Security and UX: ‘If It’s Not Usable, It’s Not Secure’

November 24, 2017 11:01 am

In today’s digital world, our online presence is expanding and so too are risks from hackers and phishers. So with this continual expansion of the digital world comes a need for improved security.

But as security measures have improved they have also become more complex. Multi-factor authentication is now commonplace, and logging into online platforms is no longer a walk in the park. It takes concentration, accuracy and an awfully good memory. So with these advances in security, the usability of getting rightful access to our products and services has tended to suffer. This has not gone unnoticed amongst us UX professionals: alongside security advocates, we have recognised that we must find a balance, because as Jared Spool points out, ‘if it’s not usable, it’s not secure’.
In this article we will consider the usability problems associated with an increasingly security conscious world, and what the future holds for addressing these issues.

Passwords and Two-factor Authentication

Since the recommendations of Bill Burr in 2003, there has been a clear fetishisation of password strength. Burr’s 2003 publication advised people to protect their accounts with cryptic passwords made up of awkward words, obscure characters, capital letters and numbers. But this makes passwords hard to use, and as with anything that’s hard, we find shortcuts – Burr’s advice soon pushed us into lazy password habits. By this I mean changing the first letter of a password to a capital letter and ending it with a number. Although we’re all guilty of it, this is not going to make a password difficult to crack.
So in fact passwords are not great for keeping hackers at bay: in an attempt to make account access more straightforward, we create easy-to-predict passwords. Even Burr, at the age of 72, admitted that ‘Much of what I did I now regret’.
As a result, stronger methods of security have been introduced. For example, two-factor authentication is something you’ll typically see when setting up a new payee in online banking, where the bank needs you to provide ‘something you know’ – a password or memorable information – and then ‘something you have’ – this may be a code sent to your mobile, or one generated by a card reader. However, the problem here again is that by adding an extra stage of security, the system becomes less usable: not only do users have to remember information, they must also have the ‘something they have’ to hand.
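To make the password point concrete, here is an added example (not code from the original article) of the kind of check a sign-up form could run before accepting a password. It undoes the predictable mangling described above (capitalised first letter, trailing number, the usual symbol-for-letter swaps) and tests whether what is left is a common word, alongside a 2003-style composition check. The wordlist is a constructed stand-in for a real dictionary or breached-password list, and the function names are my own.

```python
import re

# Constructed stand-in for a real dictionary or breached-password list
# (assumption: a production check would load a far larger list).
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "football"}

# The usual digit/symbol-for-letter swaps people use to satisfy composition rules.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def passes_composition_rules(password: str) -> bool:
    """A 2003-style rule set: at least 8 characters with upper, lower and digit."""
    return (
        len(password) >= 8
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"\d", password) is not None
    )


def normalize(password: str) -> str:
    """Strip the predictable decoration so the underlying word can be compared.

    Removes a trailing run of digits/symbols (the 'ending it with a number' habit),
    undoes common leet substitutions, and lowercases (the 'capital first letter' habit).
    """
    core = re.sub(r"[\d!@#$%^&*]+$", "", password)
    core = core.translate(LEET_MAP)
    return core.lower()


def is_predictable(password: str, wordlist=COMMON_WORDS) -> bool:
    """True when the password is just a common word wearing the usual disguise."""
    return normalize(password) in wordlist


def evaluate(password: str) -> dict:
    """Report both verdicts so the gap between 'meets the rules' and 'hard to guess' is visible."""
    return {
        "composition_ok": passes_composition_rules(password),
        "predictable": is_predictable(password),
    }


if __name__ == "__main__":
    # Constructed candidates: the first three satisfy the rules yet are predictable;
    # the passphrase fails the rules yet is not a disguised common word.
    for candidate in ["Password1", "P@ssw0rd1", "Dragon2017!", "correct horse battery staple"]:
        print(candidate, evaluate(candidate))
```

The two verdicts deliberately disagree for the classic cases: `Password1` and `P@ssw0rd1` satisfy every composition rule yet normalise to `password`, which is exactly why a rule-based policy alone gives false confidence. A real deployment would swap the inline set for a large breached-password list and treat `predictable` as a rejection, regardless of `composition_ok`.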

Figure 1. Two factor authentication: Something you know + Something you have

A Shift to Biometrics

The more recent introduction of biometrics as a security measure has the potential to ease the ongoing trade-off between UX and security.

Biometrics have added a third dimension to security: rather than relying on ‘something you know’ or ‘something you have’, they rely on ‘something you are’. By allowing users to bypass those two stages of authentication, the integration of biometrics into modern-day technology is beginning to increase both security and customer satisfaction.

Figure 2. Biometrics: Something you are

Possibly the most commonly used form of biometrics is fingerprint identification. Although this is nothing new – fingerprints have been used as a form of identification in a criminal context since the late 19th century – they have certainly saved us from a painful experience when it comes to security. Every other smartphone is now unlocked this way, not to mention the use of fingerprints to access buildings and to pay for school meals.

A second commonly used form of biometrics is voice authentication. Relying on the unique physical characteristics of an individual’s voice, this is something you may have experienced when contacting companies such as banks over the phone. HMRC, renowned for long wait times and lengthy security measures, has also recently implemented Voice ID. From personal experience, not only is this simple to set up, but it also saves your wait time, and your memory, as you hardly have to recall anything.

Figure 3. HMRC Voice ID

And biometrics have not stopped there: the recent release of the iPhone X, and of similar digital products by competitors, has seen the introduction of facial recognition into the consumer market. This technology is something you may have experienced at airports, but the benefit of this advancement at a consumer level is that authentication is possible without having to lift a finger or say a word – the user experience really couldn’t be more straightforward.

Figure 4. Facial recognition: iPhone X From: X

But it is worth bearing in mind that although biometrics have improved the usability of digital products and services, they still have a long way to go. The storage of biometric data is of utmost concern: either these identities have to be stored in a large central database, or, in the case of a personal device, the hardware provider becomes responsible for an individual’s identity.
Also, there is evidence to suggest that these forms of ID are not always accurate. Think of Touch ID: we’ve all tried, and failed, to unlock our phones with wet fingers. So the drawback here is that biometrics have to be backed up by more laborious forms of security – I’m sorry, you can’t say goodbye to your notebook of passwords just yet.

What the future holds – Single Digital Identities

But what does the future hold for security and usability? Within the last century security has come on considerably, and it is not due to stop here. As we now find ourselves in a fully digital age, it is thought that identity verification will soon be entirely digital too. The idea is that individuals will establish one single digital identity, managed by a trusted provider, which will allow login across all digital platforms. Whilst biometrics can do this at quite a local level – allowing login to a mobile phone and subsequently to apps such as banking – they cannot yet be used across all sites and apps.

An example is the Government Digital Service’s ‘Verify’ scheme, which works to a similar effect, allowing individuals to access numerous government services with a single login. A well thought out security system like this typically allows for a higher level of security, as it is more rigorous to set up than a standard login system, whilst also enhancing usability and reducing reliance on multiple usernames and passwords – so maybe then you can think about getting rid of that password stash.

Take Away

Overall, security is continuing to become a more important aspect of our digital experience. But providing security that is both safer and a better experience for our users involves the art of striking a balance. UX and security professionals must ensure they are working together to address users’ needs in an increasingly security-conscious world.
Three key things to bear in mind when considering security and usability are:

• Plan – build security into the early stages of developing a product rather than tagging it on at the end.
• Keep it simple – security can act as a ‘barrier’ so ensure it is as easy for your users to overcome as possible.
• Test – this allows any problems to be discovered early and addressed.