Army Knowledge Online (AKO) is the Army’s online portal; authorized users can access information about their service and communicate with others. It really is a great resource for Soldiers, retired personnel, and DA Civilians. There is, however, a problem with it that bothers me.
Those who make the decisions regarding AKO’s security policies are, in my view, PHBs (Pointy-Haired Bosses) who are more concerned about the security of the network than about making it usable. Don’t get me wrong – security is extremely important and I don’t begrudge the attempt to keep the users’ information safe; there is, however, a line between security and usability. AKO has crossed that line.
Some of AKO’s [reasonable] security policies are: forcing users to change their passwords every 150 days, requiring the use of a Common Access Card (CAC) to change the password, and encouraging users to log in with their CACs. For several years, there has been an acceptable balance between the Army’s need to keep AKO secure and the users’ need to be able to access the site easily. Then last year, AKO began implementing what it calls Knowledge-Based Authentication (KBA).
The concept of KBA is familiar to users of online banking: users are asked to provide personal answers to a few questions; these answers are presumably known only to the user. Commercial websites implement this intelligently and let the user answer without difficulty. AKO’s version, however, is difficult to use. It requires users to choose and answer fifteen (out of twenty) pre-selected questions, and it provides possible answers to pick from. Yes, there is also an option to type in your own answer, but then you cannot re-use that answer and it’s case-sensitive (just like a password). These questions may or may not have any bearing on a user’s life, or may legitimately have multiple answers (you can only pick one). Such questions range from asking about favorite activities or sports teams to things someone may no longer remember. And yes, users are expected to answer all fifteen and to remember how they answered. Unless you’ve experienced the disaster which is KBA, you cannot understand how terrible an implementation it truly is.
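As an added illustration (not AKO’s code, which is not public), here is how a KBA verifier could normalize free-text answers before hashing so that case and whitespace differences do not lock users out, while still storing each answer as a salted slow hash and enforcing a k-of-n threshold like AKO’s fifteen-of-twenty. The question keys and answers are constructed sample data.

```python
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ROUNDS = 100_000  # assumed work factor; tune for the deployment


def normalize_answer(answer: str) -> str:
    """Canonicalize a free-text answer so harmless variation (case,
    stray whitespace, Unicode form) is not treated as a wrong answer."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def enroll_answer(answer: str, salt: bytes = None) -> tuple:
    """Store the normalized answer only as a salted PBKDF2 hash, the same
    way a password would be stored; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def check_answer(answer: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash of the normalized candidate and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, digest)


def verify_kba(responses: dict, enrolled: dict, required: int) -> bool:
    """k-of-n check: at least `required` enrolled questions must be answered correctly."""
    correct = sum(
        1
        for question, (salt, digest) in enrolled.items()
        if question in responses and check_answer(responses[question], salt, digest)
    )
    return correct >= required


# Constructed enrollment: three questions, threshold of two.
ENROLLED = {
    "favorite_team": enroll_answer("Red Sox"),
    "childhood_street": enroll_answer("Elm Street"),
    "first_pet": enroll_answer("Rover"),
}

if __name__ == "__main__":
    print(verify_kba({"favorite_team": "  red   SOX ", "first_pet": "rover"}, ENROLLED, 2))
```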
There is a way to avoid having to deal with KBA: always use your CAC to log into AKO (unfortunately, most retirees will not have this option). AKO makes no secret that KBA is a way to force people to use their CACs — the site explicitly states that users can avoid having to use KBA by doing so. If you’re an AKO user who doesn’t use the CAC login option, you may as well start, because the day will come when the password option is removed. The AKO bosses won’t care either – the terrible new layout is proof (a possible future post) that they don’t care about usability at all.
The AKO admins care only for the newest shiny object and not for those who use AKO. Harbor no illusions about that fact.