Since it became possible to do banking over the Interwebs (at least with the Banks I’ve used), I’ve usually signed up to do so. At first it was because the Geek in me wanted to play with the new toy. Then it was because it was often easier than finding time to drive to a parking area close to the actual bank, then to a parking area further away that actually had free parking spaces, then wait in line for ages.
Nearly every Web Banking site I’ve used has had a different approach to how you log into it. They all have the same general Account Number/Password (or PIN) concept, but it’s been implemented in many different ways. I thought I’d go over the ones I’ve used, and pick them apart for fun.
Bank 1: Account Number and Password are Both Fields.
In this case, you enter the Account Number into a standard text field, and the Password/PIN into a standard password (obfuscated) field. Here they rely on SSL (Secure Sockets Layer, the technology that encrypts whatever is sent across the Interwebs, these days in its successor form, TLS) to provide security and hide the password/PIN as it’s transmitted to the bank.
From a usability point of view, this one is quite good. It’s the same login we see in just about every other website, so there’s nothing new to learn, and it’s not difficult to use.
From a security standpoint, it can fall foul of key-loggers and the like, since the password is only encrypted on the link to the Bank; anything running on your own machine sees it in the clear before it ever gets that far. Also, if you’re a slow typist, it gives a “shoulder surfer” more of a chance to catch your password. It usually allows the widest range of passwords, but if someone can key-log (or shoulder surf) you, then it doesn’t really matter how clever your password is.
Bank 2: Account Number Field and Alpha-Numeric On-screen Keyboard.
In this set-up there’s a standard text field in which you enter the Account Number. There’s also a field into which the password/PIN goes, but you can’t type into that directly. Instead there’s an on-screen Alpha-Numeric ‘keyboard’ that you use to enter the password/PIN; every click on that keyboard enters a character into the password field (which is still obfuscated in the standard password way). In every case I’ve seen so far the keyboard has the numbers across the top, then two or three rows of letters in alphabetical order.
One downside in usability here is that the keyboard is not in QWERTY format which means even touch typists will have to hunt a bit for each letter. The obvious answer to this objection is that “everyone” knows the alphabet but not everyone is a touch typist. However, I’d assert that “everyone” knows the alphabet as a single dimensional string of letters (‘A’, ‘B’, ‘C’, etc) while the keyboard is multiple rows (a two dimensional block of letters), so some hunting to at least find the right row is necessary. If hunting is going to be necessary anyway, why wouldn’t you make it at least easier on one group, rather than harder on both groups?
Please don’t mention DVORAK.
The other downside, at least for touch-typists, is that clicking each key with the mouse is much slower than typing the password on a real keyboard.
From a security point of view this setup has the advantage that a key-logger won’t pick up the password, since no keys are pressed. It’s also possible to have each on-screen key send back something different from what’s displayed on it, so the mapping can be ‘random’ each session, making it harder to work out the real password/PIN from the logged clicks (though anything that also grabs the screen at each click isn’t fooled). On the other hand, each button on the keyboard is in the same location each time, and, even with a QWERTY layout, you have to move the mouse and click each button, meaning it’s shoulder surfer heaven!
The on-screen keyboard also vastly restricts the choice of passwords, since there are usually no punctuation characters you can use and the letters are usually one case (usually upper-case). This restriction isn’t unique to the on-screen keyboard, though: some systems that use standard password fields also reject passwords with punctuation in them.
Bank 3: Account Number Field and Randomly-Ordered On-screen Numeric Keypad.
This is very similar to Bank 2, except that the keypad contains only numbers (ignoring such buttons as “Delete” or “Clear”), and the numbers are in a random order. So, for example, one login might get you a keypad that looks like this:
1 9 7 8 4 2 5 0 3 Del 6 Clear
While the next time you log in, you might get this:
3 2 0 9 6 5 1 4 8 Del 7 Clear
This has one obvious advantage for security: even if some kind of key-logger/mouse-logger records which buttons you clicked, it doesn’t help, because the same positions will be different digits the next time. (A logger that also captures the screen at each click still gets your PIN, so this only defeats the dumber kind.) On the other hand, you are limited to digits, which both reduces the PINs you can have and means Yet-Another-Number to remember. We humans seem to have problems remembering just numbers. At least, I do.
My original “concern” when I first saw this was that you’d be hunting for the numbers, meaning a “shoulder surfer” had a better chance of working out your PIN. However, I’ve found that you can quickly ‘learn’ the new number layout, and use it almost as quickly as a regular keypad. I’m not sure if this is because we’re used to flipping between calculator style (starting with 789 on the top row) and phone style (starting with 123 on the top row), or if it’s because there are only 10 digits, and therefore the brain can easily remember the positions of those few numbers. Or perhaps I’m just strange.
Note though, that “as fast as a regular keypad” still means moving a mouse, and clicking, which makes it easier for someone looking over your shoulder.
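To make the Bank 3 idea concrete, here is an added example of the server-side half of a randomly-ordered keypad (my own illustration, not any bank’s code). The browser only ever renders the layout and reports which button positions were clicked; the server keeps the layout in the session and maps positions back to digits. The two fixed layouts are the ones shown above; `new_layout()` is what a server would actually call per login, and the PIN “1234” is a constructed sample.

```python
import hmac
import secrets

# Server-side half of a randomly-ordered on-screen keypad (added example, not a bank's code).
# LAYOUT_A / LAYOUT_B are the two keypads shown in the post; index i is the digit printed
# on the i-th button.
DIGITS = "0123456789"
LAYOUT_A = list("1978425036")   # first login:  1 9 7 8 4 2 5 0 3 6
LAYOUT_B = list("3209651487")   # second login: 3 2 0 9 6 5 1 4 8 7


def new_layout() -> list:
    """Return a fresh random permutation of the ten digits for one login session.

    The layout lives in the server-side session only. Never accept a layout sent back
    by the client, or an attacker can choose the position-to-digit mapping themselves.
    """
    digits = list(DIGITS)
    # Fisher-Yates shuffle driven by secrets.randbelow() (random.shuffle is not a CSPRNG)
    for i in range(len(digits) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        digits[i], digits[j] = digits[j], digits[i]
    return digits


def clicks_for_pin(layout: list, pin: str) -> list:
    """What a mouse/click logger sees: the button index the user clicks for each PIN digit."""
    return [layout.index(d) for d in pin]


def pin_from_clicks(layout: list, clicks: list) -> str:
    """Server side: turn submitted button indexes back into digits with this session's layout."""
    if any(not 0 <= c < len(layout) for c in clicks):
        raise ValueError("button index out of range")
    return "".join(layout[c] for c in clicks)


def check_login(layout: list, clicks: list, stored_pin: str) -> bool:
    """Decode the clicks and compare in constant time.

    A real system compares against a salted hash and rate-limits attempts; the point here
    is only the index-to-digit mapping.
    """
    submitted = pin_from_clicks(layout, clicks)
    return hmac.compare_digest(submitted.encode(), stored_pin.encode())


def replay_recovers_pin(stored_pin: str, layout_seen: list, layout_next: list) -> bool:
    """Does replaying the click indexes captured under layout_seen log you in next session?"""
    captured = clicks_for_pin(layout_seen, stored_pin)
    return check_login(layout_next, captured, stored_pin)


if __name__ == "__main__":
    pin = "1234"  # constructed sample PIN
    captured = clicks_for_pin(LAYOUT_A, pin)
    print("clicks captured under layout A:", captured)
    print("same clicks decoded under layout B:", pin_from_clicks(LAYOUT_B, captured))
    print("replay works next session?", replay_recovers_pin(pin, LAYOUT_A, LAYOUT_B))
```

Replaying the four positions captured under the first keypad decodes to “3586” under the second one, which is exactly the property the post describes. The example also shows the limit of that property: an attacker who captures the layout as well as the clicks (a screen-grabbing logger, or a script reading the page) has everything needed to recover the PIN.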
Bank 4: Account Number Field and On-screen Moving Numeric Keypad.
If I were Jewish I’d probably say “Oy vay!” or something equally stereotypical. In this case the Account Number is entered via the standard text field. The PIN, on the other hand, is entered into a floating keypad that moves around the screen with every press of a key on it. There’s also the possibility of the numbers reordering themselves with each move.
Seriously. What the heck were the designers thinking? Yes, it makes it hard for anything to log what you ‘typed’. It also makes it very easy for shoulder surfers to work out your PIN, since not only do you have to search for the right number, but you also have to hunt for the damned keypad with each click!
I’ve only seen one system that did this, and it no longer does, so perhaps sanity prevailed, and the person who came up with the original idea is now on a deserted prison isle rethinking their life choices. I can hope.
Bank Hot-Pink Monkey Socks: Well How Would You Do It Then?
So, if I were designing a bank log-in screen, how would I do it? After all, it’s fun to pick on other designs, but harder to come up with a decent one yourself.
Before I start, I’m going to dismiss one of my objections above. The “shoulder surfer” problem is an issue with almost all entry methods, and if you have this problem, then you need to fix that before you even attempt to log-in anywhere.
So, having said that, I’d probably start by keeping the standard text field for account number entry. Why change something that seems to work, and is a “standard”?
The real trick is the password/PIN entry, and at this point you have to make the decision as to what to allow. The choices are:
- Upper and lower case letters, numbers, and a set of common punctuation symbols.
- Upper and lower case letters, and numbers.
- Upper (or lower) case letters, and numbers.
- Upper (or lower) case letters only.
- Numbers only.
- Pretty pictures.
- Patterns of presses.
With the last two I’ve drifted a little from what we’ve already talked about. One Bank briefly introduced what it called “Factor 2”. The idea was that you logged in as usual, but if you did anything like transferring a large amount of money out of your account, it presented you with a grid of pictures. You’d earlier chosen three pictures in a specific order, and to “pass” the Factor 2 test you had to click the correct pictures in the correct order from amongst the otherwise randomly chosen, and randomly ordered, pictures.
So we’re not limited to traditional letters or digits, or even to any strict order of input. If your password is “Password”, for example, go and change it now. If you haven’t listened to me, then you’re used to entering the word “Password” by pressing “SHIFT-p”, then “a”, then “s”, followed by “sword”. Each letter is entered in strict order, because that’s how words work. PINs work in just the same way. If your PIN is “1234” then you’ve been watching too much Spaceballs, but you’d also enter it “1”, then “2”, then “3”, and finally “4”. “4123” is a completely different PIN. But it doesn’t have to be; that’s just convention. The convention also makes the number of possible PINs larger and harder to guess: with order mattering, a four-digit PIN has 10,000 possibilities, whereas if “1234” and “4123” counted as the same PIN there would only be 715 distinct bags of four digits to try.
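Since the list of choices above is really a list of keyspace sizes, here is an added example (my own, not from the post) that puts numbers on each option, on the ordered-versus-unordered PIN point, and on the Factor 2 picture grid. The punctuation-set size (32, giving the 94 printable ASCII characters) and the 16-picture grid are assumptions for the sake of the arithmetic; the post doesn’t say what either bank used.

```python
import math

# Character-set sizes behind each password/PIN choice listed in the post.
# The 32-symbol punctuation set and the 16-picture grid below are assumed values.
ALPHABETS = {
    "upper+lower+digits+punct": 26 + 26 + 10 + 32,  # 94 printable ASCII
    "upper+lower+digits":       26 + 26 + 10,       # 62
    "upper+digits":             26 + 10,            # 36 (typical on-screen keyboard)
    "upper only":               26,
    "digits only":              10,
}


def ordered_keyspace(alphabet_size: int, length: int) -> int:
    """Secrets where order matters: each position independently takes any symbol."""
    return alphabet_size ** length


def unordered_keyspace(alphabet_size: int, length: int) -> int:
    """Secrets where order does NOT matter (a bag of symbols): multisets of size `length`."""
    return math.comb(alphabet_size + length - 1, length)


def picture_sequence_keyspace(grid_size: int, picks: int) -> int:
    """Factor 2 style: `picks` distinct pictures chosen in a specific order from a grid."""
    return math.perm(grid_size, picks)


def bits(n: int) -> float:
    """Keyspace expressed as bits, assuming the secret is chosen uniformly at random."""
    return math.log2(n)


def compare(length: int) -> dict:
    """Keyspace of a `length`-symbol secret under each character-set choice."""
    return {name: ordered_keyspace(size, length) for name, size in ALPHABETS.items()}


if __name__ == "__main__":
    for name, n in compare(8).items():
        print(f"{name:26s} {n:>20,d}  ({bits(n):5.1f} bits)")
    print("4-digit PIN, order matters:", ordered_keyspace(10, 4))
    print("4-digit PIN, order ignored:", unordered_keyspace(10, 4))
    print("3 of 16 pictures, in order:", picture_sequence_keyspace(16, 3))
```

These are upper bounds: they assume users pick uniformly, which they don’t (“1234” and “Password” being the point of the paragraph above). For a four-digit or three-picture secret the keyspace is small enough that what actually protects the account is the bank’s limit on wrong attempts, not the width of the secret.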
Factor 2 was a good attempt at something new. Experimentation like that may one day come up with better ways to enter security information. Better, in this case, meaning both “easier for the user” and “more secure”.
There are also other methods, for example ‘Biometrics’ that read things such as fingerprints in an attempt to prove you are who you say you are. Most of these methods rely on extra equipment, and expense, and simply aren’t common enough to use for Online Banking. So I’m going to conveniently ignore them.
All this is leading up to me saying that Bank Hot-Pink Monkey Socks will use some kind of password/PIN entry. This is mainly because people know and accept the concept already. One problem any new concept has is getting people to accept it, and I’d prefer people to use my web interface rather than bothering my human tellers!
Much as I like the ‘random numeric keypad’ idea, I think I’d stick with the on-screen alpha-numeric keyboard. However, I think I’d either make it QWERTY, or configurable. I might even give the option to put the numeric keypad to one side as well as across the top.
So, would you like to bank with Hot-Pink Monkey Socks?