Usability of Codes

Today I received a letter from my insurance company. They asked me if they could get my approval for sharing my insurance data between the companies in the insurance group. This is a quite common request, as it is illegal to share financial data without approval (in this country).

They then wanted me to sign-in to a special website, with my social security number and a special PIN code. It should be a simple thing to do, but it wasn't. The PIN was filled with 0O1l's. No matter how many times I tried, I wasn't able to guess the right combination of letters and numbers.

I eventually gave up trying to guess if O0 was and zero-O or O-zero, of if lRTl was one-R-T-one, one-R-T-I or something, and finally decided to send them a snail-mail letter instead. It is amazing that a simple operation could be such a failure simply because of a hard-to-use pin number.

It reminds me of 8 tips to serial numbers by Seth Godin:

Don't use 0 or 1 or O or I in serial numbers that combine letters and numbers. 0O1I42 is asking for trouble.
Never run a string of more than three identical numbers in a row. 89355555232 is bound to be a problem.
Don't be case sensitive.
Print the serial number larger than you think you need to. If you want the user to be able to read it to you, make it big. Then increase the size.
Think hard about whether you need a serial number at all. An email address is easier to remember and just as unique.
The number itself can carry useful data, like date of manufacture. If you're selling to business users, figure out how to integrate the serial numbers with their systems so they can coordinate with PO and other data.
[David suggests you break up your long numbers with dashes. 108-23-2219.]
With computers doing the heavy lifting, you can use serial words instead of serial numbers. If you have a combination of two words in a row, 100 words times 100 words is 10,000 combinations.

I especially like the last tip; to use words instead of numbers. Just as a pass-phrase is more usable than a password, so is a serial-phrase more usable than a serial number (or a PIN code).

Comments

billyboylindien - Jul. 2, 2008

The first advice is the most important and the less used :(

Thx

Jonathan - Jul. 2, 2008

Actually, no. 5 is probably the most under-considered. I recently attended a talk given by a consultant who specialises in the usability of security systems. Amongst many amazing facts, she mentioned that in 2002, British Telecom had a help desk of 200 (two hundred!) people whose job it was to do just one thing, 24 hours a day: re-setting BT employees' forgotten passwords. The call centre had been growing by 30% each year for the previous six years, and at that rate it was going to become unsustainable. By 2002 was already a major internal cost (she didn't know how big it is now).

Interestingly, it was BTs accountants, not their security team or (gasp!) designers, who pushed through usability measures to take the pressure off the system.

Thomas Baekdal - Jul. 2, 2008

he he, that is a great example Jonathan.

BTW: I know one way the security team and designer could "get off their lazy butts". Tell them to man the help desk for a week - and the problem would be fixed within the first day :)

Niels - Jul. 5, 2008

In addition to that Thomas;

Designers should always use their own products to run into the same problems as customers.

Thomas Baekdal - Jul. 5, 2008

Niels,

While that is a good advice in theory it is rarely possibly (unless you are 37signals and only make products for yourself).

Most of the web applications I make is for other people to use. People who have a different job than me.

I cannot use many of the web applications that I make personally, because they are not designed to fullfill my goals. Instead they are designed to solve a specific problem of another group of people.

Even if you could use your own products, it is rarely going to solve many of the problems that people will encounter.

As the designer, you know how it is supposed to work, what path you are supposed to take, and what you are supposed to be able to do based on a specific action. But 99% of all the problem people encounter is when they do something you did not intent for them to do, or when they take a different path - or simply because they do not have the knowledge you have, and thus do not understand what to do.

That said, spending time using your own products is very useful, and I which my insurance company had done so :)

Jonathan - Jul. 5, 2008

Mind you, the staggeringly poor standard of usability in security systems indicates that things like PIN codes, login journeys, user account management and related UI is a designer-free zone. Certainly, in my work I have never been able change the process of gaining access to systems. The implication is that if I did, I would somehow compromise security, so that these things should be left to "security professionals."

The trouble is, such people appear to know nothing at all about usability, and lack even the most rudimentary understanding its impact on the business, or indeed of the context of use of the system (Does it need a login at all? What indeed is the nature of the threat?). Such issues are neglected until, as in BT's case, the CFO has to scream at someone to do something before either the customer base, or the business itself, collapses.

That said, there have been some concessions over the last decade. For example, it used to be the case that credit card providers made their customers change their PIN codes every time they received a new or replacement card. Most issuers have quietly dropped that rule for the reasons we are discussing.

Finally, one should also consider the fact (verifiable, at least anecdotally) that "increased security" through things like longer passwords has the opposite effect. The disease (and that's a good way of characterising this) of applying both user names and passwords to absolutely everything, no matter how trivial or pointless, amplifies this sometimes to comedic levels. The aforementioned consultant also tells a story of how she was being given a tour of the offices at the HQ of a large bank. On the wall in a corridor was a picture of a team of people receiving an award of some kind. Clearly visible in the photo was a whiteboard with the words "Password for payroll admin is: 543JuPiter"

Thomas Baekdal - Jul. 5, 2008

Jonathan, instead posting a repy to your comment, which I generally agree with, I think I will write a new article about security vs. usability.

Stay tuned...