Favorites are FAIL for web security

I don’t usually get into nitty-gritty interaction design issues like this on my blog. But I recently moved to a new address and started new web accounts with various services like phone and utilities. Almost all of them are adding new layers of security: asking me additional personal questions that they will later use to verify who I am. And entirely too many are asking questions like these, from AT&T’s wireless site:

[Image: badsecurity1 (AT&T’s security-question form)]

I can’t believe how many of them are using “favorites” questions for security. Why is that a problem? Because a favorite is so variable over time, and because it’s not a fully discrete category. Now, I know I’m especially deficient in “favorite” aptitude: if you ask me my favorite band, favorite food, or favorite city, I’ll mumble something about “well, I like a lot of them, and there are things about some I like more than others, but I really can’t think of just one favorite…” Most people probably have at least something they can name as a favorite. But because it’s such a fuzzy category, it’s still risky (the answer you give later may not match the one on file, and you’re locked out) and confusing.

It’s especially risky because we change over time. You might say Italian food is your favorite, but you’ve never had Thai. When you do, you realize it blows Italian food away, and by the time you try logging in to the account a year later, you can’t remember which cuisine you gave as your answer.

Even questions like “Who was your best friend as a kid?” or “What was the name of your favorite pet when you were growing up?” run into the same problem: our attitudes toward these things are highly variable. In fact, we hardly ever explicitly decide on a favorite friend or pet, unless a computer asks us to. Then we find ourselves, in the moment, deciding “ok, I’ll name Rover as my favorite pet,” but a week later you see a picture in a photo album of your childhood cat “Peaches,” and on your next login it’s error-city.

I suspect one reason this bugs me so much is that it’s an indicator of how a binary mentality behind software can do uncomfortable things to us as non-binary human beings. It’s the same problem as Facebook presents when it asks you to select which category your relationship falls into. What if none of them quite fit? Or even if one of them technically fits, it reduces your relationship to that data point, without all the rich context that makes that category matter in your own life.

Probably I’m making too much of it, but at least, PLEASE, can we get the word out in the digital design community that these security questions simply do not work?