You have to skate a pretty thin line between security and usability sometimes. Internet users have literally hundreds of passwords to remember for the sites they use on a daily basis and while I might not mind so much if my YouTube login was compromised, my bank account being hacked would be a serious hassle. So, how do we design a security system that protects the user’s information while keeping it usable? From a company perspective I see a few possible scenarios that might explain how some sites end up being released upon the public:
- The IT department have their evil way – In this hyperbolic generalisation the likely result is that the user is subjected to a very plain looking site that’s nigh impossible to use, but in the background there’s all sorts of sophisticated technology churning away like some unholy robot. If you can find out how to log in to the site, it will probably never crash, but you’ll never find what you want.
- Let the marketing department have a shot – The site will look beautiful; straight out of a PowerPoint pitch. Curvy corners everywhere, Flash animation pumping out platitudes and the entire thing festooned with nebulous marketing jargon like a debutante streaked in fake tan and regret on the morning after her debs. The site will do absolutely nothing of any value to the end user but it looks beautiful.
Neither of these solutions seems to deliver a fair and balanced representation of the company’s efforts, so usually you end up with option three – The Committee. This is where you collect all of the people in a company who aren’t important enough to have better things to do and subject them to a meeting. The demotivation poster site tags a meeting of this sort with the catchphrase “…because none of us is as dumb as all of us”. Somehow the design-by-committee process delivers the worst that the IT department and the Marketing department can come up with, all bundled up with the ribbon on top of the token executive who wants his stamp put on the design somewhere.
This is sometimes referred to in software as “designing a garden shed”. The theory goes that if you present your well-researched and triple-checked plans for a nuclear power plant to a committee, the plans will be approved on the basis that it’s a complicated business designing a nuclear power plant, and you must surely know what you’re doing and look at his shiny suit… is it time for lunch? If you present a plan for a garden shed, your likely outcome is that you leave with a list of additions and suggestions that need to be implemented before it could possibly be signed off. The placation of ego dictates that a committee can’t resist adding their own personal touches to your shed, and eventually you have a water-feature and solar powered bird-frightening device bolted on to the front door.
So, where am I going with all this? Earlier this week I tried to log into my Ulster Bank business account. Admittedly part of the reason I’ve had trouble with it is that I rarely use it. Generally I’m going to take a peek when an invoice is due, or when I need to write a cheque to the taxman so they can give it back to the bank in the form of some sort of bailout. Ulster Bank’s online business bank account is the bastard offspring of The Committee. The security for the login succeeds in making the site actually less secure while having the benefit of driving me insane. The process involves:
- A customer number – Fair enough, a reasonable question.
- A user ID – er… alright, I suppose this must be relevant if I had twenty people logging in.
- A PIN number. Random digits please – Eh. Ok… Did I pick that, or did you give it to me?
- A passphrase over ten characters, must include numbers – You what now? You want characters 11, 14, and 2? *ponders* Wasn’t my password only *counts on fingers* 11 characters long?
Granted – If you’re using this daily maybe you’ll manage to memorise these four pieces of information, but me? The last time I logged in (the third time I’ve ever logged in) I had to change the password. And now I have absolutely no idea what it is. Eureka! With this new internet thing I can have the nice people reset my password, or maybe send me a link to reset my password, or just bloody well tell me my password?
Here’s the “help” screen –
Wonderful! You have successfully informed me of how to enter numbers into a box on a website! My parents will find solace that my years of education were not wasted. I finally found a “contact us” page where I asked them (actually not so) nicely for a password. I’ve yet to hear a response. Also, this form required about 8 different forms of information, including my age. How is that relevant?
Is this login process less secure? If I’m a casual user of this site I’m left with four pieces of information which I have to remember. The chances of me remembering one of these pieces of information are pretty good; all four? Probably a longshot. The end result is that I’m going to write down my password, PIN, customer number, and user ID on a post-it and put it onto my monitor. If I’m smart, I might put it into my wallet as security expert Bruce Schneier recommends. I don’t believe the average casual user will do that and I think the hassle of needing to remember four different bits of information is beyond necessary. It could be argued that security is adequate, but it’s such a hurdle to usability that there has to be a better way.
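The “random characters” step from the login described above, seen from the server side, as an added example (not the bank’s code; `PartialChallenge`, the lockout threshold and the sample passphrase are constructed). It shows that the positions asked for have to be drawn from the enrolled length, and that the stored secret has to stay recoverable, which a single hash of the whole passphrase would not allow.

```python
import hmac
import secrets

MAX_FAILURES = 3  # assumed lockout threshold, not taken from any bank


class PartialChallenge:
    """Server side of a 'give me characters i, j and k' login step."""

    def __init__(self, secret: str, asked: int = 3):
        if len(secret) < asked:
            raise ValueError("secret is shorter than the number of positions asked")
        # The secret has to stay recoverable (e.g. encrypted at rest): one salted
        # hash of the whole value cannot answer "what is character 7?".
        self._secret = secret
        self._asked = asked
        self._pending = None
        self.failures = 0

    def new_challenge(self) -> list:
        # 1-based positions, drawn only from the enrolled length, so an
        # 11-character passphrase is never asked for character 14.
        rng = secrets.SystemRandom()
        self._pending = sorted(rng.sample(range(1, len(self._secret) + 1), self._asked))
        return list(self._pending)

    def verify(self, answers: dict) -> bool:
        pending, self._pending = self._pending, None  # one attempt per challenge
        if pending is None or self.failures >= MAX_FAILURES:
            return False
        given = [str(answers.get(p, "")) for p in pending]
        expected = "".join(self._secret[p - 1] for p in pending)
        # Exactly one character per position, compared in constant time.
        ok = all(len(g) == 1 for g in given) and hmac.compare_digest(
            expected.encode(), "".join(given).encode())
        self.failures = 0 if ok else self.failures + 1
        return ok


if __name__ == "__main__":
    passphrase = "hunter2pass"  # constructed 11-character sample
    login = PartialChallenge(passphrase)
    positions = login.new_challenge()
    print("asked for characters", positions)
    print("accepted:", login.verify({p: passphrase[p - 1] for p in positions}))
```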
I use two other bank accounts – AIB for my current account, and Rabodirect for savings. How do they differ? AIB first:
- Customer registration number provided by them. Reasonable, they need to know who I am.
- A PIN provided by them – I can handle that, username and password. I can dig it.
- Random digits of a number I am very familiar with – Credit card, phone numbers. Easy peasy.
This essentially means I need to remember two pieces of information, as one is so familiar to me that it’s unlikely I’ll forget it unless I get hit on the head.
Then Rabodirect:
- Customer registration number provided by them. Fine.
- A number provided by my magic little decoder box thingy, once I enter my password.
So with Rabo’s handy-dandy little decoder box thingy, I enter my password and it gives me an authentication code to enter the site. Two pieces of information, easy to remember. I use Rabo’s site about as often as I use Ulster Bank’s site, and it’s not confusing.
Applying these lessons to general design principles:
- Avoid design-by-committee by any means necessary. Someone who represents the users of your site needs to have final approval of the design, and strong opinions. Stop mediocrity before it happens.
- Don’t expect users to do things that you wouldn’t do. Don’t have sign-in forms that require twenty pieces of information. Don’t have an online shop that doesn’t display the price until you hit “checkout”. Don’t have a “help” popup which tells someone to put a number into a $%”£%ing box!
- Less is more – Avoid the garden shed. Avoid marketing jargon. Avoid unnecessary Flash intros. Avoid AJAX where it doesn’t provide any benefit. Not everything needs to get into the design. Bruise a few egos if it makes your site better for your users. Cut it down to the minimum that works and then wait for feedback. If something is obviously missing you’ll be told soon enough.
Update 5th May 2009 – Looks like I’m not the only frustrated customer.