November 13, 2007

Earlier today, while online shopping, I was reminded of how the web experience has not improved usability-wise or security-wise since Netscape Navigator 1.0, circa 1995. I say reminded, because I’ve asserted this for years. I say devolved, because I can mathematically prove it with my patent pending HCI-SEC “Not Yet Peer Reviewed But Surely Correct” Formula (TM), as I do at the end of this litany. (For the record, I was not shopping at Amazon.com where I spent seven years and still shop with gusto.)

Below is my 22-step shopping, bordering on stopping, experience. As Criss Angel says, don’t try this at home, I’m a highly trained professional.

  1. Added two identical items to merchant’s shopping basket
  2. Entered the checkout process, anticipating 45 seconds to my next work task
  3. Discovered that PayPal payment was required
  4. Opened a new window to PayPal. Opened Keychain Access. Entered lengthy, not-so-random Keychain password. Dug out lengthy, random PayPal password
  5. Failed PayPal login, presumably due to a previous cut-and-paste erro [sic]
  6. Went through PayPal “I forgot my password,” creating a new random one, making it longer for good measure. Carefully saved it back into Keychain Access
  7. Discovered I needed my PayPal security token. Found it in the last place I looked. Weird
  8. Discovered I had never completed my now 9-month-old PayPal “expanded use” configuration, so I could purchase with my credit card rather than my checking account. Learned it’s documented on a 9-month-old statement. Realized I almost never use PayPal
  9. Opened a new window to my issuing bank’s site. Dug my lengthy, random password out of Keychain Access. Used the wrong password (I have two accounts) the first time. Got logged in
  10. Located my 9-month old statement, praising the gods of Internet Accessibility that it was still online, unlike unrelated statements I need at a different financial institution. Located my expanded use code next to the $1.95 PayPal charge
  11. Returned to PayPal window. Login timed out
  12. Dug PayPal password out of Keychain Access. Got logged in
  13. Got distracted by an unnamed family member who confuses “do not enter” sign with “please enter and ask me what I want for dinner”
  14. Returned to PayPal window. Login timed out
  15. Returned to Keychain Access. Login timed out there too. Re-entered Keychain password
  16. Dug PayPal password out of Keychain Access. Got logged in. Fought temptation to “upgrade” all passwords to one character
  17. Finished PayPal’s expanded use configuration. Traction!
  18. Returned to window with merchant’s shopping basket. Unintentionally hit “back” button which nullified my shipping and billing information
  19. Re-entered the checkout process. Halfway through realized the quantity said “1” not “2” which required me to re-re-enter the checkout process. Started questioning how badly I need these items
  20. Discovered I needed to re-authenticate to PayPal within the merchant’s checkout process
  21. Dug PayPal password out of Keychain Access
  22. Completed my order!

On a scale of 1 to 10, 1 being X11 and 10 being my patent pending Autonomic Inhalation Ordering System (TM), I’d give this experience a usability score of 2 (because I actually completed the order) and a security score of maybe 5 (because I don’t believe I have a Russian mafia keylogger installed).

According to my aforementioned HCI-SEC Formula, 2 plus 5 equals 7, assuming of course we don’t do the Olympic thing and throw out low and high scores (tempting as that is in this case). That equates to 35% which, unless one of my graduate school professors is grading on their infamous curves, is an F.

Now turn back the clock to 1995. In those days, SSL was shiny new, and “shopping basket” was synonymous with “monolithic three-page form submit.” From both usability and security usability perspectives, given that these defined state of the art, I’d have had to give each something close to a 9. Even my retired professors would call that at least a B.

B. F. QED

By Larry J. Hughes, Jr. • Articles
