Security is one of the thorniest of UX problems. Both companies and individuals value the experience of ‘being secure’. However, many attempts to deliver security are annoying hand-waving exercises that don’t increase security. Passwords are the quintessential evil at the heart of this issue.
The security paradox
As humans, we like feeling secure but dislike the hassles and cost that security entails. Security is costly. The varied costs of security are time, loss of opportunity, convenience, barriers to sales, barriers to viral growth, and hard costs in software, hardware and manpower to authenticate access. Every company I’ve worked with spends a LOT on helping users with lost/forgotten passwords. The paradox is how to deliver better experiences that feel secure when everything to do with security slows down and flat out annoys many users?
Some things shouldn’t be secure at all
Security is important, but context is everything. The last decade has seen an increased tendency for companies to lock away what they do behind unfriendly barriers. If you are looking to compare different companies, different systems or software packages, show me that your product is good, don’t just talk about it. Ernest Hemingway’s iceberg theory of writing applies to user experience and web marketing because all three are about good story-telling.
To show value is to be authentic. Talking about value is hearsay.
When a customer is comparing offerings, they want to see that you’re professional, that you check all the required checkboxes, that the pricing is good. Most product people DON’T GET that customers pay for value, not features. Features are just table stakes. We value the experience of getting something done. Value is holistic, not just the result. Only a subset of features add value for most customers. Value is what real users actually get done multiplied by how easy it is to do it. Don’t hide value. Be authentic.
Therefore, engaging users’ belief that your product will work for them is paramount. Product screen shots, short value proposition videos and letting people use the software are authentic ways to engage potential customers. This is a case where security is kind of crummy, but you still see it everywhere. Asking a user to create a username and password and possibly enter a ton of personal information just to see if your product is any good is a pointless barrier. Potential customers just want to bang the tires on each competing product to see which one they’d like using the best. If you require prospective customers to create an account/password before trying your product, you are going to get your ass kicked by competitors who don’t, even if you’re better.
The tyranny of passwords
While requiring passwords to simply see if a product is any good is pointless, it’s sheer lunacy to require strong passwords on every little thing. Doing so DECREASES the security of passwords overall. In the old days, people didn’t use that many different systems and password rules weren’t that complex. Now that every trivial app and site requires yet another user name and password, almost all users end up reusing credentials throughout the internet. It’s human nature to simplify in the face of tediousness. However, every system offers users the hypocritical advice to have long, complex unique passwords for every different system, and change them frequently and not write them down, and not base them on anything related to your life, your kids, your pets or anything you have a hope in hell of remembering.
Increasing password complexity makes it more likely for people to use the same password EVERYWHERE, thereby DECREASING everyone’s security.
If a hacker steals one password from an insecure site, they often can get into tons of other systems for that user. It’s how Mark Zuckerburg got hacked and it is why increasing password length and complexity is making the whole internet less secure.
Password creation should be easy
The worst moment in using any product, service or app is often creating a new password. For 20 years, I have surveyed users and co-workers every time I started a new project. What do you like the most and what do you hate. Discovering you have to create another username and password is like discovering a new tax you have to pay. However, this process can be pretty painless. One great pattern lately is to log in with your ID from Google, LinkedIn or Facebook. However, we still need to allow users to create new credentials.
- Advise users as they type *so they cannot get it wrong*.
- Let them see what they are typing, so maybe they remember it.
- Do not have them repeat typing something they can’t even see. It doesn’t help anything.
- Give them easy, graceful password recovery for when they forget it someday.
Password entry should be easy
Part of the problem with designing UX for security is that the default seems to be hassling the user when it isn’t required. I’d like to call out a common, skanky implementation of password entry fields. If it’s a long, weird password with special characters in it, could everyone agree that maybe, users might want to see want to see what they’re typing in? If you’re in your own home or a private office, what’s the point? Obfuscating password characters with **** isn’t wrong, but failing to have a checkbox or eye icon that allows me to see what I’m typing is begging users to screw it up and get frustrated. Especially seniors, or kids or busy people of any kind. Good UX is easy for users to get right. We all make unintentional mistakes in parts of UI. However, when companies *protect* you by requiring long, complex passwords and don’t letting you see what you type, they are making things *willfully unusable*.
Bad UX is forgivable. Intentionally overcomplicating things isn’t. Make sure the payoff is worth the complexity.
Some things really do need to be secure
Those things which actually need to be secure are a different kettle of fish. Even so, passwords suck as a means to authenticate that you are the human being you claim to be. I have worked for lots of big and small companies including Microsoft and Time Warner, but the highest security I have experienced was working for Atomic Energy. I worked at a government facility that did research into safer energy production, food storage, space safety and particle physics. It was a place that did serious stuff, like ensuring that space shuttles didn’t blow up and handling plutonium. It was so secure that we had lead-lined walls so that enemies couldn’t steal secrets electromagnetically. Even though there was a high level of security, passwords were not part of the equation. If you need to get 2,500 workers in and out of secure zones every day, you don’t have time to screw around with something so fraught with error and inherently insecure as passwords.
Anyone who’s ever read about Ali Baba and the Forty Thieves in the Arabian Nights should realize that passwords are unreliable and insecure, even if they are not “Open Sesame”.
Pointless hand-waving serves nobody
There are still use cases for passwords, but security should do more than make users FEEL secure, it should track with actually BEING secure. Annoyingly long password rules don’t make a system secure. If financial information or social security numbers are being stored, two-factor security makes sense. However, sometimes security is more about optics than delivering genuine security. For example, air travel is incredibly safe but miserable and tedious due to airport security. Contrary to public perception, the chance of death in air travel are not only minuscule (2.8 per million departures), but has steadily dropped for decades. Walking is 1000 times more dangerous than air travel. Getting to the airport hours earlier, pulling out gels and electronics, taking off jewelry, shoes, belts, submitting to body scans, all for what? The statistics suggest that airport security costs a lot of money, makes air travel miserable and does no measurable good. Think about this when implementing security and authentication for your site.
Civilized security is personal and scalable
I’m a user experience expert, not a security expert, but I do know that high security is costly in time, material and effort. I’m hopeful about some emergent tech. Microsoft’s advanced machine viewing allows you to log in with your face, combining stereoscopic infrared cameras, iris scanning and other biometrics to authenticate people, even telling the difference between identical twins in the dark. This sort of tech can be combined with other biometrics, depending on the level of security required. Likewise, Google is testing an inference authentication system that uses a dozen different behavioral clues about the way you type, press, swipe and use devices to authenticate people. The writing is on the wall. Passwords are being deprecated.
These sort of developments point to a near future where security isn’t based around the russian roulette we call passwords. The best thing about Microsoft and Google’s plans is that they both take into account the idea of scaling security. Some things should be redesigned with little or no authentication, like a trial account for software. Low risk apps and sites, like a low value Starbucks account, should require a low level of authentication, NOT 10 characters including upper and lower case and a number or special character. Only important systems will have high level security.
Authentic authentication is based on YOU
The password is an impersonal thing that can be hacked, stolen, bought, sold. It’s not YOU. When we can genuinely authenticate human beings quickly and accurately by multifactor biometrics, the world will be safer and open to more agile experiences. This is exciting from a UX point of view. Imagine accessing your stuff anywhere by simply BEING YOU. In the meantime, system and app designers need to consider being more tactical in locking down important information while opening up access to low risk information like product comparisons and low risk transactions. We gain overall security and better experience by reserving serious security for where it really counts.