Security Question Best Practices

UX RANT — Starwood Hotel Security Questions

Steven Brykman | December 16, 2016 | Mobile Strategy

We here at Propelics have been so busy providing our clients with the best mobile apps, prototypes, and strategies money can buy, it’s been a while since I’ve had a moment to pen a good UX Rant. But then suddenly, in the midst of the holiday season—a Christmas miracle! A shining star! A subject so errant in its ways, it demanded my immediate attention.

Ladies and gentlemen, I bring you…
The Starwood Hotel’s Preferred Guest Security Questions.

At first glance I wasn’t sure why the Starwood Preferred Guest program would even feel a 4-question level of security was justified (on top of username & password). But the more I deconstructed the list, the more apparent their true motives became. And sadly, they have little to do with security.

Let’s unpack them one at a time:


“What is your favorite Starwood hotel?”
First off, don’t combine marketing with security. If you’re going to be serious about security, then be serious about security. Besides which, who could remember such a thing? And did I use the name of the hotel or did I use its location? Strike one.

“What is your favorite vacation destination?”
Another terrible question. What if your answer changed since setting up the account 3 years ago? Will you still remember that your favorite vacation destination used to be Tahiti, then it was Bermuda, and now it’s Honolulu? Let me see…was it Bermuda or was it Tahiti? The point is people change. Donald Trump used to be a Democrat. Today, he’s a Republican. Next year, who knows?

“Where did you go on your first flight?”
Better. At least this one has a definitive answer that will not change over time, though some ambiguity remains: I went to Los Angeles but I flew into Long Beach. Would I have put Long Beach or Los Angeles? Or did I put LGB, the abbreviation for Long Beach Airport? And did I put Los Angeles: two words or LosAngeles: one word? Or did I connect them with a _?

“Where did you travel on your honeymoon?”
Not as good. Again, what if you’re like Donald Trump and you’ve had multiple marriages (3 to be exact)? Multiple marriages = multiple honeymoons = multiple honeymoon destinations. Unless he got some kind of bulk travel deal on a single location, that is…dude is pretty crafty that way.

“What is your preferred airline?”
I guess this one’s fine, though, again, personal preferences are vague, hard to remember, and have a tendency to change. Also, most people I know hate all airlines so this really wouldn’t apply. Maybe a better question would be: “Which airline do you despise the least?” I guess that’d be Jet Blue? But then one time I flew American and the seats were nicer. They had those bendy headrests…

“What is your preferred luggage brand?”
Seriously? This one just makes me feel bad about myself. I don’t have a preferred luggage brand! I couldn’t even name a luggage brand if you asked me to!! What kind of a traveler am I? This is more evidence of a marketing/security mixup. They’re going for travel-related questions: airlines, destinations, hotels. Don’t do it, Starwood! Because consider this: how can you get users excited about traveling if they can’t even access their account?

“What language would you most like to learn?”
Why? Are you offering lessons? (they probably are) Another hard-to-remember personal preference question. Because as before, the answer is not ‘what language would you most like to learn now?’ The answer is ‘what language would you most like to have learned when you created your account.’ It’s not a cold hard fact like: “What street did you live on in the 3rd grade?” Which didn’t even make the list.

“What is your favorite type of food?”
Not favorite food, mind you. Favorite TYPE of food. Um, so I guess I would’ve said “lobster ravioli” but that’s not a type. So maybe lobster? No, that’s not it. Seafood! Now, did I put “seafood”? Or did I put “sea food”? Hold up. Lobster ravioli also means ravioli, which counts as pasta. Maybe I put pasta?

“What is your favorite country to visit?”
Okay guys, I get it. You want me to think about traveling! Enough already. There’s only one country I love to visit. And that’s Gold Country!

“What is your favorite city in the world to visit?”
Did they even double-check these? How is this any different from my favorite vacation destination or my favorite country? Let’s see…I love Geneva, but the rest of Switzerland is a dump! See what’s happening here?

“What is your favorite island in the world?”
Does everybody really have a favorite island? Or just Mitt Romney (the answer being “The Cayman Islands”). Regardless, it’s a sure bet nobody ever put this island.

“What is your favorite place to ski?”
Blatantly anti-Semitic. Jews don’t ski.

“What is your favorite landmark?”
Does ‘J-U-M-B-O-S-C-L-O-W-N-R-O-O-M’ have an apostrophe or no?

“What is the location of your favorite family photo?”
This question suffers from a vague antecedent (on top of being generally ridiculous). Is this asking about my favorite family or my favorite photo? What if I remarried and have more than one family? More importantly, do people really have a favorite photo of their family? Wouldn’t that be whichever one you were the most drunk in?

“What is your most prized passport stamp?”
This one is extra weird. We’ve already covered favorite city, favorite island, and favorite vacation destination. Now I’m supposed to have a favorite stamp? Well, let’s see…I loved Ukraine, but the passport stamp was a real stinker!

“What is your favorite spa?”
If you’re anything like me, and have three young kids at home, any spa is your favorite spa! Whatever spa I’m at right now, that one right there is my favorite. So long as my children aren’t with me.

“What is your first Starwood hotel visited?”
See question one.

“What is your favorite item to order from room service?”
There are a number of ways I could get myself in trouble with my employer by answering this question so I will do the prudent thing and abstain from comedy in this instance.

“What is your favorite museum or attraction in the world?”
This one is especially problematic. How is the user to remember whether or not they answered with a favorite museum or a favorite attraction? Never, I repeat, never pull this sort of nonsense in your security questions!

“What was the last name of your favorite teacher?”
Okay. This one’s not bad. Except I have like at least 3 favorite teachers. I’m assuming most people do. How am I supposed to remember which one I put down when I created my security preferences!?

“In what city or town was your first job?”
Finally! An acceptable question—one with a definite answer that should be easy to remember and spell. Was that so difficult? Point Starbucks. I mean Starfruit. I mean Starwood.

“What was the name of your first pet?”
Another not-horrible question. You’re on a roll, Starwood! Unless, like me, you were allergic to all fur-bearing creatures as a child and had to settle for a plastic jug full of Sea Monkeys (aka brine shrimp) that three days later your autistic brother flushed down the toilet. And rightly so. Those things were gross.

“What did you want to be when you grew up?”
Weird tense-usage aside, this is a terrible question for one simple reason. Can you guess what it is? Exactly. People can guess what it is! Astronaut. Ninja. Superhero. Policeman (or woman). Firefighter. Ballerina. Nobody ever says, Accountant. Lawyer. Project Manager. And if the hackers (or the robots) can’t guess it, they can Google it.

“What is the name of your childhood best friend?”
Again, not bad. But like the favorite teacher question, I had like 3 best friends. Make that 5, depending on what age we’re talking. But even a seemingly innocuous thing like asking for “the name”—and not specifying first or last name—is ambiguous and could lead to user frustration. Let’s see…did I put her first name? Her last name? Both names? Both names as one word? I’m guessing this one got cut & pasted in from another website, based upon the tense variation (is, not was) and the unspecific nature of the request.

“What is your favorite airport?”
Who the hell has a favorite airport? Doesn’t everybody hate ALL airports?? Okay, the one at Long Beach is kind of nice but that’s just because it’s tiny and mostly outside. O’Hare. That’s my favorite. Now did I put O’Hare or did I put Ohare or did I put ORD!? Confound you, poorly conceived security question!!!

“What tops your travel wish list?”
I take it back. This is the worst possible security question ever. I thought the museum/attraction question was bad, but this one takes the cake. Not only is it incredibly vague (is it asking for a place, an activity, a food?), it doesn’t even seem like it can be answered in a word or two. It’s basically an essay question!

Look. We’ve had a lot of fun here. But the point is, as serious as Starwood Hotels wants us to think they are about security, the actual questions don’t reflect this. Rather, they display an obsession with marketing and a flippant attitude towards security that can only result in user-frustration. It’s as if some over-ambitious marketing exec was like, “Hey, wouldn’t it be fun if all the security questions revolved around vacations and hotels and so forth? How clever would that be? It would be an extension of our brand!”

But here’s the thing. Security questions aren’t meant to be fun. They aren’t meant to reinforce your brand. They are meant to be a pain in the ass. Period. They are simply there to keep people (and robots) from accessing your account. So don’t horse around. Keep the questions simple. And be sure each one has a definitive, easy-to-remember, factual answer. Preferably the answers should be a single word, but not one that’s easy for a robot to guess (e.g. What was your first brand of car?). Yes, these questions are all speed-bumps that increase user-friction. This is exactly what they’re meant to be. There is no cutesy workaround, so get over it.
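One defensive way to turn the two points above (answers must be a definite fact, and formatting ambiguity such as “Los Angeles” vs “LosAngeles” or “O’Hare” vs “Ohare” must not lock users out) into an implementation, as an added example that is not part of the original post: normalize the answer before hashing it, reject answers that are too short or too guessable, and store the result the way you would store a password. The common-answer list and the PBKDF2 parameters are assumptions for illustration.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional, Tuple

# Constructed, illustrative denylist of answers that are easy to guess
# (assumption: a real deployment would use a much larger list).
COMMON_ANSWERS = {"astronaut", "ninja", "superhero", "policeman",
                  "firefighter", "ballerina"}


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer so case, spacing, punctuation and accents do not
    turn a correct memory into a lockout: 'Los Angeles', 'LosAngeles',
    'los_angeles' collapse to one form, as do "O'Hare" and "Ohare".
    Genuinely different answers (ORD vs O'Hare) stay distinct."""
    decomposed = unicodedata.normalize("NFKD", answer)
    ascii_only = decomposed.encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_only.lower())


def is_guessable(answer: str) -> bool:
    """True for empty, very short, or denylisted answers (reject at setup time)."""
    canonical = normalize_answer(answer)
    return len(canonical) < 3 or canonical in COMMON_ANSWERS


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 over the normalized answer; never store plaintext.
    The iteration count is an illustrative assumption, not a recommendation."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), salt, 200_000)
    return salt, digest


def verify_answer(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of the candidate against the stored digest."""
    _, digest = hash_answer(candidate, salt)
    return hmac.compare_digest(digest, stored)
```

Normalization deliberately discards case and punctuation, so it costs a little entropy; the trade is usually worth it because a locked-out user is exactly the failure mode this post describes.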

Starwood Hotels, you are officially on notice. We strongly suggest you contact Propelics ASAP to schedule a complimentary 30 minute call with our Strategists to help reform your security process and bring it up to speed with current best practices.

Steven Brykman

Steven is a Digital Strategist and UX Architect focusing on Mobile Products with a diverse background in writing and literature. He spent much of the last decade as Creative Technologist/Lead Strategist of his own design company, helping Fortune 500 companies define the direction of their digital campaigns, websites and mobile applications. Additionally, he co-founded Apperian, a Boston-based mobile technology startup.
