“Innovation has nothing to do with how many R&D dollars you have. When Apple came up with the Mac, IBM was spending at least 100 times more on R&D. It's not about money. It's about the people you have, how you're led, and how much you get it.” - Steve Jobs

Authenticating users … the elephant in the living room of usability

Security is a reality for many of the applications we use. Computer systems all over the place want to be proof-positive that the person requesting information is authorized to get that information. Sounds good to you, right? I mean, I don’t want anyone reading my information but me, right?

Sounds very feasible, eh?

Then why are there so many ways for people to get around this little issue? Almost every browser comes with some sort of built-in way to skip the authentication step.

The reason is that passwords and usernames, in any form, are not part of any natural user mental model.

Why is that? There are plenty of analogs in the non-digital world. Combination locks, keys to our car and house, the push button alarm for a car alarm, the combo pad for our home alarm system, our mother’s maiden name + some other info when calling a financial institution, or even our card + PIN # for the ATM.

All of these seem to be quite “user friendly” (arguably) compared to the username/password combos that abound on the Internet.

First let’s think about this in terms of scope and scale:

For Home:

  • 10 e-mail accounts (ok that is a lot)
  • 3 Instant Messaging (IM) accounts (this is only b/c some of my IM accounts are also e-mail accounts)
  • 50 e-commerce sites including travel sites (Expedia, Delta), stores (NetFlix, Amazon, Barnes & Noble, Best Buy, iTunes)
  • 3-5 Search engines (A9)
  • 3-7 Financial Institutions (bank, trading, PayPal, credit cards)
  • 3-10 for home IT (router/firewall, ftp, blogware, privacy software, Vonage, SprintPCS, Vindigo)
  • 2 photo-sharing (Flickr & Ofoto)
  • 4 Social Networking (Linked In, Ryze, Orkut, Friendster)
  • 5 Subscriptions (NY Times, Consumer Reports, Business Week, Salon, etc.)
  • 5-10 software registrations (Adobe, Macromedia, Microsoft, McAfee, Trillian, etc.)
  • 20 e-mail lists (mailman is the bane of my existence, but it is free so everyone uses it)
  • 5 or so Organizations (IAI, AIGA, ACM/SIGCHI, IxDG, UXNet)
  • 20 miscellaneous that I can’t think of now

For Work (1 each):

  • Windows Domain
  • MacOS X User login
  • Lotus Notes
  • Lotus Notes for the Internet (yes they are different)
  • Corporate Extranet
  • Expense Management
  • Timesheets
  • Defect Management
  • Requirements Management
  • Payroll
  • Time off requests
  • Problem Ticket (internal help desk)
  • Voicemail (yes, that counts too)
  • Corporate Travel Site
  • Corporate Credit Card
  • AND … we also have an RSA digital key for our VPN

I didn’t even include all the passwords I have to remember from being involved with the Interaction Design Group (IxDG), UXNet, and other orgs.

So OBVIOUSLY, we have a problem here, right? And as mentioned above there are some solutions, but almost all are overly contextual and very hard to manage. For example, almost every major browser will try to remember a username/password combination for the web sites you go to. Of course it is WAY too easy for many a site to break this. They do this on purpose so that they are more secure. Yes, thank you for making it more secure and making my life more intolerable.

But actually, the usernames and passwords I have to type on a regular basis are the ones that I remember. Yes, this is an obvious causality, but people still don’t criticize the efforts we go through that make us not remember our passwords. So when we land in the situation where we do have to remember them, we can’t, and we have to go through the HORRIBLE process of trying to recover passwords and sometimes even usernames.

Then what’s worse is that every site/application we go to has a different set of rules for passwords:

Be sure your password is no fewer than 8 characters, it is not a real word, and it contains at least 1 letter, 1 numeral, and 1 special character (e.g. &, $, %).

Of course the very next site you go to is going to say something different that counters the above, like no special characters allowed. Huh?
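To make the conflict concrete, here is an added example (not code from the original post) that encodes two hypothetical site policies: "Site A" is the rule quoted above, and "Site B" is the next site's contradictory "no special characters" rule. The dictionary wordlist and candidate passwords are constructed for the example; the function names and both site policies are assumptions.

```python
# Added example: two contradictory password policies, modelled on the post.
# Site A: >= 8 chars, not a real word, at least 1 letter, 1 numeral, 1 special char.
# Site B: >= 8 chars, but special characters are NOT allowed.
# Both policies and the site names are hypothetical.

# Constructed stand-in for a real dictionary wordlist.
DICTIONARY_WORDS = {"password", "letmein", "welcome", "sunshine"}

# Constructed set of "special" characters, based on the post's examples.
SPECIAL_CHARS = set("&$%#!@*")


def check_site_a(pw):
    """Return the list of Site A rules that `pw` violates (empty list = accepted)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if pw.lower() in DICTIONARY_WORDS:
        problems.append("is a real word")
    if not any(c.isalpha() for c in pw):
        problems.append("no letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeral")
    if not any(c in SPECIAL_CHARS for c in pw):
        problems.append("no special character")
    return problems


def check_site_b(pw):
    """Return the list of Site B rules that `pw` violates (empty list = accepted)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if any(c in SPECIAL_CHARS for c in pw):
        problems.append("special characters not allowed")
    return problems


def satisfies_both(pw):
    """True only if one password would be accepted by both sites."""
    return not check_site_a(pw) and not check_site_b(pw)


def policies_conflict(checkers, candidates):
    """True if no candidate password passes every checker in `checkers`.

    Site A demands a special character and Site B forbids one, so for these
    two policies the result is always True: the user is forced to keep one
    password per site, which is exactly the memorability problem the post describes.
    """
    return not any(all(not check(pw) for check in checkers) for pw in candidates)


# Constructed candidate passwords (not real credentials).
CANDIDATES = ["password", "Tr0ub4dor&3", "Tr0ub4dor3", "short&1"]

if __name__ == "__main__":
    for pw in CANDIDATES:
        print(f"{pw!r}: site A {check_site_a(pw) or 'ok'}, site B {check_site_b(pw) or 'ok'}")
    print("policies conflict:", policies_conflict([check_site_a, check_site_b], CANDIDATES))
```

Running the script prints each candidate's verdict under both policies and then reports that the two policies conflict, since any password with a special character fails Site B and any without one fails Site A.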

And what about usernames? This one is taken and that one is in use, and you can’t have a space, or you can’t have a special character, or we just want you to use your e-mail address as your login ID.

Of course every new user to the Internet wants to tear his or her hair out.

And this is only one side of the whole security issue, namely making sure that you are who you say you are. This doesn’t account for all the security we are forced to go through that is just meant to make sure we are human beings. Yes, you know what I’m talking about. Have you ever seen something like this:

[Image: a CAPTCHA showing distorted, non-scannable text that the user has to type in]

Yes, if you’ve ever bought tickets on Ticketmaster online you’ve seen this, or if you’ve entered a comment on this blog. ;) While this isn’t very friendly for blind people, it is an effective way to stop non-humans from using a service. The above example was actually taken from Google’s Gmail. But really, what a nuisance. I guarantee there isn’t a single study anywhere that can show me that some user wanted to fill out a THIRD field that required them many times to squint and scooch up closer to their monitor.

Let’s not forget all the other stuff you already had to fill out and my favorite is the part of the profile set up where you prepare for that moment when you have to ask for your password again. You know, where you choose a question like “What is your mother’s maiden name?” and you type in the answer.

The good one of these, well, there are none, but if I had to pick the lesser of two evils, I’d have to say it is when you get to write both the question and the answer. But if I was going to remember this for you anyway, why not just make these my username and password? Oh! Because they don’t even tell you your password at this point–if you got this far. Noooooo … they first have to send you your password, or a temporary password, to your registered e-mail address–yet another ID, eh?

Some companies are fed up with these methods and are taking action, usually in areas where security really counts. You get a single card-based solution that is matched against a Personal Identification Number (PIN) like an ATM, and like an ATM card, the card is given to you through proper (physical) channels. They want to have people be digitally certified to these cards so they can be used across multiple programs. A central ID clearing-house is being used for these special efforts and is being managed by a consortium of banks, pharmaceutical companies and independent software/hardware service providers such as Identrus.

Services like passport.net by Microsoft also attempt to simplify password management by allowing people to use multiple seemingly unrelated services through a single authentication process. Obviously, this has not really taken hold, as I’m sure the expense of implementing this system, or the one mentioned above, is quite high.

There are so many existing networked identification methods that people would not mind being leveraged if only they could. Social Security #’s, Credit Cards or Bank Debit Cards, Cell Phones, etc. But none of these will come to fruition until there is enough of a clamor from the masses that we just can’t take it any more.
