You are about to sign up on a hot new website your friends were discussing. You open the webpage and click on Sign Up. What do you see?
The password requirements read: the password should be 12-24 characters long, with at least one lowercase character, one uppercase character, one number, one special character except / and *, an Egyptian hieroglyph, and a secret hand sign.
We've all experienced the frustration of complex security measures at some point. These hurdles can stop us from even trying out a new product, which illustrates the negative impact such measures can have on user experience. The intentions might be well-placed, but the effect is detrimental. Results matter.
With long passwords or complex requirements, people are more likely to reuse passwords or write them down. If any one of those accounts is compromised, every other account that shares the same password is indirectly compromised too, through a technique called credential stuffing: the leaked username and password pairs are simply replayed against other sites.
For throw-away accounts on websites you don't care about, this is not a big deal. It is a big deal when the same password guards crucial services like tax portals or email. It might just be a ticking time bomb.
Organizations must find ways to communicate their security measures effectively without overburdening users.
Users Care About Their Experience
Security is the primary responsibility of the person designing the system, whether it be software or a physical system. There is an Object-Oriented Programming concept named encapsulation, which is about hiding complex implementation and only exposing what the user needs to know.
If we look back at the history of automobiles, the initial designs were complex and, for a long time, exposed implementation details like gears and the clutch to the driver. The widespread adoption of automatic transmission in the US is a testament to the fact that users want to avoid dealing with implementation details.
Now, let's apply this to security and, more specifically, cybersecurity. Why should users be burdened by security practices like complex password requirements or password rotation policies? Password rotation policies lead to predictable patterns, like appending the month or year to the end of a password, which is no better than having no rotation policy at all and, frankly, quite expensive in the long run.
This happens because the people designing the system have decided to abdicate their responsibilities. The users do not think about security in their day-to-day lives, just like they do not think about a city's sewage system. They just expect it to work. They only care when there is a problem.
PwC published a report describing what a good customer experience looks like. This quote captures the essence:
"Nearly 80% of American consumers point to speed, convenience, knowledgeable help, and friendly service as the most important elements of a positive customer experience."
Users expect things to just work! They only care about how they can get their work done. Notice that security isn't mentioned on this list.
Hiding Implementation Details
I clearly recall that, around 15 years back, we were all advised to set travel notices on our credit cards when traveling internationally. This was meant to keep our transactions from being flagged as fraud. While I understand the reasoning, it added another layer of complexity to travel plans.
Nowadays, most credit cards do not require you to set a travel notice. Traveling internationally with Amex, I have never had an issue with charges being marked as fraud. It's not surprising, since Amex states clearly that I do not need to set one. This is an excellent example of hiding the security implementation details from the user.
Most credit card issuers now rely on advanced fraud detection algorithms. That lets me focus on my vacation rather than spending time on the phone with an agent from my credit card company.
If you are designing a website, why even have a Sign-up page unless it is necessary? How about single sign-on options like "Sign in with Google" or "Sign in with Facebook"? Keep the manual sign-up for people unwilling to use Google or Facebook. Google and Facebook have far more resources to secure their login systems than we do. Let us focus on our strength: providing value to users.
How to Strike a Delicate Balance
I would concede that some amount of security is indeed the responsibility of the users. They should not fall for phishing attacks and hand their passwords to smooth-talking scammers. Beyond mandating second-factor authentication, which, while cumbersome, has become more widely accepted, there is only so much you can do.
We can avoid confronting the user with terms like "two-factor authentication", which mean nothing to most people who hear them. Instead, we should explain what we are trying to achieve, like "We need to verify it is you. We have sent a code to the phone number ending with XXXX". We skipped the jargon and communicated our intentions.
In the quest to strike a fine balance, we can offer users who are more comfortable with two-factor authentication stronger methods, like an authenticator app that generates codes at regular intervals, or a physical key like the RSA dongles. YubiKey is the most popular of them all for personal use. Maybe start supporting passkeys?
Conclusion
To get my point across, I kept my examples simple, like password policies. The mindset I am championing applies to more than just passwords. It should apply to all aspects of the user experience when working with security.
If you work in a company's IT department and have been told that people have a habit of leaving their computers unlocked, you know it is tough to change people's behavior. The employees are your users in this case. Instead of writing policies that try to change human behavior, write policies that enforce an automatic screen lock after a specified idle period. While it does not solve the root issue, it reduces the risk that an unlocked computer can be used for nefarious purposes.
Security is not about checking items off a checklist. It is a mindset that should be woven into the organization's culture. It needs leadership buy-in and a budget set aside for this explicit purpose. The culture of security needs nurturing and should never be an afterthought.