Designing a password/authentication system usable for young children in a classroom
We are all familiar with the best password practices for websites which will be used by adults, such as storing passwords in one-way hashes, using password resets instead of emailing password, etc. But has there been any usability study regarding authentication systems in a classroom setting with young children? I wasn't able to find one with a quick search, but maybe I just don't know where to look.
The following are some considerations that need to be taken into account:
- It is commonly known that children forgot their password, especially younger ones. Is there any evidence that children forget their password more often than adults? How often do children forget their password?
- Usability is just as important as security. If a classroom is delayed because of password issues, then the system has failed. However, we do not want to be teaching children bad password practices either.
- We want to avoid burdening both teachers and students with a vicious cycle of children who keep forgetting their password because the teacher had to keep resetting it every week. This makes it tempting to save the password in plain-text/reversible encryption so teachers can just tell students their previous password instead of changing it, but is this really worth it?
- The site is used in a school setting, so when in a classroom, there will always be a teacher available to reset students' passwords as necessary. However, sometimes the student may need to access the site from their home computer.
- Not all children own an email address. While most public schools in our state provide students with school addresses, many private schools don't. Therefore, an over-the-shoulder password reset is necessary. For the same reason, SSO isn't always available.
- Presumably pranking another student's work will happen if everyone knows everyone else's password.
- Presumably there will be some teacher that will think about setting everyone's password to the same value.
- Presumably children wouldn't yet be reusing passwords with their banking account (because most wouldn't have a bank account yet); but fifteen years from now, some of them may keep using the same password since they don't want to learn a new password (I personally know some people that do this).
- Should the password input be masked? Many children may still be learning to type, so a masked password may present a usability problem. Is this a real concern?
- Presumably best practice varies depending on the age of the children. My concern at the moment would be for primary school aged children.
- Should the system or teachers assign students their password or should students pick their own password? Should the teacher know the students' passwords? Would it not be sufficient that teachers can reset the students' passwords?
Has there been any study done in this area?