November 3, 2008 / fayafshar

Evil Authentication Questions

Make sure that when you ask users personal questions for authentication purposes, those questions CAN actually be answered by EVERY USER.

 I used to work for a company that had an ID system that you had to log into to request access to a particular company website.

The problem was that the person who designed these authentication questions clearly forgot to take the end user into consideration.

 Some of the questions you needed to answer in order to log into this system were:

 What is the name of your youngest sibling? [What are you supposed to say to this if you happen to be the youngest sibling? What if you are an only child? Obviously the person who came up with these questions only thought about their own situation]

What is your favourite football team? [What if you don’t watch football or have a favourite team? Are you supposed to make something up (that is, lie) and then try to remember this lie every time you need to access this system?]

What is your favourite pizza? [Once again, there are people who don’t like or eat pizza, and this is another example of how narrow-minded the designer of these questions was]

What street did you grow up in? [Well, many families like mine moved and migrated a few times, and these days it’s rare for someone to live in the same street from the day they are born to the day they leave home]

No wonder no one could ever get into this poorly designed million-dollar system: no one could ever answer such questions. And to make it worse, there were about 10 questions you had to answer each time! The only humorous part was the number of people who swore out loud each time they were unfortunate enough to need this system.

I personally was forced to answer ‘unknown’ and copy and paste the same response for each field, and then keep a copy of this in another text file (so I wouldn’t forget, seeing as there were another 20 systems I needed to log in to, each with different login requirements and rules).

 There are many ways around this problem, and I’m sure you can think of more, but here are 3 that spring to mind quickly: 

1) Let the users define their own questions, so that there is a slight chance they can remember their answers. And for God’s sake, reduce the questions to 2, instead of 10.

2) Create a drop-down list of questions (appropriately worded so that everyone can relate to them) and let the user select the questions they want to answer. This way, if I don’t have a younger sibling, I can give my mother’s maiden name instead.

3) If you’re going to insist on asking set questions, ask questions like: What is your birthday? What is your mother’s or father’s name? (Give both options in case one parent is not known.)
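As an added illustration of the second suggestion (example code, not from the original post): a small Python sketch in which the user picks exactly two questions from a pool, answers are normalised so harmless differences in spacing and capitalisation do not lock people out, placeholder answers such as ‘unknown’ are refused at enrolment, and only salted hashes are stored. The question pool, question ids and the PBKDF2 round count are assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

# A hypothetical question pool (suggestion 2): the user picks which questions
# to answer, so nobody is forced to answer one that does not apply to them.
QUESTION_POOL = {
    "mother_maiden": "What is your mother's maiden name?",
    "parent_name": "What is the name of your mother or father?",
    "birthday": "What is your date of birth (YYYY-MM-DD)?",
}
REQUIRED_ANSWERS = 2          # two questions, not ten
PBKDF2_ROUNDS = 100_000       # assumed work factor

# Filler people type when a question does not apply to them (the post's
# 'unknown'); such answers are guessable and must not be accepted.
PLACEHOLDER_ANSWERS = {"unknown", "none", "n/a", "na", "nil", "-", "x"}


def normalize(answer):
    """Canonicalise an answer so 'Main  Street' and 'main street' match."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def validate_answer(answer):
    """Reject empty, one-character and placeholder answers."""
    norm = normalize(answer)
    return len(norm) >= 2 and norm not in PLACEHOLDER_ANSWERS


def enroll(choices):
    """choices: {question_id: answer}. Returns {question_id: (salt, digest)}."""
    if len(choices) != REQUIRED_ANSWERS:
        raise ValueError(f"choose exactly {REQUIRED_ANSWERS} questions")
    record = {}
    for qid, answer in choices.items():
        if qid not in QUESTION_POOL:
            raise ValueError(f"unknown question id: {qid}")
        if not validate_answer(answer):
            raise ValueError(f"answer to {qid!r} is empty or a placeholder")
        salt = os.urandom(16)  # per-answer salt; store hashes, never plaintext
        digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
        record[qid] = (salt, digest)
    return record


def verify(record, qid, answer):
    """Constant-time comparison of a supplied answer against the stored hash."""
    salt, digest = record[qid]
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)
```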

I’m interested in hearing your comments and thoughts on this topic. Has there been a horrible form you’ve had to fill in recently that made your blood boil?
