The attached screen grab of a drop-down list is a real list of security questions you can select when creating an account with a major international non-profit. The goal of a security question on a website or web application is to ask you questions only you would know the answer to, in the event you have forgotten your credentials (username and/or password). While this is oftentimes overlooked in discussions of usability, this functionality clearly falls under the UX umbrella, because the system you can’t get access to is the least usable system of all.
So where are the usability issues with this list, and how can this be improved? Look over the list to see if you can recognize the potential issues and then review the following list of tips:
Try to keep the question to something that can only have a single answer. There are probably numerous memorable people from our childhoods. The one that pops into my head first today may not be the same one that pops into my head the day I can’t remember my password. Additionally, many of us have had, or still have, two grandmothers. Pets also don’t live as long as humans. Which grandmother’s pet, and which pet’s name, should I provide?
Don’t ask a question that might lead to different answers on different days. While the question suggests there could only be 1 favorite teacher, the name I give now for my favorite teacher may be different from the one I give 6 months or 2 years from now.
Try to keep questions formatted in a way that would prevent input errors by the user. Does the order I enter the year, make and color of my car matter? What if I had entered commas to separate the items when I answered the question initially? Will I have to remember to put those in as well down the road?
Avoid questions that can be impacted by future events. My nearest sibling may live in the city next to me today. That doesn’t mean that will be the case down the road, should that sibling move across the country. My favorite appliance today may be from Whirlpool. Tomorrow, it might be from Samsung. Down the road, it might be from Apple or Google. What if I read a new book in 6 months? Will the lead in that story become my new favorite character?
Try to ask questions that the user has a high likelihood of having an answer for. Asking someone for their least favorite person from history isn’t a great question, especially if they are not interested in history or have never spent time considering who that individual might be.
Try to find a question that the user would prefer to answer. If most people don’t know the user by a certain nickname, there may be a reason for it. It could be that they didn’t like the nickname and don’t care to have its use persist any further.
Don’t pick a question that can be easily guessed. Studies have shown for decades what most people are most afraid of. It probably wouldn’t take more than a few guesses for a hacker to come up with “public speaking”, “dying”, “spiders”, etc.
Try not to be too ambiguous with your question. My favorite game as a child could be a board game, card game, video game, or playground game. A little clarification here helps keep the user from having to cycle through the various options.
Ultimately, the goal with functionality like this is to allow users to support themselves without needing a phone call to your organization for additional support (or worse, going elsewhere). It’s hard enough for most people to remember all the passwords they have. Password-recovery functionality shouldn’t be adding more issues on top of that problem.