Why UX is the Secret to Better Online Security
03 Aug 2018
Nobody likes the trailers before a film, but watching Ocean's 8 this week I was particularly irritated by a banking app ad designed to tie into the heist theme of the film. As in the film, a group of women orchestrate events that let them steal something valuable - but as this is an ad it's not jewellery, it's access to the target's bank account. The heist is foiled by the use of fingerprint scanning on the banking app, leaving them unable to look over the target's shoulder to get access to her password.
So, what's wrong with this you ask? I'm happy with the movie tie-in and more than happy with the all-female approach. It's the focus on someone reading your password over your shoulder that irritates me. We're all aware this is an issue and take extra precautions at the cash machine to ensure no-one can see our PIN, which is great. But having sat with users for many hours doing UX research, I often hear this concern raised by the same people who happily admit they have the same password for multiple accounts. I genuinely think they believe it is more likely that someone will read their password over their shoulder than that their weak, reused password will be cracked. And this worries me.
So where does UX come in? Good UX makes it easier for users to create and enter secure passwords.
Make password requirements secure but not silly
Setting a minimum password length and enforcing a selection of numbers/characters is good. However, if that minimum is 12 characters long and must have upper case, lower case, numbers and special characters in specific ratios, you're setting a Crystal Maze challenge, not a password requirement.
Be upfront about the password requirements
This almost feels like it shouldn't need to be said, but a surprising number of sites still don't tell users the password requirements until they see they've got them wrong in an error message. Make the requirements easy to understand and place them next to the password field.
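To make the last two points concrete, here is an added example (not code from the original post) that puts the "Crystal Maze" policy beside a plain one and evaluates every rule at once, returning each rule's wording with a pass/fail flag so the full list can be shown next to the field before the user types anything. All thresholds, element ids and rule wording are assumptions chosen for illustration.

```javascript
// Added example, not from the original post. Two rule sets side by side and an
// evaluator that reports every rule's wording plus pass/fail, so the UI can
// list the requirements up front rather than revealing them in an error.
// All thresholds are illustrative assumptions.

// Count matches of a regex in the password (0 when there are none).
const count = (pw, re) => (pw.match(re) || []).length;

// The "Crystal Maze" policy: a long minimum plus character-class quotas.
const sillyRules = [
  { text: 'At least 12 characters',         ok: (pw) => pw.length >= 12 },
  { text: 'At least 1 upper-case letter',   ok: (pw) => count(pw, /[A-Z]/g) >= 1 },
  { text: 'At least 1 lower-case letter',   ok: (pw) => count(pw, /[a-z]/g) >= 1 },
  { text: 'At least 2 digits',              ok: (pw) => count(pw, /[0-9]/g) >= 2 },
  { text: 'At least 1 special character',   ok: (pw) => count(pw, /[^A-Za-z0-9]/g) >= 1 },
];

// The plain policy: a minimum length, a generous maximum, nothing else.
const saneRules = [
  { text: 'At least 8 characters (a phrase or sentence works well)', ok: (pw) => pw.length >= 8 },
  { text: 'No more than 128 characters',                              ok: (pw) => pw.length <= 128 },
];

// Evaluate every rule rather than stopping at the first failure, so the whole
// list can be rendered with ticks and crosses instead of one error at a time.
function evaluate(rules, password) {
  return rules.map((r) => ({ text: r.text, ok: r.ok(password) }));
}

function passes(rules, password) {
  return evaluate(rules, password).every((r) => r.ok);
}

// The wording to show beside the field before anything has been typed.
function requirementText(rules) {
  return rules.map((r) => r.text);
}

// Browser rendering helper: writes the list into a <ul>, one <li> per rule,
// with a data-ok attribute for styling. Does nothing under Node.
function renderRequirements(listElementId, rules, password) {
  if (typeof document === 'undefined') return;
  const ul = document.getElementById(listElementId);
  ul.innerHTML = '';
  for (const r of evaluate(rules, password)) {
    const li = document.createElement('li');
    li.textContent = r.text;          // textContent, not innerHTML, for any displayed string
    li.dataset.ok = String(r.ok);
    ul.appendChild(li);
  }
}
```

The contrast is the point: `P@ssw0rd1234` satisfies every quota in `sillyRules`, while the far longer `correct horse battery staple` fails them and only the plain policy accepts it. Call `renderRequirements('pw-rules', saneRules, '')` on page load, and again on every keystroke, so the list is visible and live beside the field.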
Have an easy to use password reset journey
Let's face it, some users are never going to remember their passwords. If you want them to continue to use your site they must be able to reset their password easily. They need to be able to do this from all relevant points in your site and with ease.
Show/hide helps avoid mistakes
Allowing users to choose to show/hide their password makes it easier for them to enter their password mistake free. Be careful how this is implemented though - you don't want to show the user's password (if they've saved it in the browser) when the page loads. An eye icon or the words show/hide are frequently used - for a wide user audience you can't beat the clarity of words over icons.
Integrate with authentication technology
Biometric tech like Touch ID or Pixel Imprint can make logging in and paying easy, as well as secure, by removing the need to enter a password. Add this functionality to your app or site and users with this technology get a better experience.
Also consider users who have a password manager tool when building your login pages. These tools often rely on being able to copy and paste from the tool to your site - you don't want your site to be the frustrating part of the experience because you don't allow paste.
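The show/hide and paste points above, as an added example that is not code from the original post: the toggle is a small state object that always starts hidden, so an autofilled password is never revealed on load, and it is wired to real elements only when a `document` exists. The paste-blocking handler is shown purely as the anti-pattern beside the recommended form. Element ids, the "Show"/"Hide" wording and the function names are assumptions.

```javascript
// Added example, not from the original post. A show/hide toggle that defaults
// to hidden regardless of what the browser autofilled, uses words rather than
// only an icon, and leaves paste alone. Ids and labels are assumptions.

// The toggle as a tiny state machine, kept separate from the DOM so it can be
// tested without a browser.
function createVisibilityState() {
  let visible = false;   // always hidden on load; never derived from field contents
  return {
    toggle() { visible = !visible; return visible; },
    isVisible() { return visible; },
    inputType() { return visible ? 'text' : 'password'; },
    buttonLabel() { return visible ? 'Hide' : 'Show'; },  // words, for clarity
  };
}

// Anti-pattern: cancelling the paste event. Password managers that fill a
// field by copy/paste break against this. Shown only for contrast.
function blockPasteAntiPattern(event) {
  event.preventDefault();
  return false;
}

// Recommended form: do not interfere. Returning true without calling
// preventDefault leaves the browser's default paste behaviour intact (and in
// practice you simply register no paste handler at all).
function allowPaste(event) {
  return true;
}

// Wire the state to a password input and a toggle button. Returns the state
// object in a browser, or null under Node where `document` is undefined.
function attachPasswordToggle(inputId, buttonId) {
  if (typeof document === 'undefined') return null;
  const input = document.getElementById(inputId);
  const button = document.getElementById(buttonId);
  const state = createVisibilityState();

  // Enforce the initial state from the script, not from whatever markup shipped
  // or whatever the browser filled in.
  button.type = 'button';                 // never submits the surrounding form
  input.type = state.inputType();
  button.textContent = state.buttonLabel();
  button.setAttribute('aria-pressed', 'false');

  button.addEventListener('click', () => {
    state.toggle();
    input.type = state.inputType();
    button.textContent = state.buttonLabel();
    button.setAttribute('aria-pressed', String(state.isVisible()));
  });
  return state;
}
```

In a page this is one call, `attachPasswordToggle('password', 'toggle-password')`, after the two elements exist; note that nothing reads the field's value and nothing registers a paste listener.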
Of course, UX is only a part of the security process. Experts smarter than me talk about blocking insecure passwords - there are apparently millions from data breaches that can be found online, and people still use terrible ones like "password123". If you're a security geek (I know one or two) it's highly frustrating to find out that a site won't allow you to enter a long enough password to satisfy your own security standards - adding a couple of extra characters to your password can take the time to crack it from hours to months!
But if you have humans as part of the security process it helps to remember that we are generally less than perfect creatures of habit. Although there is valuable stuff to be found behind a password, most users won't weave through metaphorical laser beams to get there. So, it's up to us to take creating and entering them from a heist to a walk in the park.