[IxDA Discuss] Security on the web: how far do we go?
Katie Albers
katie at firstthought.com
Fri Mar 7 14:38:49 PST 2008
Well, ignoring the account blockage question for the moment: There
are exactly zero situations in which it's acceptable for a company to
dictate usernames and/or passwords for their employees on external
web sites. If you put your employees in a situation where the only
way they can reliably recall their necessary usernames and passwords
is by writing them down, they will write them down...and so much for
the security angle.
As far as the account blockage question, that may be acceptable in
certain situations, but only if there is immediately available 24/7
human backup at a toll-free number...and by that, I mean toll-free
where the employee is standing. Far too many companies still hold the
bizarre belief that "We have an 800 number,..." is an adequate
response to the need for a worldwide toll-free assistance...which
means that the assistance isn't available outside the US and Canada.
Waving your hands and applying the maximum number of mysterious, hard
to remember, magic words is not the same thing as providing security,
and that's what is happening in a situation like your girlfriend's.
So, my solution to these cases in general is to combine a
user-selected username, a user-selected password, and 24 hour free
access to help. It isn't perfect, but it has a much higher chance of
working to everyone's benefit than this system has.
Katie
At 12:02 AM +0200 3/8/08, Sebi Tauciuc wrote:
>My girlfriend is on a business trip in another country, and she was trying
>to book herself a plane ticket back (her stay was longer than expected). She
>tried to login to the travel company's web site, but she wasn't sure about
>the username (picked by her company) and password (she has several), so she
>failed the login 3 times. Without any notice, her account was blocked and
>she was told to contact the admin/support to unblock it. I don't know if
>they have customer support available on weekends, but anyway now there is a
>good chance she may have to book a later flight and spend another night or
>two in the hotel. And it all happened in a few seconds.
>Maybe this isn't a very common case, but still I was wondering: couldn't
>such situations be avoided? Is security a good enough justification to block
>a customer's account? How far should we go?
>
>Sebi
>--
>Sergiu Sebastian Tauciuc
>http://www.sergiutauciuc.ro/en/
--
----------------
Katie Albers
katie at firstthought.com
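One way to keep the brute-force protection without the "blocked, call support" outcome Sebi describes is a per-account throttle that delays rather than locks, tells the user how many free attempts remain, and forgets old failures. The following is an added example for this thread, not code from the travel site or from anyone on the list; the policy numbers (three free attempts, a 30-second first wait doubling to a 15-minute cap, failures forgotten after a day) are assumptions chosen for illustration.

```python
"""Self-expiring login throttle: escalating waits instead of a hard lock.

Added illustration for this thread; not the travel site's code. The
parameter defaults below are assumptions, not anything the thread states.
"""
import time
from dataclasses import dataclass


@dataclass
class _State:
    failures: int = 0        # consecutive failures still being counted
    last_failure: float = 0  # clock value of the most recent failure
    retry_at: float = 0      # earliest clock value at which a try is allowed


class LoginThrottle:
    """Per-account throttle: no permanent lock, only escalating waits.

    free_attempts: failures allowed with no wait (the UI should warn each time).
    base_delay:    first wait, in seconds, once the free attempts are used up.
    max_delay:     cap on the wait, so a forgotten password never means
                   "call support", only "wait up to max_delay".
    forget_after:  a failure older than this no longer counts.
    clock:         injectable time source so the policy can be tested offline.
    """

    def __init__(self, free_attempts=3, base_delay=30, max_delay=900,
                 forget_after=86400, clock=time.time):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.forget_after = forget_after
        self.clock = clock
        self._accounts = {}

    def _state(self, user):
        st = self._accounts.setdefault(user, _State())
        if st.failures and self.clock() - st.last_failure > self.forget_after:
            self._accounts[user] = st = _State()  # stale record: start over
        return st

    def status(self, user):
        """Return (free attempts left, seconds until the next try is allowed)."""
        st = self._state(user)
        wait = max(0.0, st.retry_at - self.clock())
        left = max(0, self.free_attempts - st.failures)
        return left, wait

    def attempt(self, user, check_password):
        """Run check_password() unless the account is in its wait period.

        Returns 'ok', 'bad-password', or 'wait'. During a wait period the
        password is not even checked, so guessing gains nothing from retrying.
        """
        st = self._state(user)
        now = self.clock()
        if now < st.retry_at:
            return 'wait'
        if check_password():
            self._accounts.pop(user, None)  # success clears the record
            return 'ok'
        st.failures += 1
        st.last_failure = now
        over = st.failures - self.free_attempts
        if over > 0:
            # 30 s, 60 s, 120 s, ... capped at max_delay; never a permanent lock
            delay = min(self.max_delay, self.base_delay * 2 ** (over - 1))
            st.retry_at = now + delay
        return 'bad-password'


def demo():
    """Replay Sebi's scenario with a fake clock and a constructed password.

    Four wrong guesses, then the right password during the 30 s wait (refused),
    then the right password after the wait has passed (accepted).
    """
    clock = [1_000_000.0]
    throttle = LoginThrottle(clock=lambda: clock[0])
    secret = "correct horse"  # constructed sample credential
    outcomes = []
    for guess in ["pass1", "pass2", "pass3", "pass4"]:
        outcomes.append(throttle.attempt("sebi", lambda g=guess: g == secret))
    outcomes.append(throttle.attempt("sebi", lambda: "correct horse" == secret))
    clock[0] += 31
    outcomes.append(throttle.attempt("sebi", lambda: "correct horse" == secret))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The difference from the site in Sebi's story is in `status()` and the wait: the UI can say "2 attempts left" and later "try again in 30 seconds", and the worst case for someone who genuinely forgot a password is a bounded wait, not a support call from another time zone. The wait does cost a legitimate user a few minutes after many failures, which is the trade-off being made.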