Tuesday, December 17, 2013

LinkedOut

I admit I'm pretty bad about keeping my LinkedIn account up-to-date, even though I've heard it's what you're supposed to do to make yourself more marketable. It's just that lately I've been feeling pretty guilty about all the unanswered endorsements showing up in my email. So today I finally decided to fire up my browser and hit the LinkedIn website to "return the favor".

Turns out I couldn't recall my LinkedIn password nor had I recorded it in LastPass. I figured I must have used one of my reusable passwords (gasp!). So I attempted to log in with one of those:

nyob is not my email address of course
After pressing the Sign In button I saw the following:

The hated captcha
A bit of a shock. There is now a CAPTCHA (I'm going to use lower case from now on so it doesn't seem like I'm shouting) step as part of the login sequence. Later I discovered that LinkedIn added this step when they detect logins from a different device, i.e. no LinkedIn cookie detected.

Of course I had to refresh the first captcha as I couldn't tell what the numbers were in the photo portion of the captcha (can you?).

After three refreshes I found a captcha that seemed legible, which of course I mistyped; however I did succeed on my next attempt.

After clicking Continue I saw the following:

Fail

You can't be serious. I had just spent an anxious minute fiddling with the captcha, only to discover that my credentials were invalid. To make matters worse, I had several reusable passwords that I needed to try, which forced me to repeat the captcha stage with each failed attempt.

This poor design results in a poor user experience. If the designer's goal was to keep bots from performing repeated login attempts, then why not wait until two or three attempts have failed before presenting the user with the dreaded captcha? That way you don't inconvenience the user who fat-fingered their password or needed a try or two to get it right, and a bot still runs into the captcha after its first few guesses. Worse, the captcha is demanded before the credentials have even been checked (the "Fail" screen above only appeared after I had solved it), so a legitimate user pays the captcha tax on every attempt, right or wrong, while a successful login from an unrecognized device gets no stronger check at all. A captcha in that position does NOTHING to improve security for a user who supplies the correct password; at best it slows down scripted password guessing, and it only serves to annoy legitimate users. If the designers want to improve security for logins from unrecognized devices, they should consider two-factor authentication or some other means of verifying that the person who just authenticated is the legitimate account holder. Throwing a captcha at a user with valid credentials does nothing to protect that user's account; the only thing it mitigates is an authorized user scripting actions after logon, which is not what a login check is for.
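The policy argued for above, as an added example that is not LinkedIn's code or the author's: a captcha is only demanded once an account has seen a few failed password checks inside a short window, a correct password from a device the account has never completed a second factor on triggers step-up rather than a captcha, and a hard lockout threshold backs the captcha up. Thresholds, the in-memory stores, the toy captcha (a random hex string the server remembers) and the function names are assumptions chosen for the illustration; a real deployment would keep the counters in a shared store with expiry and use a real captcha and second-factor provider.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Thresholds are assumptions chosen for the example, not LinkedIn's values.
CAPTCHA_AFTER_FAILURES = 3        # the first three bad passwords get no captcha
LOCKOUT_AFTER_FAILURES = 10       # hard stop; a captcha alone is not rate limiting
FAILURE_WINDOW_SECONDS = 15 * 60  # failures older than this are forgotten


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; iteration count is an assumption for the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Outcome:
    status: str                     # see LoginPolicy.attempt() for the values
    captcha: Optional[str] = None   # challenge the client must answer, if any


@dataclass
class LoginPolicy:
    # username -> (salt, pbkdf2 hash); filled by register()
    users: dict = field(default_factory=dict)
    # username -> set of device cookies that have completed a second factor
    trusted_devices: dict = field(default_factory=dict)
    # username -> timestamps of recent failed credential checks
    failures: dict = field(default_factory=dict)
    # username -> captcha answer the server is waiting for (toy captcha)
    pending_captcha: dict = field(default_factory=dict)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hash_password(password, salt))

    def trust_device(self, username: str, device_cookie: str) -> None:
        """Called after a second factor succeeds on this device."""
        self.trusted_devices.setdefault(username, set()).add(device_cookie)

    def _recent_failures(self, username: str, now: float) -> int:
        stamps = [t for t in self.failures.get(username, [])
                  if now - t < FAILURE_WINDOW_SECONDS]
        self.failures[username] = stamps
        return len(stamps)

    def _password_ok(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        if record is None:
            # Unknown user: do the same work so timing does not reveal existence
            hash_password(password, b"\x00" * 16)
            return False
        salt, expected = record
        return hmac.compare_digest(hash_password(password, salt), expected)

    def attempt(self, username: str, password: str, device_cookie: Optional[str] = None,
                captcha_answer: Optional[str] = None, now: Optional[float] = None) -> Outcome:
        """Status is one of: locked, captcha_required, captcha_failed,
        bad_credentials, second_factor_required, ok."""
        now = time.time() if now is None else now
        failures = self._recent_failures(username, now)
        if failures >= LOCKOUT_AFTER_FAILURES:
            return Outcome("locked")

        # The captcha gates only accounts that are already being guessed at;
        # a legitimate user with the right password on attempt one never sees it.
        if failures >= CAPTCHA_AFTER_FAILURES:
            if captcha_answer is None:
                challenge = secrets.token_hex(3)
                self.pending_captcha[username] = challenge
                return Outcome("captcha_required", captcha=challenge)
            expected = self.pending_captcha.pop(username, None)
            if expected is None or not hmac.compare_digest(
                    captcha_answer.encode(), expected.encode()):
                return Outcome("captcha_failed")

        if not self._password_ok(username, password):
            self.failures.setdefault(username, []).append(now)
            return Outcome("bad_credentials")

        # Correct password: reset the counter, then decide whether to step up.
        # An unrecognized device gets a second factor, not a captcha.
        self.failures[username] = []
        if device_cookie not in self.trusted_devices.get(username, set()):
            return Outcome("second_factor_required")
        return Outcome("ok")
```

The counter is keyed by account rather than by client, because a guessing bot can change its IP address far more easily than the account it is attacking; a production version would usually keep a per-client counter as well. Note that the captcha is checked before the password is, so a bot under the threshold cannot use the captcha step as a free oracle, and a failed captcha does not count as a credential failure.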

The current behavior penalizes legit users

As designers, we should never sacrifice usability to appease the security gods. Instead we should look at alternate solutions or designs that accomplish the organization's security goals while providing a great user experience.


