The user experience of security
Back in the 1990s, when you mentioned cybersecurity to anyone, a glazed look would come over their face. And fair enough. Security, as a discipline of IT, was a bit dry and boring.
Then the internet hit, and we all become co-opted into cybercrime in one form or another. Scams are now so ubiquitous that many countries have their own government services attempting to educate citizens. In the U.S., for example, the Federal Trade Commission (FTC) has a Scam Alert site dedicated to bringing the latest scams into the public forum. Another example is Australia, with its own Scamwatch site.
Even so, the “user” (aka people) generally does not want to have to think about security. The internet may be everywhere, but security is still boring. It is not until something actually bad happens that folks sit up and take notice.
However, as a business, we need to have our staff and other associates on watch for cyberthreats. We need to make sure that security moves out of the shadows and into our awareness so we can reduce the chances that our company will be the victim of a cyberattack. This, as with many areas of technology, comes down to making the interaction with security a good User Experience (UX).
Elements of UX in cybersecurity tools
To make an analogy to another area of tech: If you were to design a commercial website in the way that many security tools or processes are designed, you’d lose customers. Cybersecurity tools, even those meant for consumers, can often be complicated to understand and set up. Some use cases give us an insight into how UX can impact security choices.
The case of login credentials (authentication)
It is now accepted wisdom that using a second factor (2FA) such as an authentication code along with a username and password is more secure than not using one. However, consumer usage of 2FA is falling short of optimal. Google, for example, has an uptake rate of 2FA in only around 10% of users.
However, a DUO survey has found that awareness of 2FA is improving and SMS text code is the most popular method. In the U.S., over half of users are using 2FA for some accounts. Securing more sensitive or valuable accounts has the greatest numbers of 2FA users, e.g., for secure bank account access.
One of the issues with 2FA for consumers is that it is an extra step, a hurdle to use. It adds time to an interaction and extra clicks. The trouble is that if something is hard to do, it often won’t be done.
The use of a mobile app, such as Google Authenticator, may have better security than an SMS text message (which could be intercepted) but it has a lower take up. This is because the UX of an app involves extra clicks to open the app, scroll to the code and so on.
One of the better UX moments in using SMS text codes for 2FA is using them on a user journey that is entirely mobile. You click to access an account on a mobile, the SMS code is sent, the interface allows you to click the code, which is auto-populated into the account access field, and hey presto, you are in. The UX is seamless, simple and reduces friction; it’s a great UX, so it is a preferred UX.
When good security goes bad UX
An example of when good security goes bad because of poor UX is in the product Pretty Good Privacy (PGP). PGP provides end-to-end encryption of email communications. It is used in an email client, ProtonMail.
PGP was originally developed as a standalone product, but it never really took off outside of the tech community. Many have wondered why such a good security product never really went mainstream. One of the most popular theories is that the user interface was poorly designed, being a highly technical UI, and that it required an understanding of ‘key management — you had to know how to share, manage and maintain encryption keys.
In other words, the UX of PGP was such that it added hurdles to its use. Only those who were prepared to jump those hurdles used it.
The case of password managers
Password managers are also poorly used. By rights, they should be ubiquitous. They solve the problem of password fatigue and add a layer of security onto accounts that only have single-factor authentication in place (some offering more security than others). However, a Pew Research report found that only around 12% of users use a password manager.
One of the issues with password managers is that they can be difficult for the average user to install and maintain. It is easier to write a password down.
Carnegie Mellon Cylab looked at why password managers were not used. The answers included:
- Reusing passwords made it easier to just remember passwords
- Writing them down/saving in a phone was easier
- Giving up control of their passwords to software was in itself a concern
- As was the idea of a single point of failure
In all of the above examples, the poor UX resulted in poor security practices. UX is crucial to a good user experience of security and to making security work.
The security of processes and UX
One key thing to remember is that UX is not just about using a product. It is also about being part of/using a process.
This is evident in the case of Business Email Compromise (BEC). BEC is a cybercrime dependent on a number of things, including surveillance, grooming of individuals and social engineering.
BEC is committed as a process. It may utilize technology as part of that process, but it is much wider in scope. The UX of BEC as a process is carefully orchestrated by the cybercriminal. As such, the only way to counter these types of cybercrimes is to employ your own well-defined processes that incorporate a user experience that is workable and can be applied easily.
For example, to counter the impact of a BEC attack, you may put in place your own process around double-checking any large money movement. If that process is complicated or has workarounds that mean it can be circumvented, then it will likely fail, and your company will be at a greater risk of BEC.
A great user experience within a process is as important as any UX that impacts a human-computer interface. Removing obstacles from the process is key to making that process viable.
Cybercriminals themselves know this. They refine their scams to ensure that they create a great UX. Cybercrime works because the cybercriminals understand how to remove obstacles from success.
Good UX makes good security in processes
A great user experience is the goal, but UX is not something that happens overnight or without effort. To create a great UX, you need to start with certain design considerations:
- A diverse team: Having a team that includes people from all walks of life can help in designing a great UX. For example, have you thought about disabled users in your product or process?
- Design for your users, not yourself: When you design a security product or process, think about your audience. What are the demographics likely to be? Does the language suit the user? Is the interface accessible?
- Test it in the real world: Test with real users that represent the demographic using your process or product. Do A/B testing to get the best UX you can
- Be prepared to change: Keep testing, keep refining
- Usable and secure: The balance between usability and security is a constant of the industry, but you must find a happy medium. If you add UX hurdles, the security will not be used. You end up with a situation where you may even make security worse — the example where the user chooses to reuse passwords to remember them, rather than a password manager, is a case in point
The UX of security bottomline
We need to make security work to counteract the massive impact that cybercrime has on modern business and individuals. To do so, we must make security accessible and usable. This begins with good design, a design that removes hurdles caused by making people jump through UX hoops.
Whether you are designing your UX as part of a process or to create an accessible and usable security product, you have to think like a user. There is no point in making something so secure that it becomes unusable: all you do is create a barrier to uptake and allow individuals to think of ways around using something. The end result is your product or process is not used and your company cybersecurity threat risk increases.
Great UX equals great security. It is worth going the extra mile to make it happen.
- Scams, Federal Trade Commission Consumer Information
- Scamwatch, Australian Competition & Consumer Commission
- Who’s using 2FA? Sweet FA. Less than 10% of Gmail users enable two-factor authentication, The Register
- The 2019 State of the Auth Report: Has 2FA Hit Mainstream Yet?, Duo
- What is PGP encryption and how does it work?, ProtonMail
- Password management and mobile security, Pew Research Center
- Why people (don’t) use password managers effectively, CyLab