Thursday, September 22, 2011

Random factoids I've encountered in authentication user research so far

I've been doing user research about the experience around security and authentication for about a year now. Through a combination of interviews, surveys, and diary studies, I'm trying to put together scenarios of what all that authentication is like for people, what the hassle factors are of authentication, and what the burden is. Are there productivity costs? Are there trust costs? Are the tradeoffs worth it?

Here are some factoids that are going into the models and scenarios: 

The average person has between 7 and 25 accounts that they log into every day. These are log-ins for computing devices, networks, software, and web sites. 

About half of the accounts people log into every day are necessary for their jobs.

People actually authenticate themselves -- prove who they are to someone or some system -- many more times in the typical day than they realize. 

People report authenticating about 15 times in a typical work day on average. This is probably grossly under-reported.

People have rational coping mechanisms: 
  • They try to use the same passwords in as many places as they can.
  • At work, they find the account with the strictest password policy, create a password schema to meet that, and use the same password in all the other places it will work.
  • Everyone has a personal password schema or algorithm that they think is unbreakable. They're proud that the organization's IT security people have not discovered their schema and made the password requirements stricter to eliminate their schema.
  • People will choose to do some tasks on one device over another because the authentication on one is easier (or embedded or automated somehow).  
  • People choose the strength of the password based on their perceptions of the importance of the account they're registering for. For example, many people say they use weak passwords for social networking sites and stronger passwords for medical and financial web sites.*
Nearly everyone records their passwords somewhere: paper, email, or password locker software. 

The stronger the requirements for a password, the more likely the person will write it down. 

The stronger the requirements for a password, the more likely it will have to be reset after being changed for expiration. 

The less frequently the password is used, the more likely it'll have to be reset at next use. 

Remote access to work systems keeps some people from doing work that they would normally do outside of normal working hours. 

At work, most authentication happens in the morning, and then in the early afternoon.

* This is probably a bad idea, as there is much more personally identifying information in a social networking profile and the security of the back-end systems is generally less stringent on social network sites than for medical and financial services web sites.


  1. Thank you for sharing your research findings! In this same vein, I conducted a cognitive walk-through study with groups of consumers on several banking & financial websites a few months back. We found these types of sites did a very poor job helping users set up accounts in the first place (e.g., poor labeling, poor location of link, tiny font size, not accessible from home page).

  2. Very valid points! I can relate to all of them, except the fact that relates to writing the passwords down.

  3. Its embarassing, but the conclusions on this XKCD strip are a huge damnation of most authentication procedures.

    Corporate (non-web) authentication procedures are the worst. Lots of ridiculous hoops to jump through.

    If you want a strong password, just put together the firstname, middle name and surname of your firstborn. Immune to computer based cracking and you will never forget it, or need to write it down.