I laughed out loud when a friend of mine sent me this link on a study by Harvard and MIT on the effectiveness of SiteKey. I really want to yell from the rooftops, “I told you so.” I’ve looked into that technology a dozen times, in a dozen different incarnations, and each time I just shake my head. It’s just not effective: a) people don’t understand how it works, and b) if the image doesn’t show up on the page, users don’t get that they are on a malicious website - at best they think SiteKey is just broken.
This we can file in the “users cannot be trained” category. You cannot expect users to know what a good site is versus a bad site. It doesn’t work (at least for 9 out of 10 people). I would have guessed slightly more people would have figured it out, but even if it were 7 out of 10 people, that’s barely worth wasting your time and money on - not to mention the bad press that comes from rolling out flawed security measures. No, it’s not up to the consumers to protect themselves. That’s OUR job. We need to take it out of the user’s hands and bring security to bear to protect them because, as we can see, users cannot be trained to protect themselves.