaches to verifying
> authentication data (login & pwd)? We are working on an interface design
> that requires the user to select 3 questions and their corresponding
> (from a total list of approximately 20 questions). Additionally we need to
> support the option of allowing the user to create their own questions for
> 1-3 of the 3 required questions (i.e., the user can choose two of our
> questions and make one up or any other combination they like).
> We're on our second iteration based on usability tests and unfortunately
> "improved" design actually tested *worse* the second time around. Our
> have shown a few things:
> -users are confused by the "create your own" question option; for the most
> part they seem to find it a distraction and "overkill"
> -a number of users (the majority) are typing their own question into the
> answer box and not realizing that they haven't provided an answer (well,
> really that they've provided an answer in response to a question they
> associate as "theirs")
> -some users feel that having to answer 3 questions is overkill
> -users think that they will have to remember the question *and* the answer
> and are worried about how they'll do that; something about the number of
> questions and the fact that they're choosing the question they want to ask
> seems to be leading to this conclusion
> Based on all of this, our feeling has been that it would be simpler to
> the "create your own question" option, but our team doesn't have the
> last-say on that one, and it's going to stay one of the requirements.
> So...we have to get the interface working.
> Anyone aware of examples of secret Q&A with create your own in an
> you've liked? Any advice?
> We've kicked around a number of options and are now leaning toward
> presenting three question & answer interface boxes on the page with
> your own question" as the last option in the drop down. If the user
> this option, a dynamically generated insert box for the question and
> will populate the screen.
> Am interested to hear how others have handled this. Will happily compile
> responses offline or on and send to the group. Thanks!
> Samantha Bailey
> samantha_at_baileysorts.com | http://baileysorts.com
> When replying, please *trim your post* as much as possible.
> *Plain text, please; NO Attachments
> Searchable list archive: http://www.info-arch.org/lists/sigia-l/
> Sigia-l mailing list -- post to: Sigia-l_at_asis.org
> Changes to subscription: http://mail.asis.org/mailman/listinfo/sigia-l
This archive was generated by hypermail 2.1.6: Fri Feb 06 2004 - 02:52:33 EST