Implementing online security is ultimately a human undertaking. The tools have to be sufficient to protect you and your clients, but efficient enough not to get in the way of providing the best user experience possible. While technology will get you part of the way, the inevitable corner-cutting by users exposes the reality that technology cannot provide total protection against our human nature.
The Username/Password Combination
For example, historically the username/password combination provided both authorization and authentication in one convenient package. For earlier systems, not open to the public and only providing access from a well-defined physical location, this was a great solution. It quickly became apparent, however, that users are terrible at remembering some random password; they forget to change it every 90 days and would rather write it down.
The technology, as always playing catch-up to its users, quickly evolved into password-strength measuring libraries and automated functions to force users into changing their passwords. As a typical example of leading with technology and not considering the human factors, the resistance from end-users was palpable. Many of us remember the passwords on sticky notes on someone’s monitor, or the easy-to-guess (and pronounceable) ones that were shared around the office.
Improvements are being made continuously, on both the technical and the behavioral fronts. Users are much more aware of the need for proper security. Businesses with an online presence spend a significant amount of resources on protecting their infrastructure and their users from a growing variety of threats. Administrators are much more vigilant about implementing security protocols that are harder for both internal and external users to circumvent.
The Use of CAPTCHA
Not too long ago, CAPTCHAs were the new favorite technical solution against hackers trying to break into high-value targets. The widespread use of sophisticated user interfaces over the Internet allowed this visual password system to be used in many circumstances.
While it works in most implementations, there are shortcomings – again, based on human factors not anticipated in the initial design. CAPTCHAs do not work for people with certain physical limitations or cultural backgrounds, and so they do not just limit unauthorized access but prevent legitimate use as well. Given the global user base that most businesses are trying to target, these limitations are not acceptable. The visually impaired or recent immigrants trying to access their first bank account will face enormous difficulties trying to decipher the requirements that this type of gatekeeper demands of them.
Relying on Senses as a Means of Security
A security implementation that relies on one of the user’s five senses or on memory will ultimately hit the limits of how well any particular user can employ them. Perhaps an online photo album does not need the same level of protection as someone’s access to his or her bank account? Perhaps Facebook and Google need to implement two-factor authentication for all their online properties? These questions can only be answered calmly and methodically by considering the needs of each user that comes in contact with the system.
All businesses need to conduct a pre-purchase discovery with these questions in mind. Design professionals need to focus on the interactions that result from a variety of behaviors and pick all the tools that are appropriate – including those for security and protection. Human-centered design thinking is a necessary augmentation to the limits of technology. Awareness of how and why certain interactions are implemented, and understanding of their benefits, has the potential to counteract those hard-to-control behaviors from which technology alone has no chance of protecting any given system. Human-centered design has the capability for a longer-lasting impact than a simple certificate and encryption protocol between a browser and a server.
The Use of Two-Factor Authentication
An example of a purely technical, or rather mathematical, solution is two-factor authentication. Random, single-use tokens combined with strong password requirements are becoming widespread. With current technology it is impossible, or to be more precise almost impossible, to break. However, it is the lack of consideration for human behavior that is this solution’s flaw. While it fits into the established and understood username/password paradigm, it adds more complexity – not necessarily what the average user desires.
Using a Reminder Question
Another recent approach, still relying on additional complexity to slow down a brute-force attacker, is the “reminder question” type of security. In addition to the username/password, some common question is asked, the answer to which the system presumes only the user would know. However, a disgruntled friend or family member, or a social media “friend”, can easily find out the name of our first pet or the high school we graduated from. Again, this demonstrates the limits of technology and how it cannot cover all the intricacies of human behavior.
Security Lessons Learnt From Experience
At the company I work for, Story+Structure, we are convinced that the solution to these issues lies in combining the strength of currently available technology with the trust-building capabilities of a human-centered design approach.
One great example, originally from the banking industry, is the Know Your Customer (KYC) process. This interaction, specifically for the benefit of the protection of the customer, is technology agnostic. It requires a service provider to take certain steps with each of its customers before engaging in any sensitive business. Its benefit is validated by corresponding legal mandates. In the banking sector, training has to be provided and certain requirements have to be met before any employee can engage with a potential or existing customer.
Similar procedures are in place, in combination with technology, when fraud protection departments stop certain large item purchases. In today’s fast-paced retail environments, this could be seen as a mistake. It is the designer’s role to explain why it is worth the frustration and that after the initial confusion, the understanding will lead to a better experience and a stronger relationship. Technology that enables this type of protection cannot adequately address all the human emotions that are in play. Designers, however, can, and a holistic view of the entire interaction ecosystem allows them to incorporate security into their approach toward a solution.
In conclusion, the online security process must evolve to consider human components – not just technical safeguards. The human-centered approach, such as formulating a holistic view of the workflow, understanding the customer’s real need and, through this discovery, helping them notice out-of-the-ordinary activities, helps organizations protect their users by being mindful of who they are, what they need and how they operate. This is not just for a better user experience, but is part of a comprehensive protection against errors (malicious or otherwise).
(Lead image: Depositphotos)