Supporting password recall through design
Human memory is the downfall of all password security systems, making most harder than they need to be.
Name: Foolproof Team
Date: 15th April 2014
There’s some debate as to how many password-protected products a person has, but it’s in the region of 50.
While designing credential systems for security is always a priority, businesses often neglect to design to effectively support human memory. I was recently reminded how important it is to consider password recall when designing online log-in processes. Away from home on a short break, I needed to access my online banking. So, I opened my (infrequently used) app, and was prompted to enter three numbers from my six-digit ‘passnumber’. Despite logging into online banking on desktop at least weekly, I drew a complete blank. What was my passnumber again?
Unknown to me, the mobile app had omitted a step which I would normally need to complete on desktop – disrupting my usual task flow. I guess this is a bonus - fewer pieces of information for me to remember and one less step in the process – but it interfered somehow with my mental recall.
Terminology confusion
I don't refer to my own details using the ‘passnumber’ terminology used by the bank at all. I just know to enter two numbers (one in full, one in part) and a word, in sequence. It struck me that I'd never consciously engaged with this process before, my fingers and subconscious brain had done the work for me, through habit built up over time, practice and familiarity, on my PC.
I tried and failed several times before being locked out of my online banking for three to five working days. After re-registering, I received my new six-digit passnumber in the post, along with the message: "Memorise it and securely destroy the tab. Your details are personal to you and should be kept secure. Never write them down". The number didn’t feel ‘personal to me’. Expecting your customers, particularly infrequent users, to be able to commit a meaningless six-digit number instantly to memory is ambitious.
Cross channel (in)consistency
There were inconsistencies in the experience and process between the desktop and mobile channels, both in terms of the credentials that were being asked for and the visual design and layout of the fields.
Most customers who bank with my provider have been transferred to using their card and reader to log on to online banking. So, why on the app do they revert to the Memorable Information (MI) model and ask for a passnumber? Are users now expected to remember their MI for logging in on mobile, but a different process for desktop?
In order to support users' mental models and learned behaviours, consistency across channels is important. Of course, it makes sense to streamline and fast-track the experience on mobile, but without losing some familiarity and consistency with the desktop journey. For instance, if my customer number had been visible on the page and pre-filled, I might not have got this mixed up. If the field layout had been visually consistent (the dropdowns are presented horizontally on mobile vs. vertically on desktop) this might have triggered me to know which number I should enter.
Motor memory
My usual process for entering my customer number on desktop relies heavily on motor memory.
When entering my credentials on PC it almost feels that my fingers know the customer number instinctively by the physical pattern and rhythm on the keyboard.
But switching channels to the mobile app threw me by removing the preceding step and changing the visual design. It feels like there’s something learned in my brain meaning that without having to recall the first number, I am unable to recall the second.
Try for a moment: can you recall the last six digits of your phone number?
I bet you just reeled through the entire number first, before getting to it. Your memory retrieval process and sequence has been interrupted.
Motor memory is one of the more mysterious domains of memory. But, as one of the most durable, it raises an interesting question as to whether we should be consciously designing to harness our motor memory capacity more effectively, especially with the move towards more gesture-controlled interfaces. Compared to other forms of mental workload (the human energy and attention used by the brain during mental work), motor memory also puts the lowest load on the user. It is the ‘least expensive’ to the brain, compared to cognitive loads and visual loads.
Contextual cues
What effect did my context have on my ability to retrieve my passcode? It almost felt as if my inability to remember was in part to do with the unfamiliar context in which I was entering the information.
I remember learning an age-old theory back in psychology class that memory recall is best when in the same context in which the memory was created. I’ve experienced this from sounds and smells - how powerful a certain piece of music or smell can be to take you back in time. But does this theory extend to digital experiences? Are you more likely to remember how to use a particular piece of software or application when in the same context in which you learnt it? And are there implications for designing systems which are heavily load-bearing on a user’s memory, but are used across various channels and contexts?
Distraction
A final factor in my memory lapse was the distracting situation in which I was using the app. On mobile, people are more likely to be multi-tasking, multi-screening, talking, distracted by their environment and the people around them. Users often assign only a portion of their cognitive capacity to the task at hand on mobile: they are not concentrating, and the interface is only glance-able visually, with the physical interaction of their fingers and thumbs taking on some of the workload.
Tips for supporting memory through design
My frustrating password experience is unfortunately not an isolated incident. Through the design research we do at Foolproof, we’re often testing journeys which include the signup and log-on process, and exploring participants’ behaviours and experiences around managing their passwords. The large majority of users rely on weak passwords, or use technology or notebooks to write them down.
What I extracted from this experience was a reminder to design holistically for all of the senses and to work with the human brain and memory systems not against them. This experience has taught me that to design to support memory, we should:
- Provide cross-channel consistency across core processes and learned behaviours: The classic usability heuristic of ‘consistency’ gains particular importance when designing cross-channel experiences. However, siloed teams or the use of third-party design teams often mean that the experience on each channel, even the credentials model, is being developed in isolation.
- Design to support physical, as well as visual, pattern recognition: Thinking about the physical interactions as well as consistency in the on-screen UI is essential, especially for touch and gestural interfaces.
- Provide flexibility and user control over learned information: Do not force overly restrictive credentials models on your users. Improve memorability by allowing flexibility in the format and including a reminder of the ‘rules’ enforced where possible. Where appropriate, provide workarounds which allow people to re-access the service immediately, particularly on mobile.