Broken friendships, dead teachers, and website authentication
Authentication security questions, by design, evoke unexpected nostalgia.
Who was your favorite teacher? Your first pet? Your first significant other?
They ask you to recall rich emotions and memories on a regular basis…hopefully without robbing them of their poignancy over time. But hopefully without dredging up unwelcome emotions at inopportune times, too.
My favorite teacher died 10 years ago, and I didn’t learn about their passing until a couple of years after the fact. It broke my heart. I cried when I found out. And the question still makes my heart lurch a bit when I’m presented with it upon logging onto, of all things, my credit card website from a new device.
Of the questions that these sites offer you to answer, some have immediately obvious answers to an individual while others don’t. And some just flat-out can’t, or shouldn’t, be answered or used.
For example: what’s your father’s middle name? My parents don’t have middle names. It’s not typically done in South India. So I’m not picking those. (There are hundreds of millions of us to whom this applies worldwide, and yet, it’s still a widely available question.)
Others aren’t hard to figure out from my social media activity or just from getting to know me. So I avoid those. (Why would such obvious questions even still be offered up, knowing that not everybody is savvy about cybersecurity and how their online footprints can be tracked and abused?)
United Airlines was ridiculed almost universally for their alternative approach, which is essentially a set of multiple-choice questions. However, at least they tried something different. What is your favorite wintertime activity? is far less emotionally charged than, who was your childhood best friend?
And that question evokes another bittersweet memory. I was a naïve and sheltered twerp without a fully developed sense of emotional nuance, and that led to an awkward breakup with my childhood best friend. And after that, living in Japan while on the JET Program changed me profoundly, and I drifted away from many of my friends (including my high school/undergrad best friend).
So, yeah. That’s another security question whose answer stings. It at least makes me reflect on how much I’ve grown, and that I do like the person I’ve become and that I’m a much better friend to the people in my life now. But it still dredges up those past moments of sadness and pain. And I’m not exactly in the mindset to engage in personal reflection when I’ve forgotten my password while trying to order lounge pants.
Of course, it’s not like one has to answer truthfully. It’s not like anybody’s checking the veracity of your content; it’s ultimately just about a pattern match. (So I could put in my current celebrity crush for, what’s your spouse’s name? Helloooo, Matt Smith.) But then you have to keep your fake answers straight, which involves another level of abstraction and/or mental load. So, like with pretty much all things in life, the truth is easiest. And technology that lets you be true — and kind — to yourself is best.
Of course, that’s not how it actually works. Get a load of this train wreck of a security question that I spotted recently:
What’s the name of your favorite child?
Let that sink in.
A security question for some random and inconsequential website is catering to — or encouraging?! — the cultivation of terrible value systems, and urging parents to admit that they love one of their kids more and their other kid(s) less.
Upon searching for it, apparently JetBlue used this in a cutesy, tongue-in-cheek way in 2019, and went viral for it for obvious reasons. But it was on another site where I saw it recently, perhaps copying them. And whether it’s tongue-in-cheek or not…I didn’t really find it funny. And I’ll bet other people — for example, actual parents with actual kids — probably haven’t, either.
Designers have to consider how their work can be misinterpreted or harmful. It’s our responsibility. It’s our mandate. As part of ensuring we don’t design for ourselves, that also includes not assuming the same emotional, psychological, and sociological reactions. Our work can be — and, in the collective sense, absolutely has been — abused and/or triggering, in minor or major ways.
And that includes security questions, which are like your virtual key ring.
(Never mind the question of whether security questions themselves are still an effective form of security; there’s still plenty to be interrogated and examined here, within these current patterns of use.)
In this case, the “keys” are links to your past that you may or may not want to think of with such regularity.
I keep a (rather battered but still grin-evoking) Gudetama Awa Odori dancer figure and a Lego stormtrooper flashlight on my keychain. My friends and family use keychains they bought on past vacations that recall happy memories for them.
None of us have pendants on our physical keychains with pictures of our deceased teachers.
