Problem one: Primary task disruption
I was on a mission when I landed on the Presto site, and it was fairly time-sensitive. Presto interrupted this intended task with its own time-consuming task. A quick account check that should have taken 30 seconds ended up taking close to 10 minutes. Fail.
Problem two: Timing
While ensuring account security is definitely important, Presto chose a very inopportune moment to pursue it. Transit interactions are more likely than average to be time-sensitive. They tend to be things like “Quick, I need to add money to my account!” or “Quick, give me the schedule for the next bus!” Mobile interactions are even more likely to be time-sensitive because the user is often, well, mobile. They’re on the move with less time and less attention to offer an interaction than someone sitting at a computer.
Here’s the thing: Lack of time and attention are two things you never, ever want to combine with security features. Don’t rush security tasks.
When setting up account security you want your user’s full attention. You want them to be able to seriously consider the information they’re setting up, have time to double-check it, and have enough available attention to recall the interaction later. Presto’s timing was poor — they not only hijacked my primary task, they did it at a time when I was using a tiny screen, distracted, with little attention to spare.
Problem three: Poor question choice
Since I was standing in a store and needed to verify my card information stat, I had no choice but to let Presto make me set up some security questions. How hard can it be to choose three questions, right?
Sadly this proved surprisingly hard.
Presto’s account security questions were pretty standard but that doesn’t mean they were good. For example:
“What is your favourite movie?”
“What is your favourite sports team?”
“What is your favourite pet’s name?”
Presto is definitely not the only company to use questions like these — a lot of organizations use them, and unknowingly create issues for themselves in the future.
What’s the problem? These types of questions have answers that can change over time. Your favourite anything can change. Today my favourite movie might be Indiana Jones but a year from now it might be the next Marvel movie. Answers that can change over a few months or a year are not good choices for security answers.
This got me thinking afterwards about better options and I realized just how tricky these questions can be. They need to have long-term, reliable answers but they also need to have a set of potentially infinite answers so that hackers can’t guess your response. For example, this means questions like “What colour are your mother’s eyes?” would be a poor choice, because there are only so many eye colours and a hacker could easily run through the limited set of possibilities to find the right answer.
Answers also need to be easy to spell accurately (and consistently), and they need to be easy to remember.
Those are just the criteria I came up with, and some curious googling turned up an even better list that specifies Safe, Stable, Memorable, Simple, and Many.
Of the 10 options Presto gave me for security questions, five involved favourites. That reduced my good options to the remaining five, two of which involved a serious risk of me spelling my answer incorrectly. And of the remaining three, one ran me into the last of the big issues…
Problem four: Poor error prevention & messaging
So of 10 security questions, only three of the options looked viable for me. I dutifully tried to set up those three and hit another snag. Presto obscured my answers as I typed, which is certainly more secure but also created a problem. What if I mistyped? How could I be sure I’d entered my answers correctly?
Typing on a phone is challenging at best — it’s easy to hit the wrong letter even if you’re paying full attention. Obscuring my answer as I typed meant I couldn’t verify that what I was typing was in fact correct. And if there was a typo? That spells t-r-o-u-b-l-e down the line in the form of failed security checks. Most companies offer a show/hide option on fields like this, but Presto didn’t.
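Two of the problems above (questions that fail the Many and Stable criteria, and obscured fields with no way to confirm an answer) can be caught on the server side before a question ever reaches a user. The following is an added example, not Presto’s code; the answer-space sizes, the “unstable” keyword list and the 10-bit policy floor are assumptions for illustration.

```python
import math
import re
import unicodedata

# Constructed catalogue: candidate question -> rough size of its plausible answer
# space. The numbers are assumptions for illustration, not measured data.
ANSWER_SPACE = {
    "What colour are your mother's eyes?": 6,            # brown, blue, green, hazel, grey, amber
    "What is your favourite movie?": 100_000,
    "What is the name of the street you grew up on?": 1_000_000,
}

# Words that signal an answer likely to change over time (fails "Stable").
UNSTABLE_MARKERS = ("favourite", "favorite", "current", "best friend")
MIN_BITS = 10  # assumed policy floor: fewer than ~1000 plausible answers is guessable


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so case, accents and spacing cannot cause a false mismatch."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = re.sub(r"[^a-z0-9]+", " ", text.casefold())
    return " ".join(text.split())


def assess_question(question: str, answer_space: int) -> list[str]:
    """Return the criteria a question fails: 'Many' (too few answers) and 'Stable' (changes over time)."""
    problems = []
    if math.log2(answer_space) < MIN_BITS:
        problems.append("Many")
    if any(marker in question.casefold() for marker in UNSTABLE_MARKERS):
        problems.append("Stable")
    return problems


def confirm_entry(first: str, second: str) -> bool:
    """Obscured fields need a second entry; accept only when both normalise to the same non-empty value."""
    canonical = normalize_answer(first)
    return canonical != "" and canonical == normalize_answer(second)


if __name__ == "__main__":
    for question, space in ANSWER_SPACE.items():
        print(question, "->", assess_question(question, space) or "OK")
    print(confirm_entry("Indiana Jones", "indiana  jones"))   # True: same answer, different typing
    print(confirm_entry("Indiana Jones", "Indiana Jonse"))    # False: the typo is caught at setup time
```

Running the assessment against a question bank at design time is what keeps a limited-answer question like the eye-colour one out of the list; running `confirm_entry` at setup time is what catches the mobile typo before it becomes a failed security check months later.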
What’s more, their error messaging as I filled in answers proved less than helpful: