My mother is 67 years old. She is a brilliant woman, educated and not at all afraid of technology. Yet, when I tried to get her to install Google Authenticator and use multi-factor authentication (MFA) for logging into applications, she found herself struggling. From scanning the QR code to inputting the initial code and then adding new applications, it was just too much to think about. She said, “Aviad, I would much rather just give them my mobile number and they send me the code. What’s wrong with that?”
As a long-time security researcher and developer, I know exactly what is wrong with SMS as a second factor. I explained to her that, at a cybersecurity software company where I previously worked, we hacked cell phones and hijacked SMS codes all the time. I still remember staring at her and saying, “This is just not safe, Mom!”
But, I realized, maybe it’s safer than trying to get her to use something that is borderline unusable. Of course, this is the same conversation we have with users all the time about password security. Many applications mandate numbers, symbols, upper- and lower-case letters, and constant rotation, which forces users to create passwords they are unlikely to remember; current NIST guidance (SP 800-63B) advises against exactly these composition and rotation rules for that reason. If the government (to name one example) forced us all to change our names every month, we would struggle to remember that, too.
As a result, even today, users write passwords on pieces of paper and carry them around or tape them beside their desk. Even password managers, which are supposed to make life easier, often complicate matters with poor user experiences of their own.
Engineers and technologists commonly blame insecure user behavior on ignorance, laziness, and other human failings. The reality is that the user experience (UX) of security is awful and not getting better. Even with the biometric systems on consumer devices, such as Apple’s, you enroll your face on your phone and your fingerprint on your computer, and then repeat the whole process on every new device. There is a reason (each device keeps its own biometric templates in its secure enclave and never syncs them), but from the user’s seat it looks like repetition for no purpose.
We think the user experience of security should be treated as just as important, and made just as easy, as any other part of a product. Here is how to implement security that suits anyone in your life, including your older mom.
Map and understand the interruptions you create
Because security has been prioritized over UX for so long, it was very often added without properly accounting for the impact of security measures on UX. You can’t fix what you can’t measure, see and experience.
As a baseline for building better security UX, run UX studies with representative personas, measuring the impact of each security measure, verification step and interruption on the workflows it touches. Once you have a full picture of the collective impact on your users, you can start to strategize on how to minimize it without weakening your overall security.
Design authentication and basic security with the least technical users in mind
Set the bar low in terms of required technical acumen. Enable the least techie portion of your audience to access base-level security without forcing them outside their comfort zone.
If you are developing a banking application, MFA with an authenticator app or a smartcard token is more secure, but if you have a 70-year-old customer who is used to SMS (like my mother) and would be confused by these other methods, let them stick to what is simple, because some security is better than no security or a user who will not use your application. The caveat? Build background systems that keep checking on the users who authenticated with the weaker method. By monitoring device, location and behavioral signals, and stepping up to a stronger check only when something looks off, you keep the login simple while maintaining a higher level of security than the SMS code alone provides.
Design for as many security options as possible
There should be different security strokes for different folks. Some people like using Google Authenticator to get the second authentication factor. Others prefer FaceID or another biometric, or a magic link sent to a verified email address. Some banks have put in place easy-to-use voice-based authentication, although with synthetic speech now cheap to produce, that option deserves a second factor or close monitoring behind it.
Giving people choices is what makes them happy and increases the likelihood that they are comfortable with using one or more of the methods. This will lead to a better app experience, more usage, and faster business growth.
Remove or minimize anything that might confuse customers
Any security feature that redirects the user, opens a new page, or otherwise moves them away from what they were doing should probably be removed. Ideally, security should be self-contained, which makes it easier to follow and less confusing to users. Password resets that open in a new page are a pet peeve of mine: the user now has two tabs open to your application, might close the wrong one by mistake, or might try to log in on the original page. Yes, in theory it should work, but there are so many ways this can go wrong. CAPTCHA often does a better job of discouraging users than of fighting off bots.
Another painful security measure is handing users long account recovery keys and telling them to save or print them. Typing these long strings is a challenge for many users, especially on mobile devices, and asking anyone to remember long, complicated keys or to stash them elsewhere invites real trouble — even for mission-critical infrastructure. Where recovery codes remain the last-resort fallback, at least make them copyable, and accept them case-insensitively with any spacing or hyphens stripped. Email magic links are better than emailed password resets, as is Google’s One Tap sign-in.
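As an added illustration of the magic-link approach recommended above (example code, not from the original post or from any vendor it mentions), the following Python sketch shows the token lifecycle a practitioner would want: a token with enough entropy, stored only as a hash, bound to a short expiry, and burned on first use. The in-memory store, the landing URL and the 15-minute TTL are assumptions made for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

# Assumed parameters for this example; tune the TTL to your own threat model.
MAGIC_LINK_TTL_SECONDS = 15 * 60              # the link is only useful for a few minutes
LOGIN_URL = "https://example.invalid/login"   # hypothetical landing page


@dataclass
class PendingLogin:
    email: str
    expires_at: float   # Unix time after which the link is dead
    used: bool = False  # set on first successful redemption


# Hypothetical in-memory store keyed by SHA-256(token); a real service keeps the
# same three fields in its database. Only the hash is ever stored, so a leaked
# table cannot be turned into working links.
_pending: Dict[str, PendingLogin] = {}


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_magic_link(email: str, now: float) -> str:
    """Create a single-use login link for `email` and return the URL to e-mail out."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; unguessable
    _pending[_token_hash(token)] = PendingLogin(
        email=email, expires_at=now + MAGIC_LINK_TTL_SECONDS
    )
    return f"{LOGIN_URL}?token={token}"


def token_from_url(url: str) -> str:
    """Pull the token back out of a link, as the landing page would from its query string."""
    return parse_qs(urlparse(url).query).get("token", [""])[0]


def redeem_magic_link(token: str, now: float) -> Optional[str]:
    """Return the e-mail this link authenticates, or None if it is unknown, expired or spent.

    The three failure cases deliberately look identical to the caller: someone
    probing tokens learns nothing about which ones ever existed.
    """
    entry = _pending.get(_token_hash(token))
    if entry is None or entry.used or now > entry.expires_at:
        return None
    entry.used = True  # burn the token before releasing the identity
    return entry.email


if __name__ == "__main__":
    import time

    link = issue_magic_link("mom@example.invalid", now=time.time())
    print("send this by e-mail:", link)
    print("first click  ->", redeem_magic_link(token_from_url(link), now=time.time()))
    print("second click ->", redeem_magic_link(token_from_url(link), now=time.time()))
```

Two details matter in practice beyond what the code shows. Complete the login from a button on the landing page (a POST) rather than on the GET that fetches the URL, because mail clients and security gateways prefetch links and would otherwise consume the single-use token before the user ever clicks. And keep the raw token out of server logs: it lives only in the e-mail and the user’s browser, and the server sees it exactly once.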
Move security from the visible to the invisible
Attackers study any visible security measure and shape their attack around it. A far better way to build up security over time is to put in place measures that are invisible to users and do not touch their workflows. The only time you should bring in additional security measures after login and authentication is when there is anomalous behavior, or when the user is asking to execute a high-value action.
Asking users to input a code that is emailed to them or sent to their phone before allowing a purchase over a certain amount, for example, is a thoughtful way to verify with minimal interruption. To be clear: any interruption affects users, but sometimes an interruption is the right balance between usability (“user-friendliness”) and the need for stronger authentication.
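Two passages above describe one mechanism: keeping the login simple for users on a weaker factor while watching them more closely in the background, and interrupting a session only on anomalous behavior or a high-value action. That mechanism is risk-based step-up authentication, and the Python sketch below is an added example of it, not code from the original post or from any product it mentions. The signals, weights and thresholds are assumptions chosen to make the behavior legible.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Hypothetical weights and thresholds for this example; a real deployment tunes them
# from its own telemetry and revisits them as the fraud picture changes.
WEAK_FACTORS = frozenset({"sms", "email_code"})  # interceptable or phishable second factors
HIGH_VALUE_LIMIT = 1000.0    # amount above which a transaction always gets a fresh check
STEP_UP_AT = 3               # risk score at which the user is interrupted
DENY_AT = 7                  # risk score at which the request is refused and an alert raised


@dataclass(frozen=True)
class RequestContext:
    auth_strength: str               # how the session was authenticated: "sms", "totp", "passkey"
    device_known: bool               # this device has completed a login for the account before
    country: str                     # geolocation of the current request
    usual_countries: FrozenSet[str]  # countries seen in the account's recent history
    failed_attempts_last_hour: int   # recent authentication failures against the account
    action_value: float = 0.0        # monetary value of the requested action; 0 for a plain login


def risk_score(ctx: RequestContext) -> Tuple[int, List[str]]:
    """Additive risk score, plus the reasons behind it for the audit log."""
    score = 0
    reasons: List[str] = []
    if ctx.auth_strength in WEAK_FACTORS:
        # A weak factor never interrupts on its own; it lowers the bar for every other
        # signal, which is how the SMS user gets more watching without a harder login.
        score += 1
        reasons.append(f"weak factor: {ctx.auth_strength}")
    if not ctx.device_known:
        score += 2
        reasons.append("unknown device")
    if ctx.country not in ctx.usual_countries:
        score += 2
        reasons.append(f"unusual country: {ctx.country}")
    if ctx.failed_attempts_last_hour >= 5:
        score += 3
        reasons.append(f"{ctx.failed_attempts_last_hour} failed attempts in the last hour")
    return score, reasons


def decide(ctx: RequestContext) -> Tuple[str, List[str]]:
    """Return 'allow', 'step_up' or 'deny' together with the reasons."""
    score, reasons = risk_score(ctx)
    if score >= DENY_AT:
        return "deny", reasons
    if ctx.action_value >= HIGH_VALUE_LIMIT:
        # High-value actions always get a fresh verification, however clean the session looks.
        reasons.append(f"high-value action: {ctx.action_value:.2f}")
        return "step_up", reasons
    if score >= STEP_UP_AT:
        return "step_up", reasons
    return "allow", reasons


if __name__ == "__main__":
    home = frozenset({"IL"})  # constructed sample history for the demo account
    scenarios = {
        "mom, SMS, her usual phone": RequestContext("sms", True, "IL", home, 0),
        "mom, SMS, a new device": RequestContext("sms", False, "IL", home, 0),
        "passkey user, a new device": RequestContext("passkey", False, "IL", home, 0),
        "mom, SMS, large transfer": RequestContext("sms", True, "IL", home, 0, action_value=5000.0),
        "takeover attempt after brute force": RequestContext("sms", False, "RO", home, 6),
    }
    for label, ctx in scenarios.items():
        decision, why = decide(ctx)
        print(f"{label:36} -> {decision:8} {why}")
```

The part worth copying is the shape rather than the numbers. The weak factor adds to the score but never triggers an interruption by itself, so the SMS user logs in from her usual phone without friction, while the same unknown-device signal that a passkey user sails through does interrupt her. Every decision carries its reasons, so the operations team can see why a customer was challenged or refused, and the thresholds are meant to be tuned against real telemetry rather than set once.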
Better security UX = better security
The best security is one that is easy to use. Security that is too hard to use generates insecure behaviors that create far more risk. For some reason, most of the information security industry has forgotten this basic truth.
Passkeys and the other passwordless technologies now coming into wide use are a great step in the right direction. Anyone who has gotten used to Apple’s near-magical FaceID and fingerprint scanners, which work practically flawlessly, struggles to accept less elegant solutions.
The imperative for security simplicity has never been greater. We are juggling more and more apps, passwords, tokens, accounts, and everything else. Time to go back to UX basics to boost our security. This will not only make users happier, but also boost our bottom lines.