How to Frustrate Your Site Users

AT&T is my home telephone provider. I switched from MCI WorldCom (remember Bernie Ebbers now incarcerated for fraud and conspiracy) because MCI couldn’t understand that they needed to come to my newly constructed home to actually connect the phone wires from the outside of the house to the inside switch box. You don’t want me to start that rant. Let’s just say I will never be a customer of MCI or whatever they’re called, ever, ever again. Not in this or any future life!

Back to the post. My credit card was re-issued with a new number so I needed to log onto the AT&T site and update my payment details. Hadn’t been there in a while because I am enrolled in auto payment and turned off my paper statement. The less I think about my phone company the happier I am.

I typed in att.com and was taken to the home page. When I clicked on My Account I landed here.

Perfectly attractive page at first glance, but the Cingular acquisition has added complexity. Three places to register, log in or get support. Pretty well designed and labeled except for U-verse. What’s U-verse, another planet? In short order I found the home phone section, clicked login, and entered my credentials. So far so good. Since I last logged in they added two-factor authentication to the site. Two-factor is a federal regulation for some industries, and others have adopted it as another layer of protection. It often takes the form of a question and answer knowable only by you. Turns out that when users set them up, the answers are so secret that even the users themselves can’t recall them.

AT&T is a case study in why they can’t be answered. Here are the questions offered to me in the drop-downs.

The first and foremost best practice site designers need to follow when selecting these questions is that the answer should never change over time. Your father’s middle name will always be the same, and very easy to remember, but the country you would like to visit can shift over time. Almost none of their questions pass this test.

This means returning users will have a much higher likelihood of failing to answer the questions correctly, becoming frustrated and calling customer service. That is the exact opposite of the result AT&T and the customer desire. Using personas and goal-directed design techniques would reveal that a meaningful amount of time will pass between logins. Don’t expect users to remember details that they rarely think about. It’s not a test. Back to the drawing board.


2 comments

  1. Just to clarify – asking a “secret” question is not two-factor authentication, it’s just more of one-factor authentication. Two-factor is like an ATM card – something you have – and a PIN – something you know. In fact, you can argue that this reduces the security because someone can guess this information and own your account. This isn’t even a security application – it is designed to reduce support calls.

    I have posted about the security of cell phone services and their reasoning on my blog: http://www.wikidsystems.com:8080/import/com/WiKIDBlog/why-using-sms-for-authentication-is-a-bad-idea

    You’re spot on about the questions though – they should not change. I think you will also find this of interest: http://consumerist.com/376845/flawed-security-lets-sprint-accounts-get-easily-hijacked%22

    Nick

  2. Nick, Thanks for the two-factor correction. I have edited the post and called it “stronger authentication,” more accurate. When done correctly (not like AT&T or your post about Sprint) it can help protect online accounts. Not make them bulletproof, but one more speed bump. I know from experience at my firm that adding stronger authentication has increased support calls, not reduced them. Appreciate you taking the time to comment.
