How good UX leads to great security
Most security systems are comprised of two fundamental pillars:
- Identification — claiming you are someone specific. This is analogous to entering an email or username.
- Authentication — proving you are who you say you are. A common example of this is entering a password or scanning your fingerprint.
As a product designer, you want your users to identify and authenticate securely while maximizing their usage and enjoyment of the product. This may seem clear-cut, but more often than not it involves tough compromises.
Security flows are one of the most despised elements of user experience. Think about it. Logging in to a product is not exactly fun.
I think the best way to view security user flows is through a pain-reward lens. Reducing pain and increasing rewards is not a novel concept in UX, but here it takes on a special importance because it can lead to better security for your users. Let’s discuss how.
What not to do
Before we get into best practices, I want to call out an unfortunate security UX pattern used in some products to encourage users to take action: fear.
As the thinking goes, users are at risk if they don’t complete the requisite security procedures, so if the risk is made crystal clear they’ll be more motivated. After all, it’s in their own best interest.
Unfortunately, this line of reasoning is actually counterproductive. It reflects an “ends justify the means” mentality which tends to be quite shortsighted and damaging in the long term.
As an old Jedi master once said, “Fear leads to anger. Anger leads to hate. Hate leads to suffering.”
Fear operates deep within the most primitive parts of the brain, triggering an instinctual fight or flight response. When in this situation, the brain short-circuits rational thinking. It also causes the brain to perceive events as negative and remember them that way.
Putting your users into this state of mind won’t exactly help you to build strong, lasting relationships. It will only lead to frustration, churn, or even worse—human error which can cost users their security.
So avoid using fear as a tactic. There are much better ways to motivate your users.
Usability is king
The simplest and probably most important piece of advice is to make your security flows easy to use. Jared Spool said it best when he summarized a key principle of security: “If it’s not usable, it’s not secure.”
A classic example of a security measure that’s both hard to use and relatively ineffective is the traditional password. You have to type a bunch of letters which is especially annoying on mobile, understand which characters you can and cannot use, how long it needs to be, etc. And then you have to remember it. No one likes passwords.
Passwords have unwanted side effects, too. To avoid the pain, users cut corners and create insecure passwords which pretty much defeats the whole purpose.
Nowadays there are better options. For example, biometrics have improved the UX of security significantly. You’re already identified by the operating system. Scan your finger or face and you’re in.
Another relatively new method for authentication is the magic link. If you can always reset a password by sending yourself an email, why require a password in the first place? Instead, email your users a link. By clicking the link, they’ve just proven they are who they say they are. No need to remember annoying and insecure passwords anymore.
The idea is that by minimizing friction and simplifying processes, you can help users to make better choices for their security.
Users are experts at avoiding things they dislike. Don’t let security fall into that category.
Set up smart perimeters
While authenticated, users can carry out critical actions that change the state of their account such as updating settings and making purchases. When they’re not authenticated, they’re logged out and can’t do anything account-related. That’s pretty straightforward.
Now the question is where and when to initiate authentication.
You don’t necessarily have to require users to authenticate every time they use your product. A great example of how a product optimizes for user experience by delaying authentication is Amazon. It recognizes you from your initial authentication and delivers a customized shopping experience based on your personal history and preferences without requiring you to authenticate every time. You can revisit the site and shop till you drop without ever entering an email and password. Only right before purchase, when the need for security measures is obvious, do they require you to authenticate again. This makes for a low-friction and delightful user experience.
To be clear, there are trade-offs with this approach. Anyone can walk up to your computer and see all of your shopping history, preferences, wish lists, etc. Some users might not be comfortable with this from a privacy perspective.
You’ll have to decide what’s more important for your product — increased privacy, or a more frictionless experience.
Just remember that security doesn’t have to be front-loaded. By setting up smart perimeters deeper inside the user journey, specifically around high value actions, you can reduce friction and improve the overall experience for your users without compromising on their security.
Be realistic
Security in the digital world is sacrosanct. Without it, users are vulnerable to all kinds of cyber threats. But many products take security to the extreme without considering the negative implications.
In “A Tale of Three Doors”, Jeff Axup notes that security design “needs to be driven less by fear of the theoretically possible, and more by streamlining typical usage and creating risk-reduction strategies that don’t do more harm than good.” He then goes on to explain the difference: “Realistic security is when you consider how many codes have been broken in the last several years. Theoretical security is when you consider how many years of brute-force attack with unattainable supercomputers could possibly crack a code.”
I would add that coming up with a realistic threat assessment also depends on the type of product. If you’re building a financial app, you should implement some serious security measures. Money is important to people, and the risk-reward balance is such that users are happy to do a little extra work to keep their money safe. But if you’re building a to do list app, you probably don’t need to burden your users.
The cost of over-indexing on theoretical security can be tricky to asses, especially since once a security system exists, it’s hard to test alternatives. But rest assured that letting paranoia prevail comes with a cost.
Be reasonable. Look around at your industry, your product, your users and your threat models, and remember that statistically speaking, your biggest security vulnerability probably stems from users creating bad passwords rather than from some nation-state actor operating quantum computers to hack your system.
Find the happy maximum
More security doesn’t always lead to more secure users. Many times it just leads to a more secure product that nobody uses.
To achieve the right balance for your product, you’ll need to collaborate with all the relevant stakeholders — security experts, engineers, designers, and others. Security touches on several different areas of expertise and everyone should participate in the discussion.
UX and security is not a zero sum game. You can maximize both, and deliver a product that is highly secure and delightful to use.
