Designing Secure Experiences

When a user opens Facebook, he wants to post a picture. When she logs into her bank, she wants to see her balance. For our users, security is not front of mind. If it gets in their way – they’re likely to look for a shortcut or skip it entirely. And yet, we consistently push security decisions to users, ranging from passwords to security warnings, usually resulting in an experience that’s neither usable nor secure.

In this talk (written in partnership with Guy Podjarny), Rachel will show examples that aspire to solve the problem, share best practices, and discuss how to provide a secure experience that doesn’t alienate users.

slides []

There is tension on the web between security and usability. Everyone agrees security is important now more than ever, and we are exposed to instances where poor security has led to disastrous result. Yet we consistently leave the responsibility for security decisions to the user, letting them choose weak passwords, store them unsafely and expose them to third parties.


At the same time, users simply want to access content on the web, whether it’s posting a picture to social media or checking bank balances, without endless obtsacles getting in their way. They are aware of the need for security but they don’t want it to get in their way.


With a bit of insight, empathy and technical knowhow, it should be possible to provide a secure experience that doesn’t alienate users.


We think of security attacks as being complex and sophisticated, but in reality breaches are often the result of asking users to supply their passwords or working out insecure passwords.


Passwords are hard. People forget them, write them down, make them easy to crack. While each password’s requirements (unique username, unique password that meets policy requirements and is memorable) doesn’t seem that hard, the number of accounts requiring passwords complicates things.


In his web comic xkcd, Randall Munroe said, “We use passwords that are hard for humans to remember and easy for computers to guess”. He’s right and we need to address that.