If you build security features in a way that users circumvent them for the sake of convenience — you are building them wrong. It’s your fault, not the user’s.

Security is part of the user experience

Online Banking

Second screen in Ing DiBa login flow (Translated from German)
  • It's incompatible with password managers
  • From a user's perspective, this is just a second password. Because they only want to remember one secret, a lot of users pick something like 123456 (which the form does not reject) or similar.

Construction Sites

Construction site in Berlin
  1. Wait at the traffic lights and cross to the sidewalk on the other side
  2. Walk to the next crossing
  3. Wait at the lights at the next crossing and cross back again

Get your mindset right

  1. Understand the situation and use cases
    Not all security-related flows are as ubiquitous as a login form. There are a lot of different flows where misuse needs to be prevented at all cost. It is important to understand the situations users might be in when they try to complete your flow. If you are a bank and design a flow for users to request a new card, consider that this might happen in a stressful situation, e.g. right after a robbery.
  2. Think about the edge cases
    What do users need to provide to complete the flow? Considering the situations above, will they be able to provide it? If not, what could you offer instead?
  3. What is the easiest alternative?
    Think about all the ways a user might misuse what you are building for the sake of convenience. Are there shortcuts? What do they look like? Why does this shortcut exist, and why is it less secure? Can you make the secure path as easy as the shortcut without compromising security? Can you incentivize users not to take it? Simply blocking shortcuts should be your last resort.
  4. Help users understand
    For us, working in the industry, a lot of cause-and-effect relationships are much clearer. The average user often has no awareness of the inner workings and potential attack vectors. Explain why it might be a good idea to set up 2FA. Convince users instead of forcing them.
