Useit.com Suggests a Balance Between Security and Usability
Jakob Nielsen wrote an excellent piece called Security & Human Factors for his Alertbox series. In it he points out many of the obvious problems with password-based security systems in general, and the security provisions imposed by corporate IT departments in order to minimize the risk of password misappropriation in particular.
Things like minimum password length, denial of password reuse, and short password lifetimes almost guarantee increased technical support costs due to end-user confusion.
CTDATA increased security on many of our systems last year, and our experience is that the increase in support costs has greatly exceeded the increase in overall system security. If we had to do it over again, we would have sought a different solution.
We think the best security systems ask the user to provide either:
- more than one piece of personally identifying information that cannot be provided without access to multiple personal identity documents, or
- user-supplied questions and answers that allow a Web application to identify a user with 90 to 95 percent certainty (example: What's your favorite color?)
Security mechanisms as simple as these can be implemented if authentication failures are being logged and analyzed in real time.
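As an added illustration of that last point (example code written for this page, not code from the original post or from CTDATA): a sliding-window analysis of authentication failures over constructed log lines that locks an account once failures in a short window reach a threshold, plus a small calculation of why such a threshold matters when the challenge answer comes from a small set of likely values. The log format, the threshold and the window size are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post):
# "timestamp user outcome", one challenge-question attempt per line.
SAMPLE_LOG = """\
2003-01-15T09:00:01 alice FAIL
2003-01-15T09:00:04 alice FAIL
2003-01-15T09:00:07 alice FAIL
2003-01-15T09:00:09 alice FAIL
2003-01-15T09:00:30 bob FAIL
2003-01-15T09:01:10 bob OK
2003-01-15T09:20:00 alice FAIL
"""

MAX_FAILURES = 3                 # assumed: failures tolerated per user per window
WINDOW = timedelta(minutes=10)   # assumed: sliding window length


def parse_line(line):
    ts, user, outcome = line.split()
    return datetime.fromisoformat(ts), user, outcome


def analyze(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Stream the log in order; return {user: lock timestamp or None}.

    Answers are no longer evaluated once a user is locked, which is what
    makes a low-entropy question ("favorite color") survivable."""
    recent = defaultdict(deque)  # user -> timestamps of failures in window
    locked = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, outcome = parse_line(line)
        locked.setdefault(user, None)
        if locked[user] is not None:
            continue                 # already locked: attempt is ignored
        q = recent[user]
        while q and q[0] < ts - window:
            q.popleft()              # expire failures outside the window
        if outcome == "FAIL":
            q.append(ts)
            if len(q) >= max_failures:
                locked[user] = ts    # real-time decision: lock and alert
        else:
            q.clear()                # a correct answer resets the counter
    return locked


def guess_success_probability(answer_space, attempts):
    """Chance that uniform random guesses over `answer_space` likely answers
    succeed within `attempts` tries; quantifies the risk the threshold bounds."""
    return 1 - (1 - 1 / answer_space) ** attempts
```

With ten plausible colours and three attempts before lockout, the chance of a blind guess succeeding is about 27 percent, which is why the post's own "90 to 95 percent certainty" only holds when failures are acted on immediately.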