There’s security, and then there’s stupidity.
We’re all familiar by now with the security pattern where you set up 2-3 questions that “only you” will know the answer to (well, only you and people who know you really well, anyway) in addition to your username and password. It essentially sets up a two-password system. If you can’t answer the first password (your security question’s answer) you never get to the second password, thus securing it.
Or something.
I have a lot of problems with that security pattern, which I won’t get into here, because this post isn’t about the security, it’s about the stupidity. It’s security when you ask me to set up a double-password system. Since it’s critical information, it’s good design and good sense to ask me to review the information before I submit it, and print it for my records. One password is hard enough to remember, but this pattern essentially asks me to set up three.
It’s stupidity when you decide that your security policies need to be strong that when you ask me to review my information for accuracy, you obscure the answers to my questions.
And yet… that’s what we have here.
I’m willing to guess that the vast majority of people are not dumb enough to fill out a registration form for a medical billing website on the Jumbotron of their local stadium, or anywhere else that would allow a significant number of people to view the process. So why make that registration even harder by blocking the review of critical account-access-granting information? It’s security absurdity.
