Well, it took them a while but Bank of America is finally saying 'bye-bye' to a particularly ineffective form of online security called 'SiteKey'. Probably better known as a 'security image', the idea was to assign you an image which you were then expected to remember every time you logged in. Yeah, good luck with that.
There actually was research on this. Not surprisingly, researchers found that "users will enter their passwords even if their site-authentication images are absent." Brad Stone summarizing the results in the New York Times put it this way, "Of 60 participants who got that far into the study and whose results could be verified, 58 entered passwords anyway. Only two chose not to log on, citing security concerns."
Of course that was 2007 or more than eight years ago. The NYT article concludes with a comment from one of the original researchers, "sometimes the appearance of security is more important than security itself.”
I'd only add that all too often, the mere mention of 'security' is expected to triumph over everything including common sense. The truth of course is that everything deserves a healthy measure of skepticism.
