Today’s Internet users are more concerned about the security of their personal data than ever, with good reason. 2018 saw seemingly endless reports of data disasters from some of the world’s largest websites, with Facebook, Google Plus, Quora and MyFitnessPal all suffering mega-breaches. 2019 hasn’t been going much better, either, with announcements so far including calamitous security problems and leaks from Fortnite, Hotmail and Bodybuilding.com.
Privacy, data security and GDPR are among the largest issues of our modern age, and consumers are asking more questions than ever about what is being done to keep their information safe – yet good security practices can often seem to be somewhat at odds with the principles of good user experience (UX) design.
Whereas cybersecurity is often about adding extra steps to a process to guarantee additional layers of protection, UX designers are perennially on the lookout for ways to make things simpler – hoping to shorten user journeys and transactions and remove as many points of inconvenience and friction as possible.
Is there a way for designers to reconcile these two seemingly contradictory goals and offer systems that are both intuitively simple to use and also robustly secure? Let’s look at some ideas…
Good security is good UX
As with many problems, a good first step might be an adjustment of perspective. We don’t have to consider UX and security as two discrete concepts that pull only in opposite directions; there is, in fact, a fair amount of overlap between the two ideals.
Simply put, using a secure system that looks after your data can be a good experience in and of itself. It’s certainly the case that having your details leaked for hackers to find and exploit is a bad user experience!
Part of the problem encountered by many attempts to improve online security is that the major weakness in many cases is (to use an old programmer joke) a “meat component error.” That is, oftentimes it is the user’s own behaviour that creates the issue – but just as frequently it is the software itself that inadvertently prompts them to do this.
Phrased another way, many hardy security systems offer relatively poor user experiences – and the user’s natural avoidance of these boring or time-consuming processes contributes to an end result of quite bad security.
For example, many websites insist that the user must create a password in line with various arcane rules (“passwords must be unique, 8 characters long or more, contain at least one uppercase character, one number and a symbol”).
This forces the user to create a strong original password, but also asks them to remember yet another convoluted and unnatural string of characters which is also deeply tedious to enter on many mobile screen keyboards – and so what actually happens is that they write the password down on paper (which is not terribly safe), or reuse a multi-purpose password they’ve used before (horrible).
Making security work for users
It’s simply human nature to avoid things that are seen to be time-consuming or inconvenient to set up. Fewer than 1 in 10 people bother to use two-factor authentication on their Google account, for example, despite its clear effectiveness for safeguarding data.
Partly, we might attribute this to the relatively unintuitive threat of online identity theft – we all know that if we step out into the road without checking for approaching cars there is a clear and tangible risk to our personal safety, but the perils of poor data security often aren’t understood at the same gut level. Getting users to take their privacy and their passwords seriously, then, may be more of a matter for interaction design than for technology alone.
If UX principles can be used to make safety procedures easier, quicker, more intuitive, more interesting or fun, uptake may increase significantly. Security features that nobody bothers to use are essentially pointless – and so UX and security technology need each other in order for user data to be properly safeguarded.
Minimise data to minimise problems
In some cases, the goals of data security and UX do actually align. For example, a form with multiple unnecessary fields for the user to complete is both a poor user experience (as it takes longer to complete and increases the likelihood of them bailing before submission) and poor security (as it collects unnecessary information from the visitor, and increases the potential severity of any possible future data breach).
Collecting the minimum data possible is a pretty good universal rule of thumb, and there is also something to be said for not treating all users equally and only collecting some elements of data as and when they become needed for that particular individual.
For example, it used to be the case that Android apps would all ask for a laundry list of permissions up front on installation (and many still do) – “Do you want to install this application? It will have access to: your camera, your accounts, storage, personal information, GPS…” and so on.
Many apps today, though, ask for the bare minimum of permissions needed to provide their core functionality, and later ask for additional permissions as needed to perform certain tasks (for example, Instagram now only asks for permission to film video if you should happen to open the appropriate tool in the app).
This allows for both good UX (as the user isn’t spooked by an unnecessarily long list of permissions on installation, and isn’t forced to grant access to an app for features they don’t actually intend to use) and good security (as the user is afforded more control over precisely which permissions they wish to allow, and can revoke consent for certain features without breaking the entire app).
In short, don’t ask users to volunteer their phone number, home address, birth date and shoe size up front if all they want to do is create an account to read blog posts. If you don’t need the data, don’t ask for it – and you can always collect more later if it should become necessary for the user to perform a different action (such as making a purchase).
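The collect-as-needed approach described above, sketched as an added example (not code from the original article): a per-action allow-list that keeps only the fields an action needs and reports which ones still have to be asked for. The action names, field names and sample values are assumptions made for illustration.

```javascript
// Hypothetical allow-list: the only fields each action is permitted to collect.
const FIELDS_BY_ACTION = {
  create_account: ["email", "password"],
  purchase: ["email", "shipping_address", "phone"],
};

// Split a submission into what the action needs and what must be discarded.
// `profile` is the data the site already holds for this user.
function minimise(action, submitted, profile = {}) {
  const allowed = FIELDS_BY_ACTION[action];
  if (!allowed) throw new Error(`unknown action: ${action}`);

  const keep = {};     // needed for this action (caller hashes any password)
  const dropped = [];  // not needed for this action: never persisted
  for (const [field, value] of Object.entries(submitted)) {
    if (!allowed.includes(field)) {
      dropped.push(field);
    } else if (value !== null && value !== undefined && String(value).trim() !== "") {
      keep[field] = value;
    }
  }
  // Fields to ask for now: required, not just supplied, not already on file.
  const stillNeeded = allowed.filter((f) => !(f in keep) && !(f in profile));
  return { keep, dropped, stillNeeded };
}

// UX side: render only the inputs this user has not already provided.
function formFieldsFor(action, profile = {}) {
  return minimise(action, {}, profile).stillNeeded;
}

// Constructed sample: a sign-up form that over-asks.
const signup = {
  email: "reader@example.com",
  password: "correct horse battery",
  phone: "555-0100",
  birth_date: "1990-01-01",
  shoe_size: "9",
};
const atSignup = minimise("create_account", signup);
// Later the same user makes a purchase; only the new fields are requested.
const checkoutFields = formFieldsFor("purchase", atSignup.keep);

console.log(atSignup.dropped, checkoutFields);
```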
Speaking the right language
Communicating well with the user can be a major component of a good UX and security solution. As mentioned earlier, one of the challenges of cybersecurity is simply that of getting users to take their own privacy seriously, giving them motivation – and properly setting their expectations.
Many users assume that the onus is entirely on service providers to keep their data safe, no matter what – and while this is a major responsibility for any website, it’s also not entirely the service provider’s fault if the user has lazily deployed the same weak password they’ve used for a decade and didn’t enable two-factor authentication.
Part of the solution is education – cybersecurity is a subject poorly understood by much of the general population, and many users don’t understand their role and responsibilities. By the same token, we believe there is also work to be done by web and UX designers to make some security concepts more intuitive.
Why on earth do we call it “two-factor authentication”, anyway? It’s one of those IT phrases that almost seems designed to obfuscate its own meaning with technical-sounding language. Why not call it a “two-step login”? If more users understood what was actually going on and what was being asked of them – and why it could be important – we might see greater adoption across the board.
At the end of the day, all the security technology in the world won’t make much difference to the overall safety of the web without good UX to go with it. In a way, it doesn’t matter how good the systems are – if they are unintuitive, boring, or time-consuming, users will simply try to dodge them wherever possible.
The best-case scenario is the marriage and interplay of the two disciplines – using UX design ideas to create frictionless interfaces underpinned by sturdy and easy-to-understand security principles. The ultimate security, after all, is that which people actually use; and while we may have a way to go yet, we think the web has a bright future of elegant and safe site design not too far over the horizon.