Week 11: Password Resetting

Welcome to week 11 of UX Design Roundup where we will be comparing how two banks handle resetting passwords.  Since this user experience deals with sensitive matters, I will be referring to our two contenders as Bank A and Bank B.  If you're wondering what happened to Week 1, it was testing the prototype for a meat-based diving suit in shark-infested waters.  Something about that seemed risky to me, but it seemed confident…


Bank A

Like most banks or high-security businesses, this bank requires its users to change their passwords periodically by putting an expiration date on them.  In an increasingly digital world, it's also common practice for users to use a handful of different passwords that each have multiple versions.  Bank A understands this and does not allow a user to re-use their last three passwords.  Invariably, a user is going to forget a password though, and will need to reset it.

Bank A first asks for a username or email address to figure out the password they need to update.  Once that is provided, they ask the user to verify a code (that is small and easy to remember) sent to either the email address or the phone number associated with the account to make sure it is really them.  Once that is done, they double-check by challenging the user with a security question.  If the user passes both of these tests, the bank then asks for the new password they wish to use.  When the user hits submit, they are logged into their account to do whatever it is they came to do.


Bank B

This bank follows the same basic patterns but manages to mishandle a few steps that cause a colossal amount of aggravation in the process.  First, instead of not allowing the last three passwords, they don't allow the user to use any previous passwords.  That's annoying, but we will loop back to the real pain point there in a minute.

If you need to reset a password, Bank B sends you a temporary password instead of a verification code like Bank A does.  Instead of a short, easy-to-remember code, you get a large-ish string of characters and numbers with varying cases.  You then need to provide this temporary password for verification which can be tricky, but not too bad.  You are then asked to verify your computer, even if you have used the same one a hundred times before.  To do that, you have to enter in a short, easy-to-remember code that they either text or email to you.  After that, you are challenged with a security question and probably quite irritated.

Finally, you are asked to change your password.  What is the first thing you need to do to accomplish that?  Enter your old password, of course!  The first time you encounter this, it's probably enough to send you into a rage before it clicks that they mean the temporary password they sent you.  Of course, that was not the last text message you got from them, so you have to scroll back to find the not-easy-to-remember password they sent you.  You know, the one you already gave them.  Finally, you just need to pick a new password and you're good to go.  Except you can't use any password you have ever used before, which means you will quickly need to use an uncommon variant of one of your regular ones or come up with a brand new one.  Either way, it's almost guaranteed you won't remember it next time and will have to repeat this entire cycle again.
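The two reuse rules described above (Bank A's "not your last three", Bank B's "nothing you have ever used") come down to one parameter in a history check over salted hashes. This is an added example, not part of the original post or either bank's code; the function names, the PBKDF2 settings and the sample passwords are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed example value; tune to your hardware and current guidance


def hash_password(password, salt=None):
    """Return (salt, digest) for storage, with a fresh random salt per password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def is_reused(candidate, history, keep=3):
    """True if candidate matches one of the `keep` most recent passwords.

    history: list of (salt, digest), oldest first.
    keep: positive int (Bank A style) or None to check every entry (Bank B style).
    Each entry has its own salt, so the candidate is re-hashed once per entry.
    """
    recent = history if keep is None else history[-keep:]
    reused = False
    for salt, digest in recent:
        _, probe = hash_password(candidate, salt)
        # Constant-time compare and no early exit, so timing does not
        # reveal which stored entry matched.
        reused |= hmac.compare_digest(probe, digest)
    return reused


def change_password(candidate, history, keep=3):
    """Store the new hash if the policy allows it; return whether it was accepted."""
    if is_reused(candidate, history, keep):
        return False
    history.append(hash_password(candidate))
    if keep is not None:
        del history[:-keep]  # a last-N policy only ever needs N stored hashes
    return True
```

With `keep=None` the history list grows with every change, so the never-reuse rule also means retaining every old password hash for the life of the account.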

Conclusion

Resetting your password shouldn't be too easy, for security reasons, but that is no excuse for making the process as painful as possible.  Bank A understands this and has made sure their process is secure but as efficient as possible.  Bank B, on the other hand, not only asks you to do the same things repeatedly for no reason but also takes actions that ensure you'll have to endure the pain as often as possible.  Be sure to join us again next week for the final round of UX Design Roundup!
