Today I had to reset my BarnesAndNoble.com password because I hadn't shopped there in such a long time that the notes I had for my account info weren't working. After entering my email address, I received an email stating
"To ensure the security of your account, we require you to reset your account password. Please click the link below. You'll be asked to enter the last 4 digits of a credit card number you have used previously at www.bn.com. Once you complete that step, you'll be directed to reset your password. The link is active for 24 hours."
This seemed reasonable until it became apparent that I hadn't used any of the cards I've been using for the last few years to shop there. After the first few tries it was clear this is a ridiculous measure for anyone with more than a few credit cards. I was almost unable to finish the reset until I remembered an old credit card stuffed in a drawer that turned out to be the one.
Cycling through the digits from my entire group of credit cards didn’t fill me with confidence in the security of the system, but it did cause me to get so annoyed that I considered avoiding ever shopping at barnesandnoble.com again.
I appreciate the importance of multi-step authentication for account recovery, but demanding information the user is unlikely to remember (which card did I use when I shopped at B&N?) is bad design. A recovery factor only adds security if the legitimate user can actually produce it; otherwise it just trains users to brute-force their own accounts.
A better solution?
Because I'm focused on answers, here's what I would propose instead. Ask for another piece of information that the user is likely to know.
This could be in the form of a multiple choice question. A great model for this approach is the credit reporting agency websites. They'll have a question like, "How much was your mortgage amount?" and list various options. Applied to B&N, this could be something like "To whom have you shipped a gift purchase?" List five choices, with one being a real recipient from the account's order history and the other four being randomly generated fictitious people (or all fictitious, with "none of the above" as an option and as the correct answer when the account has no such history). Because a five-way question can be guessed one time in five, the number of attempts per reset link has to be limited, and the fictitious names should look as plausible as the real ones so the right answer doesn't stand out.
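Here is how the multiple choice recovery question described above could be put together, as an added illustration that is not code from the original post or from barnesandnoble.com. The account data and decoy name pool are constructed sample data; the 24-hour lifetime comes from the B&N email quoted earlier, while the three-attempt lock is my own assumption about a sensible limit for a one-in-five question. "None of the above" is always offered (and is the correct answer when the account has no gift shipments) so that its presence doesn't reveal whether the account has any history.

```python
import hmac
import random
import secrets
import time
from dataclasses import dataclass

# Constructed sample data standing in for the order-history store.
ACCOUNT_RECIPIENTS = {
    "alice@example.com": ["Dana Whitfield", "Marcus Obi"],
    "newcustomer@example.com": [],          # no gift shipments on file
}

# Constructed decoy pool; a real system would generate plausible names at scale.
DECOY_FIRST = ["Evelyn", "Rahul", "Tomas", "Priya", "Leah", "Kenji", "Omar", "Sofia"]
DECOY_LAST = ["Hartley", "Nakamura", "Okafor", "Brennan", "Delgado", "Moreau"]

NONE_OPTION = "None of the above"
DECOY_COUNT = 4                   # one real recipient plus four decoys, as proposed
TOKEN_TTL_SECONDS = 24 * 3600     # matches the 24-hour link lifetime in the B&N email
MAX_ATTEMPTS = 3                  # assumption: cap guessing on a 1-in-5 question


@dataclass
class RecoveryChallenge:
    token: str          # opaque single-use token carried in the reset link
    choices: list       # shuffled names shown to the user, NONE_OPTION last
    correct: str        # the one acceptable answer
    expires_at: float   # unix time after which the link is dead
    attempts: int = 0


def make_decoy(rng, exclude):
    """Generate a fictitious recipient that does not collide with real ones."""
    while True:
        name = f"{rng.choice(DECOY_FIRST)} {rng.choice(DECOY_LAST)}"
        if name not in exclude:
            return name


def build_challenge(email, now=None, rng=secrets.SystemRandom()):
    """Build the question for one account. Unknown accounts get an all-decoy question."""
    now = time.time() if now is None else now
    real = ACCOUNT_RECIPIENTS.get(email, [])
    decoys = set()
    # With real recipients: one real + DECOY_COUNT fakes. Without: DECOY_COUNT + 1 fakes,
    # so the user always sees the same number of names either way.
    wanted = DECOY_COUNT if real else DECOY_COUNT + 1
    while len(decoys) < wanted:
        decoys.add(make_decoy(rng, set(real)))
    if real:
        correct = rng.choice(real)
        choices = [correct, *decoys]
    else:
        correct = NONE_OPTION
        choices = list(decoys)
    rng.shuffle(choices)
    choices.append(NONE_OPTION)     # always offered, always last
    return RecoveryChallenge(secrets.token_urlsafe(32), choices, correct,
                             now + TOKEN_TTL_SECONDS)


def verify_answer(challenge, answer, now=None):
    """Check one answer. Returns (accepted, reason) and consumes an attempt."""
    now = time.time() if now is None else now
    if now > challenge.expires_at:
        return False, "expired"
    if challenge.attempts >= MAX_ATTEMPTS:
        return False, "locked"
    challenge.attempts += 1
    if hmac.compare_digest(answer.encode(), challenge.correct.encode()):
        challenge.expires_at = 0.0  # single use: burn the link on success
        return True, "ok"
    return False, "wrong"


def demo():
    """Walk through the flow with a seeded RNG so the run is reproducible."""
    rng = random.Random(1234)
    t0 = 1_700_000_000.0
    results = {}
    ch = build_challenge("alice@example.com", now=t0, rng=rng)
    results["choices"], results["correct"] = ch.choices, ch.correct
    results["wrong"] = verify_answer(ch, "Nobody Real", now=t0 + 60)
    results["right"] = verify_answer(ch, ch.correct, now=t0 + 120)
    results["replay"] = verify_answer(ch, ch.correct, now=t0 + 180)
    results["empty_correct"] = build_challenge("newcustomer@example.com", now=t0, rng=rng).correct
    late = build_challenge("alice@example.com", now=t0, rng=rng)
    results["late"] = verify_answer(late, late.correct, now=t0 + TOKEN_TTL_SECONDS + 1)
    lock = build_challenge("alice@example.com", now=t0, rng=rng)
    for _ in range(MAX_ATTEMPTS):
        verify_answer(lock, "Nobody Real", now=t0 + 1)
    results["locked"] = verify_answer(lock, lock.correct, now=t0 + 2)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the demo function is the sequence it exercises: a wrong guess costs an attempt, the right answer burns the link so it cannot be replayed, an expired link is refused even with the right answer, and after three wrong guesses the correct answer is refused too. Those are the properties that make a one-in-five question survivable as a recovery step.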
If it's really necessary to authenticate based on the credit card, the system could display the last four digits of the card and ask for the associated verification number, rather than making the user guess which card is on file. One caveat: PCI DSS forbids merchants from storing the card verification value after authorization, so the site would have to check it against the card processor rather than compare it locally. Either way, don't make the user go through the tedium of entering every possible card until they get lucky. If the user needs to reset their access info at all, they have almost certainly been away from the site long enough to have forgotten the details of any transactions that took place there.
(For completeness, the B&N web team did allow a user to create a new account, but why would I want to do that? Will I lose my account history? What's the impact of that option? I shudder to think of where that route would have led.)