Favorites are FAIL for web security

I don’t usually get into nitty-gritty interaction design issues like this on my blog. But I recently moved to a new address, and started new web accounts with various services like phone and utilities. And almost all of them are adding new layers of security asking me additional personal questions that they will use later to verify who I am. And entirely too many are asking questions like these, asked by AT&T on their wireless site:


I can’t believe how many of them are using “favorites” questions for security. Why? Because it’s so variable over time, and because it’s not a fully discrete category. Now, I know I’m especially deficient in “favorite” aptitude — if you ask me my favorite band, favorite food, favorite city, I’ll mumble something about “well, I like a lot of them, and there are things about some I like more than others, but I really can’t think of just one favorite…” Most people probably have at least something they can name as a favorite. But because it’s such a fuzzy category, it’s still risky and confusing.

It’s especially risky because we change over time. You might say Italian food is your favorite, but you’ve never had Thai. And when you do, you realize it blows Italian food away — and by the next time you try logging into an account a year later, you can’t remember which cuisine you specified.

Even the question about “who was your best friend as a kid” or “what’s the name of your favorite pet, when you were growing up” — our attitudes toward these things are highly variable. In fact, we hardly ever explicitly decide our favorite friend or pet — unless a computer asks us to. Then we find ourselves, in the moment, deciding “ok, I’ll name Rover as my favorite pet” — but a week later you see a picture in a photo album of your childhood cat “Peaches” and on your next login, it’s error-city.

I suspect one reason this bugs me so much is that it’s an indicator of how a binary mentality behind software can do uncomfortable things to us as non-binary human beings. It’s the same problem as Facebook presents when it asks you to select which category your relationship falls into. What if none of them quite fit? Or even if one of them technically fits, it reduces your relationship to that data point, without all the rich context that makes that category matter in your own life.

Probably I’m making too much of it, but at least, PLEASE, can we get the word out in the digital design community that these security questions simply do not work?

Author: Andrew Hinton

I use information to architect better places for humans. More at andrewhinton.com.

6 thoughts on “Favorites are FAIL for web security”

  1. Slightly OT but I highly recommend 1password (if you are on a Mac) which is great for storing all that data, as well as generating secure passwords. I’m sure you could extend it to those security questions too, since it doesn’t matter what you put there, as long as you remember it right (and having something which stores all that certainly helps).
    I put my 1password keychain in dropbox which not only adds an extra layer of security but means I can access my passwords wherever.
    It still doesn’t solve the issue of how we get the wider community to adopt better security management, however, which IMHO is the heart of the issue rather than the mechanism we use to retrieve passwords. All the options we have currently – security questions, entering personal details along with your email or username or receiving an email with your password – are problematic in various ways.

    1. I suppose I should’ve said “most favorites” — but I still wonder why even go there, if there are enough stable facts in people’s lives you could use. But again maybe it’s because I’m especially absent minded about these things, and can’t remember what I decided.

      Good point on the example – I meant to put two graphics in there, but got lazy and just had the one.

  2. They also usually fail to be case-insensitive, so even if you remember your favorite friend’s name, you’re likely to fail on capitalization. Not to mention trying to remember whether you typed their first and last name, or just their first name, etc.

    The whole “security question” model is, itself, completely broken. It’s based on telephone-based customer service, where a human being can interpret your amorphous answer better than a computer form field can. We have the email-based password reset model now, so the security question can probably be left in the ash heap of history.

    1. @chris a belated reply… but you have a great point, it really should be ash-heaped. But it seems like everybody’s doing this stuff just to cover their ass. Someone else is doing it, so they have to do it too, because if they don’t and somebody sues them, they could be called to account for not having security like their peers. At least, that’s what seems to be behind this and other crap like the “choose a picture” thing.
