When designing systems, it is crucial that the end users, whether they are customers, employees or other users, enjoy the experience of using the system. If they are confronted with an interface that is difficult to use, unresponsive or confusing, they are unlikely to want to use the service again and may go elsewhere. This is particularly so if the system has poor accessibility affecting users with certain disabilities. However, this is not only relevant to the core functionality that brought users to the service in the first instance, but it also extends to the features that are important to the user although not core to the business itself. Security is a prime example of this. Despite security being an important feature of many services, if the registration or authentication process is considered unfriendly, complex and slow, users are less inclined to want to continue their journey.
Unfortunately, there is a paradox here: the users want guarantees that their data is secure, but they are equally insistent on a frictionless security journey. Likewise, the service providers are also faced with opposing requirements: they want to deliver new features or products quickly to maintain a competitive edge, but they are equally responsible for ensuring that delivering new functionality is done in a secure way, which can often slow down the delivery of these functional improvements. Engineers are not only tasked with meeting the commercial needs of the business, but they are equally tasked with meeting the requirements defined within the organisation’s security policy. Ultimately, organisations have the moral obligation to keep their users’ data secure, irrespective of reputation or compliance and regulatory requirements.
So, there are two goals for security: first, it needs to give users the confidence that the service is secure, without impacting the user experience negatively; and secondly, it needs to be baked into the entire delivery lifecycle in order to reduce the risk of inadvertently introducing vulnerabilities and threats that could impact the user. Much has been written about the role of security in engineering, but in this article, I would like to focus on the role of security within the user journey.
Frictionless security is a term used to describe an interaction a user has with an authentication or registration journey that requires minimum effort on behalf of the user. For example, while registering on a website the user expects a simple process: the journey should not involve inventing unique usernames that can be easily forgotten – an email address will suffice. Users are often put off by overly prescriptive password formats that require lengthy words or phrases containing combinations of symbols, letters and numbers. These can also be difficult to remember. In some cases, websites request cognitive passwords, such as the name of the user’s first pet, mother’s maiden name or first schoolteacher, which are used to recover an account if the user forgets their credentials. These are cumbersome and unnecessary. In many circumstances, a user only expects to authenticate using a biometric feature such as facial recognition or a fingerprint to access authorised services, or to use a token sent to a mobile phone to recover an account.
Some services, such as online banking, may require more stringent security than other services. However, even in these cases, the user’s expectation is a journey requiring the least amount of effort. Registration should allow the user to prove their identity quickly and securely, while authentication journeys should be simple and quick. Finding the sweet spot between usability and security is important: too much security at the expense of usability will frustrate the user; not enough security to improve usability could leave the user’s data vulnerable.
There is a third parameter in frictionless security which has to a large extent been pushed down the list of priorities yet requires some attention. In addition to usability and security, there is also accessibility. Although many users are able to follow security journeys with relative ease, there is a significant proportion of users who are hindered by various types of impairment. These conditions are classified under three different categories: perception, operation and understanding. A lack of perceptive ability means a user is unable to see or hear clearly. When viewing websites, a user with this type of condition may be unable to distinguish colours or images, for example red versus green password strength indicators due to colour blindness, or CAPTCHA images due to poor eyesight. Operational disabilities involve the inability to perform simple tasks easily, affecting users who have physical conditions that prevent them from typing on on-screen keyboards or using their fingerprints, for example. Finally, a lack of understanding covers conditions where a user is unable to perform mental tasks easily, which may result in the user being unable to remember passwords or passphrases. These are just some examples of accessibility concerns relating to security, but the key point to note is that many users have some form of disability affecting the way they interact with a security journey, and this must be factored into the user experience design. This is particularly so for older people, who represent a large proportion of online users.
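The two points above, that overly prescriptive password composition rules add friction, and that a red-versus-green strength indicator excludes colour-blind users and screen-reader users, can both be addressed in the registration form logic itself. The following is an added example written for this article, not code from the author or from Investigo: it checks a candidate password by length and against a denylist of common passwords rather than by symbol/number/case rules, and it returns feedback in which colour is only ever a reinforcement of a text label and a status message. The length thresholds and the small denylist are assumptions constructed for the example; a real deployment would use a large breached-password list.

```javascript
// Added example (not part of the original article): length- and denylist-based
// password evaluation with feedback that never relies on colour alone.

const MIN_LENGTH = 8;      // assumed threshold for this example
const STRONG_LENGTH = 16;  // assumed threshold: a multi-word phrase comfortably exceeds it

// Constructed sample denylist for the example. In practice this would be a
// large list of known-breached passwords, checked server-side.
const COMMON_PASSWORDS = new Set(["password", "12345678", "qwertyui", "letmein1"]);

// Evaluate a candidate password. No composition rules: a long, memorable phrase
// of ordinary words is accepted, which reduces friction and helps users who
// struggle to remember symbol-laden strings.
function evaluatePassword(candidate) {
  const normalised = candidate.trim();

  if (normalised.length < MIN_LENGTH) {
    return {
      accepted: false, level: "rejected", label: "Too short", colour: "red",
      message: `Use at least ${MIN_LENGTH} characters. A phrase of several words is fine.`,
    };
  }
  if (COMMON_PASSWORDS.has(normalised.toLowerCase())) {
    return {
      accepted: false, level: "rejected", label: "Too common", colour: "red",
      message: "This password appears in lists of commonly used passwords. Choose something less predictable.",
    };
  }
  if (normalised.length >= STRONG_LENGTH) {
    return {
      accepted: true, level: "strong", label: "Strong", colour: "green",
      message: "Good choice. Longer phrases are easier to remember and harder to guess.",
    };
  }
  return {
    accepted: true, level: "acceptable", label: "Acceptable", colour: "amber",
    message: "This will work. Making it a few words longer would make it stronger.",
  };
}

// Render feedback for the form. The colour is carried by a CSS class, but the
// same information is also present as a glyph, a text label and a sentence,
// and the element is announced to screen readers via role="status".
function renderFeedback(result) {
  const glyph = result.accepted ? "\u2713" : "\u2717"; // check mark or cross, not colour-only
  return `<p role="status" aria-live="polite" class="strength-${result.level}">` +
         `${glyph} ${result.label}: ${result.message}</p>`;
}

// Usage: wire this to an input's "input" event and replace the feedback element's
// outerHTML with renderFeedback(evaluatePassword(inputElement.value)).
```

Because the label and message are independent of the colour, a user who cannot distinguish red from green still learns why a password was rejected and what to do instead, and a screen reader announces the same text as the form updates.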
Within DevOps (and therefore DevSecOps), the focus should always be on improving outcomes for the customer, whether they are internal customers or paying customers. Over the past few years, the drive to develop secure systems has stressed the need to engineer products securely through secure development practices such as security code reviews and automated security testing. These sit within the context of the organisation. However, we must not forget the security implications affecting the end customer. Although users expect organisations managing their data to be secure, they also expect an easy security journey. If you then throw disability into the mix, finding a happy equilibrium between usability, accessibility and security is a challenge.
When designing security journeys, it is essential that friction is reduced to a minimum without compromising security. Therefore, all users’ abilities must be considered. Their cognitive, physical and perceptive levels must be factored into design, development and testing processes to create inclusivity. In particular, it is important that security features offer a satisfying and rewarding experience to all users.
If you’d like any more advice about how to seamlessly integrate security within your user journey development cycles or you want to strengthen your team through our access to subject matter experts to help instigate the change your business needs to thrive, please contact us.
Glenn is an associate partner at Investigo, part of our Cyber Security Practice as an experienced DevSecOps and Agile security consultant with a background in software engineering, Agile frameworks, DevOps and cybersecurity. He is author of DevSecOps: A leader’s guide to producing secure software without compromising flow, feedback and continuous improvement.