Balancing User Experience and Security : It’s Not as Difficult as You Think

Source : Gaspart on Dribbble

With constant innovations happening in the fin-tech, health-tech domains, data security is as important as a seamless user experience. Security and user experience (UX) are two important aspects of good product design that are too often considered separately, usually with the result that the effectiveness of one comes at the expense of the other.

Balancing user experience and security

I’ve had a lot of friends ask me, “Why can’t it simply say whether the email id is incorrect or the password, duh?”

It’s true that an ambiguous error message can be inconvenient for users, but it also helps to protect users. If the error message was as straightforward as “this username does not exist” or “incorrect password”, the attacker could compile a list of valid usernames and easily use it to break in via a brute force attack.

Can user experience and security live in harmony?

Yes, they can.

An optimal interface is simple to operate and secure against data theft attempts. Designing such a product is mostly considered as an exchange between usability and security. The idea is that by minimising friction and simplifying processes, we can help users to make better choices for their security.

Designers can design for security by using the same approach they do with everything else: start with the user.

Secure by design

Secure by design, in software engineering, means that software products and capabilities have been designed to be fundamentally secure. Using this approach, security is built into each stage of product development starting with a robust architecture design.

Currently, security and UX teams operate in silos. Product teams need to understand that while security is of utmost importance, user experience cannot be neglected. Security experts and designers should collaborate from the planning stage to ensure that security is ingrained in every aspect of the creative process as well. When UX teams work with security experts, the two can create a product that is secure and usable.

What can we, as UX designers do to create a secure & usable product?

Consider attackers as valid user personas

As UX designers, we create user personas and acknowledge the different types of users. We appreciate that each user is different — including their skills, behaviours and user journeys.

However, more often than not, we don’t consider attackers as potential users.

To incorporate security in the roots of UX, we must understand the attackers’ purpose, goals and motivations.

Attacker’s persona

Analyse the risk involved & ensure adherence

Threat modelling is an inherent aspect of designing security models for applications. Threat modelling works by identifying the types of threat agents that cause harm to an application or computer system.

As UX designers, gaining an understanding of the different risks and their impacts and incorporating them into our product’s mental models helps us design features that are usable and secure.

A common goal of security professionals and UX designers is to protect the user. This leads us to ‘Opinionated Design’.

Consider the following example :

Some websites are missing SSL certificates could mean that attackers can steal the users’ information, it could also be the case that the certificate is self-signed (not a recommended security practice). In such cases, UX designers should provide fallback options for the users to continue to the site if they want to while making it clear that it is unsafe to proceed.

Let’s see how Chrome does it -

The language used to explain the problem is fairly complicated. Also, there is no visual difference between the ‘Proceed anyway’ and ‘Back to safety’ buttons. This doesn’t exactly tell the user which is the recommended action.

The explanation is short and simple. Also, the option to proceed in hidden under ‘Advanced’ preceded by a detailed explanation of the issue. This tells the user that the system strongly recommends against proceeding.

Use only necessary data

As a general rule of thumb — it is recommended to only as much PII / PHI data as required since it exposes the application to unnecessary security requirements.

Consider that a certain mHealth app allows users to find doctor/test appointments. There could be two approaches here :

1. The application could require the user’s name and birthdate and pull up the patient’s profile in order to provide a personalised experience. Or,
2. The application could simply ask for the users gender and age range and find the relevant appointments

The first approach is a lot more user friendly but it would require HIPAA security because any data that is accessed, transmitted or stored within a mHealth app must adhere to all safeguards according to HIPAA. However, the second option doesn’t necessarily deter the user experience and also doesn’t require HIPAA security.

Reducing user burden

Make the overall experience of the product advocates security and enough context is given to the user about the security measures.

Explaining everything to the user about a security measure may not be a good idea. Make use of internal product notifications to explain the security measure in a basic format. In addition, make use of external notifications such as emails to further explain the measure to the user.

For example, some products may allow single sessions or a limited number of sessions. In such cases, usually, messages like ‘You’ve been logged out due to security reasons are displayed. This doesn’t tell the user why.

Now, consider this — Netflix allows only 5 concurrent viewing sessions

Netflix’ error message is self-explanatory, gives the user enough idea on what the next steps are and also includes an upselling touchpoint.

While this is great, sometimes it may not be possible to disclose details due to security reasons or simply technical limitations. In such cases, just like Netflix does, use emails to notify the users of the login activities happening on their accounts. This acts as a precursory warning should there be any unintended login, reducing the risk of unauthorised access.

Educate the user

Most users don’t fully understand security. They often consider security measures as extra steps on roadblocks in the normal functioning of the product.

For example, instead of simply asking the user to include one upper case letter, two special characters, a number, etc in their password, tell them why it’s important to have a carefully picked out password. This not only educates the user but also makes them serious about the security of their account.

Let’s also take a look at LinkedIn’s privacy policy. It is a simply structured page that explains all privacy-related concepts keeping the user at the centre of it all. They clearly explain what they collect, how they use it and how the user can opt-out of certain data storage. In addition, they also have an explainer video that gives an overarching idea about what the policy entails.

The bottom line

Ultimately, it’s all about finding the right balance. As designers, we need to take the time to understand security, its importance and involve relevant stakeholders in our creative process. When UX designers and security experts work together, they can create products with better engagement, credibility, compliance and brand value.

Additional resources

1. https://www.cs.ox.ac.uk/files/2859/ares_main.pdf
2. https://www.oreilly.com/library/view/security-and-usability/0596008279/ch04.html
3. https://www.fastcompany.com/3059293/security-vs-ux-how-to-reconcile-one-of-the-biggest-challenges-in-interface-design
4. https://uxdesign.cc/how-good-ux-leads-to-great-security-293327c83a90
5. https://www.securitymagazine.com/articles/94909-the-evolving-role-of-user-experience-in-security