DoD myPay website: Security vs. Usability
Posted by jasonwong in bad design, clutter on July 12th, 2009
myPay (https://mypay.dfas.mil/mypay.aspx) is a service of the Defense Finance and Accounting Service. This service is relevant to civilians because they can log in and view their pay stubs. Security is important, and the Account Access section is built for security. From the website:
To better protect your myPay PIN, DFAS has installed a VIRTUAL KEYBOARD for you to enter your myPay PIN. This keyboard reduces threats from malicious software (e.g. spyware, keyloggers, etc.). The virtual keyboard displays the keys in random order and requires you to click on the appropriate key with your mouse. To learn more about this feature, see our Security FAQs.
And here is what the Account Access component looks like:

So, since this blog focuses on human factors, let’s look at the usability of this system. First off, the virtual keyboard for the PIN is a giant pain in the butt. Having to visually search through a row of ten numbers placed randomly and then having to click on them is time consuming and effortful.
There are several issues that stem from this. Your PIN, or Personal Identification Number, apparently can contain letters. This is evident from the letter keys in the virtual keyboard (which, of course, makes the visual search and clicking even more difficult than before). If the website is designed for security, the PIN should be renamed PASSWORD, which people understand can contain more than just a series of numbers. PIN implies 4 digits, sometimes more. So even if the virtual keyboard is designed to protect your PIN, the fact that most people will choose a short string of digits for anything called a PIN is itself a weakness.
Secondly, the virtual keyboard that requires you to click on the buttons is designed to guard against keyloggers, which are programs designed to capture your keystrokes and send them somewhere so that your passwords, credit card numbers, etc. can be stolen. However, if the site is so concerned about keyloggers, why is the virtual keyboard ONLY active for the PIN? You do not even have the option of using the virtual keyboard for your LoginID – you must use the regular keyboard and expose yourself to any keylogging software on your computer.
Even worse is the fact that your LoginID starts off as your social security number – the whole nine-digit number that citizens are supposed to keep incredibly private. You can change it to a regular username, but to one of no more than eight letters. So this highly secure website either exposes your social security number to keyloggers or restricts you to an eight-character LoginID.
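To put the point about numeric PINs and short LoginIDs in numbers, here is a small comparison added by the editor (it is not code from the post or from DFAS) of how many distinct credentials each form described above allows, and how many bits of entropy that is when the credential is chosen at random. The policies are constructed from the post's description; the 6-digit PIN and the 8-character alphanumeric PIN are assumed lengths, since the post does not state myPay's actual PIN length rules.

```python
import math
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class CredentialPolicy:
    """A credential of fixed length drawn from an alphabet of a given size."""
    name: str
    alphabet_size: int
    length: int

    def keyspace(self) -> int:
        """Number of distinct credentials the policy admits."""
        return self.alphabet_size ** self.length

    def entropy_bits(self) -> float:
        """Bits of entropy if the credential is chosen uniformly at random."""
        return self.length * math.log2(self.alphabet_size)


DIGITS, LETTERS, ALNUM = 10, 26, 36

# Constructed policies modelled on the credential forms the post describes.
# The 6-digit and 8-character PIN lengths are assumptions, not myPay's rules.
POLICIES = [
    CredentialPolicy("4-digit numeric PIN", DIGITS, 4),
    CredentialPolicy("6-digit numeric PIN (assumed length)", DIGITS, 6),
    CredentialPolicy("8-character alphanumeric PIN (assumed length)", ALNUM, 8),
    CredentialPolicy("9-digit SSN as LoginID", DIGITS, 9),
    CredentialPolicy("8-letter LoginID", LETTERS, 8),
]


def rank_policies(policies: Iterable[CredentialPolicy]) -> List[Tuple[str, int, float]]:
    """Return (name, keyspace, bits) for each policy, weakest first."""
    rows = [(p.name, p.keyspace(), p.entropy_bits()) for p in policies]
    return sorted(rows, key=lambda r: r[2])


def digits_needed_to_match(target: CredentialPolicy) -> int:
    """How many digits an all-numeric PIN needs to reach `target`'s keyspace.

    A user who treats the field as a PIN and types only digits gives up
    most of the strength an alphanumeric field allows and can only make
    it up with length.
    """
    return math.ceil(target.entropy_bits() / math.log2(DIGITS))


def report(policies: Iterable[CredentialPolicy] = POLICIES) -> str:
    """Render the ranking as a plain-text table."""
    lines = [f"{'policy':48} {'keyspace':>18} {'bits':>6}"]
    for name, space, bits in rank_policies(policies):
        lines.append(f"{name:48} {space:>18,d} {bits:>6.1f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
    alnum = CredentialPolicy("8-character alphanumeric PIN", ALNUM, 8)
    print(f"\nAn all-digit PIN needs {digits_needed_to_match(alnum)} digits "
          f"to match an 8-character alphanumeric one.")
```

The entropy figures are an upper bound: they assume every credential in the keyspace is equally likely, and human-chosen PINs and usernames are far from uniform. The comparison still shows the gap the post is pointing at: a field labelled PIN that most users fill with four digits offers about 13 bits, while the same field filled with eight letters and digits offers about 41, and an all-numeric PIN would need 13 digits to match that.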
So here is my big issue with this. Security measures are oftentimes a human factors nightmare (for example, those scrambled letter CAPTCHAs you have to decipher before signing up for a website). However, they must be fully implemented for maximum security – no compromises. And this site is nothing but compromises. A virtual keyboard that only works for the PIN and not the username, a password that encourages using a short string of only numbers, and a LoginID that is either one of your most important personal identifiers or else a too-short character string that must be typed on the keyboard.

This site fails at Human Factors because it tries to be convenient while still being secure, and in the end, it fails at both. This is not to say security and usability are mutually exclusive, but the designers of the myPay site have managed to make them so.