ONLINE PAYMENT: Security vs Human Factors

Along with online payment services comes the deep responsibility of keeping user data safe and secure. Many solutions have been brought in to thicken that wall of security, and many times I have noticed security being achieved at the cost of user experience. This rests on the notion that "you can suffer a little if you want it safe". I completely disagree with this notion, because I believe user experience and security must go hand in hand: a service designed to be more secure should handle that by itself, without asking for more effort from users. Below I consider two such services which I believe have an apparent void concerning user experience.

1. Security questions

2. One time passwords

SECURITY QUESTION: The past and the present

What is a security question? While setting up a transactional system, users are asked to either

• Select a few questions from a given set and set an answer to each, or

• Provide their own questions and answers

Later, during a transaction, the user is asked to provide the respective answers to those questions, thereby validating that transaction. This approach looks reasonable from the system's perspective. But from a human-factors point of view, this service relies completely on one particular faculty: human cognition. Within human cognition, it is memory which takes the burden of 'having to remember', and what matters is the past and present state of your memory.

Configuring an online transaction

Once a question is selected, the user has to configure an answer for it. The term 'configure' is used to address this fact:

• The data given by the user is not validated against the question selected. It can be anything within the given character limit.

Once configured, the question and answer pair up and form a single entity. From then on it acts as a secret key for all transactions.

What the system stores as a reference for that user is this key: the combination of the question and the answer given by the user. Later, during a transaction, to validate that user the system needs the "exact data" the user set before.

How can a user provide that exact data?

These are the three cognitive processes involved in that part of the transaction:

Read → Understand → Retrieve

READ  

To read the question clearly you need attention without distractions. Apart from some supporting information, any other data in that interface can add to the distraction. The presence of competing sensory input in the same modality can significantly impede the retention of information in an accessible state.

UNDERSTAND    

Understanding is all about the way you perceive that data (the question). The user should be able to perceive it the same way he did while configuring it, so it is about language: the language should be direct, sharp and simply structured so that it always reads the same. Next is the content: it should not create ambiguity for the user.

RETRIEVE 

The moment you understand the available content (the question), the related content (the answer) should already be activated in your memory. That should be recognition rather than recall. If you are putting extra effort into retrieving this content, then there is an equal chance of failing, depending on the strength of its association.

To recognize fast you need a strong and direct association between the question and the answer in your memory. It need not always be associated with the service.

To make it strong, it should either be very valuable information to you or information that is continuously rehearsed in your daily life. You should be able to retrieve that data irrespective of the service context: the question alone should be enough for you to remember the answer. If you associate the question and answer with the service, it leads to a weak association, because:

  • It is a fake or indirect answer you have set for the service alone.
  • Because of its irrelevance to daily life, it is not rehearsed, which keeps the association weak.
  • Transactions would have to happen continuously to activate it and make its association strong.

In this case, retrieval of the answer will always depend on the context, which comprises the service and the question. That means if you are setting an answer for the sake of that service alone, it is yet another password you are setting, one which needs conscious effort to retrieve. There is a high chance you will forget it unless you use it repeatedly.

How to make that data secure?

The role of security is to minimize the relative amount of unauthorized use. That can be achieved if this strong association is limited to the relevant user alone. But data with such a strong association is mostly personal information, which can easily be guessed or cracked by others. The best case for secured information is:

  1. A strong association
  2. Not guessable or crackable by others

For a particular user there will be only a few pieces of information which comply with both. They change from user to user, so it is difficult for a third-party service to address them correctly. Data with a weak association is mostly information that is difficult to remember. This creates a tendency in users to keep it in a more accessible state than their memory: on a medium like paper, notes, stickies, digital spaces, etc. The vast majority of security breaches come from intruders (or insiders) who exploit such human weakness, not from those who run code-breaking algorithms.
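As an added example (not code from the original post), here is how a service can store and check security-question answers so that the "exact data" demand of the configuration step above is relaxed to what a person can actually reproduce (case, spacing and punctuation are canonicalised), while the "not guessable or crackable" requirement from this section is still enforced at enrolment and the stored value is a salted, slow hash rather than the answer itself. Everything here is assumed for illustration: the normalize_answer, enroll_answer, verify_answer and is_weak_answer functions, the PBKDF2 parameters, and the small constructed list of common answers.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed, deliberately tiny denylist of answers an attacker would try first.
COMMON_ANSWERS = {"password", "123456", "none", "na", "mom", "dad", "god", "love"}

PBKDF2_ITERATIONS = 100_000   # assumed work factor; tune to the deployment's hardware


def normalize_answer(answer: str) -> str:
    """Canonicalise a free-text answer so harmless variations still match.

    The user is asked to reproduce the exact data set earlier; normalising
    Unicode form, case, punctuation and whitespace removes the variations a
    person cannot be expected to reproduce, without lowering guessability
    (an attacker would try those variants anyway).
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)   # "St. Mary's" and "St Marys" become the same
    return " ".join(text.split())         # collapse runs of whitespace, trim the ends


def is_weak_answer(answer: str) -> bool:
    """Reject at enrolment what is trivially guessed: very short or common answers."""
    norm = normalize_answer(answer)
    return len(norm) < 3 or norm in COMMON_ANSWERS


def enroll_answer(answer: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest) for storage; the plaintext answer is never kept."""
    if is_weak_answer(answer):
        raise ValueError("answer is too short or too common")
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest for the candidate (normalised the same way as at
    enrolment) and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode(), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    salt, digest = enroll_answer("New York")
    print(verify_answer("new  york", salt, digest))   # same answer, different typing
    print(verify_answer("Newark", salt, digest))      # different answer
```

The same normalisation must run at enrolment and at verification, otherwise the relaxed matching is lost; and the denylist check belongs at enrolment, not at verification, because rejecting a guess there would leak which answers are stored.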

ONE TIME PASSWORD

While configuring an online transaction, the user is asked to provide his personal mobile number. Once provided, this is treated as an authentication device for that user. After that, every time a transaction happens, an authentication code is sent to that number, and the user has to provide the code to complete the transaction.

Pros:

  1. No need to remember any data.

Cons:

  1. The human effort to read and temporarily cache the code.
  2. Depends on the accessibility of your device.
  3. Depends on the device's network coverage.
  4. Waiting for the message, which is not predictable.

There are two scenarios, based on where the application and the authentication device are:

  1. The application resides on the same device as the authentication device.
  2. The application resides on a different device.

Type 1 happens in the majority of scenarios. The user has to provide that data to the application to validate his access, thereby enabling the transaction. The human interventions needed here are Read, Cache and Type.

  1. The user has to read the code from the received message, cache it in working memory, retrieve it and type it into the transaction space.
  2. Any distraction can affect this process badly.

The aim of the application is to check whether the engaging user has access to the device. If it could self-authenticate on receiving the authentication data, the following issues would be solved:

  1. No user intervention is needed, reducing user effort.
  2. Human errors and mistakes are avoided.
  3. No need for a separate authentication code to be handled by the user.
  4. Validation happens internally.
  5. Less time is taken.

Type 2 happens when the user is on another device, such as a laptop or another mobile. These are the limitations in this case:

  1. The authentication device must be able to receive the incoming data:
    1. It must be switched on.
    2. It must have enough network signal.
  2. The engaging user must have access to the authentication device at that moment:
    1. He must be able to reach the device.
    2. He must be able to read the data on the device.
  3. The user must switch back and enter the obtained code in the application interface.
  4. All three of the above must happen within the stipulated time frame defined by the application.
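As an added example (not code from the original post), here is the server side of the one-time-password flow described in this section: a code is generated per transaction, sent to the registered number, and accepted only once, only within the stipulated time frame, and only for a limited number of wrong attempts. The OtpService class, the two-minute window, the three-attempt limit, the hypothetical domain pay.example.com and the in-memory message list standing in for an SMS gateway are all assumptions for illustration. The message's last line follows the "@domain #code" convention used by the browser Web OTP API; that is the kind of platform support that lets an application on the same device pick up the code itself instead of making the user read, cache and type it (Type 1 above), and code_from_message shows the parse such an application performs. The verifier does not change either way.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 120        # the stipulated time frame (assumed value)
MAX_ATTEMPTS = 3             # wrong guesses tolerated before the code is discarded (assumed)
APP_DOMAIN = "pay.example.com"   # hypothetical domain of the application


@dataclass
class PendingOtp:
    code: str
    phone: str
    issued_at: float
    attempts: int = 0


class OtpService:
    """Issues and verifies transaction-bound one-time codes.

    The clock is injectable so the expiry rule can be exercised without waiting.
    Messages are appended to ``sent_messages`` instead of going to an SMS gateway.
    """

    def __init__(self, clock=time.time, ttl=OTP_TTL_SECONDS, max_attempts=MAX_ATTEMPTS):
        self._clock = clock
        self._ttl = ttl
        self._max_attempts = max_attempts
        self._pending = {}        # transaction id -> PendingOtp
        self.sent_messages = []   # (phone, text) pairs, a stand-in for the gateway

    def issue(self, transaction_id: str, phone: str) -> None:
        # Fresh, uniformly random 6-digit code per transaction (never derived from
        # time or the transaction); reissuing replaces any earlier code.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[transaction_id] = PendingOtp(code, phone, self._clock())
        text = (
            f"Your payment code is {code}. It expires in {self._ttl // 60} minutes.\n"
            f"@{APP_DOMAIN} #{code}"   # Web OTP API line so the app can read the code itself
        )
        self.sent_messages.append((phone, text))

    def verify(self, transaction_id: str, candidate: str) -> str:
        """Return "ok" or the reason the code was rejected."""
        entry = self._pending.get(transaction_id)
        if entry is None:
            return "no_pending_code"
        if self._clock() - entry.issued_at > self._ttl:
            del self._pending[transaction_id]
            return "expired"
        # Constant-time comparison; stripping whitespace tolerates a pasted code.
        if not hmac.compare_digest(entry.code.encode(), candidate.strip().encode()):
            entry.attempts += 1
            if entry.attempts >= self._max_attempts:
                del self._pending[transaction_id]
                return "too_many_attempts"
            return "wrong_code"
        del self._pending[transaction_id]   # single use: a replayed code is refused
        return "ok"


def code_from_message(text: str) -> str:
    """Extract the code the way an app reading the SMS itself would: from the
    trailing ``@domain #code`` line."""
    last_line = text.strip().splitlines()[-1]
    return last_line.split("#", 1)[1].strip()


if __name__ == "__main__":
    svc = OtpService()
    svc.issue("txn-1", "+15550100")
    phone, text = svc.sent_messages[-1]
    print(svc.verify("txn-1", code_from_message(text)))   # first use succeeds
    print(svc.verify("txn-1", code_from_message(text)))   # replay is refused
```

Expiry is checked before the comparison so an attacker cannot keep guessing an old code, and the attempt counter lives with the code so a new code starts with a clean count; both are the server-side counterparts of the time-frame limitation listed above.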