5 ways to make software unpleasant via security
By Josh Christopher, Senior Experience Director at projekt202
“Security so good that even your intended users can’t get in.”
Rising awareness and willingness to address issues with Enterprise Software, the popularity of UX in the Healthcare industry (HIPAA), and frequent hacks of personal private information online — have led to a fear-fueled pattern when it comes to site security. Be not mistaken, fears are valid and loss of sensitive information could lead to much more than bad PR for a company. There are many real instances that could lead to substantial fines even if a company does not ever even “lose” information.
The pattern is that companies are taking their responsibility of being a secure resource for their users and simply passing that burden and liability back onto their users by creating overly complex layers of access. This in turn limits the users ability and desire to function with the service at all. These companies are rendering their software so secure that even the intended users are unable to access it.
So below are 5 ways to make your users frustrated via security.
1. Implement extensive password rules.
I understand the concern at a high level, “we don’t want people’s passwords to be hacked easily.”
The issue with passwords though is this, on average we all have about 25 accounts that require a password. Your users are naturally going to use a convention that fits with the 8 other passwords they plan to type in on that same day. If you stray from that convention and force your users to make their passwords more difficult, you are making it harder for your users to get to you when they need you most. Lastly, even without more complex rules, password recovery is the number one request for services that don’t have single sign-on capabilities.
Complex password rules make the job of creating a password much more difficult too. Multiple failed attempts at complex password creation will have measurable impacts to your throughput. Likely it also guarantees the password will be written down or saved in a place that is far more accessible than just being stored in your users’ brain.
Validation of the requirements can assist the user in first creating this their password. Also a password strength meter on password creation notifies users when they are at risk with too simplistic a password. Or try not making users create a new password at all, allow login and account creation via social media.
But the best solve altogether for the user may be to implement two factor authorization as both a rebuttal and solution to the fear of being hacked. In addition, why have a maximum number of characters at all in a password? If your users are concerned about being hacked they should be able to make their passwords the first 90 characters of π if they want to.
2. Force users to reset their passwords.
So the problem for businesses are still that damn password vulnerability. The fact is though that banks don’t even do this.
It is not common outside of Enterprise Software and even then, I still get ticked having to reset my corporate email password every 90 days.
So much of the rationale for the first issue is also applicable for why this is no good for users. But mainly it creates the need for users to write down their password on a little post-it and paste it right onto their monitor.
Additional things to consider instead of a password are tokens or biometrics (iris scan, fingerprint id, heartbeat). If it is Enterprise Software a USB key could potentially even be a better experience. Mainly, just try really hard not to expire the passwords even if it is Enterprise Software because interrupting a users flow even when they have a goal in mind can have devastating effects. In e-commerce, 75% of users won’t complete a purchase if they have to first recover/reset their password.
3. Put CAPTCHA — everywhere.
I understand the concern to an organization, “we need to watch our for malicious bots.”
But oh the problems it introduces for users… It increases form errors and causes poorer conversion, is difficult and inconsistently branded (which can make it look like a security issue). Most are not tablet/mobile friendly increasing the likelihood of fat finger typing.
If you need a mobile friendly version then reCAPTCHA isn’t awful. But an even better solution is the honeypot. Essentially honeypot is a hidden form field that humans cannot see, but that robots find irresistible. If the hidden form field is filled out, BOOM we gotcha robot, leave our site!
The biggest issue I see with Honeypot CAPTCHA is that there doesn’t seem to be a great solve for accessibility. But CAPTCHA in general is not super accessible either so we still need to implement a fix for this part of it.
4. Lock out after X number of failed login attempts.
So we suspect someone may be trying to hack into your account. However, we may have also made your password insanely difficult for you to remember and now we also have added additional steps for you to retrieve access to your account. So basically, we don’t want your money.
Obviously I am exaggerating but mainly I suppose I would be OK with this as long as there is at least a simple software solution in place for me to reclaim access to my account. If you plan to force me to call or email someone to get back access to my account plan on not seeing me again.
Best solve for this is also two factor authorization .
5. Have security questions, lots of complex ones too.
First let me say it just simply is not secure. This is one way how all the “unnamed” celebrities phones are getting hacked.
People are guessing/finding the answers to these questions in order to gain access to their private information.
“So make the questions more difficult and random.” Right? No not right. My answer to, “Who is your favorite cousins’ neighbor?” may change between now and when I need it. Also it will take me a while to find a question in your list of 10 that I feel like I could actually answer later on. I have had users tell me they have created workarounds to security questions where they just answer the security question with the last word of the security question to avoid dealing with the complexity of this security feature.
Example:
Question: What is your mother’s maiden name?
Answer: name
Best solution to this is verify a forgot username or password via another form of contact like phone or email.
A BONUS BARGAINING TIP
If you are currently in talks about site security with your client/company another thing to consider is the implementation of the SHOW/HIDE passwords in form fields. It could have a solid impact on the throughput and usability of your software.
In Conclusion
Exceeding a users tolerance to security results in them having to work against you and your security parameters to make the software easier to use. They will do things like write down passwords, use predictable shortcuts to remember answers to security questions, and reset expired passwords with weak flavors of previously used passwords. Overly complex security parameters may actual then result in a less secure software. Best is to come up with options that are still secure but don’t simply pass complexity onto customers.
