The Road towards a Secure User Experience

By Jenny Yang, Security Architect, Versent

Traditionally security has been perceived as a barrier towards a positive user experience, but over the past decade end-user expectations have been slowly shifting. This has been driven by the wider industry and large organisations including Google, Facebook, UX design consultants and security professionals.

If we open our current banking or email app on our phone, we expect both security and a positive user experience. Give us one without the other and you can bet that as customers, we will be looking elsewhere for a better solution.

Identity and access management

A customer’s identity is the treasure trove most hackers and cybercriminals look for. When signing up for something, many of us naturally opt for the easiest most convenient solution, which is just to re-use an old password that we have had for several years.

The adoption of social media platforms towards the mass market in developed countries has driven a significant increase in the development of an online social or personal identity. Often these platforms, take Facebook or Google for instance, have become the entry point to other services

One of the greatest improvements in user experience over the past few years has been in the login process. The mechanism by which we identify ourselves and gain access to our accounts is evolving. With emerging technologies such as biometric authentication, user behavioural analytics, identity as a service, these tools are breaking down the barrier towards a more technically secure and frictionless user experience.

Build trust with customers, and encourage them down the right path

Businesses need to cater for the simplest user, to understand the true risk at play. Businesses should encourage users down the right path, by making the default, the secure option. Clear indications with limited alternative options will encourage users to go down the right path.

In doing so, users will develop a higher level of trust with the organisation. Though use this sparingly, as false security warnings will undermine credibility and users will be subject to warning fatigue i.e. ignore your security warnings.

What can be incredibly damaging to an organisation, is if a customer finds out that the organisation has been compromised. From an ongoing brand value, this can cause irreparable brand damage. In this day and age, consumers expect their data to be secure through all interactions. And when there are so many options out there, it’s easy for them to make the switch to another service provider if they are dissatisfied.

User experience and security teams must work together, not against 

If you want to release a new product – you need security and user experience in the room talking to each other. User experience doesn’t usually sit with the security team. Instead, security is seen as a check point exercise, and another hurdle to going ‘live’.

A CIO or another key decision maker might be passionate about a project, and then if someone in security says there is a risk they will pull the plug.

Both user experience designers and security consultants need to get better at working together from the start - only then can security become an enabler.

Automation is key for a solid foundation

Often the most effective security controls are transparent to the user, with developers working behind the scenes. Great software developers strive for a stable foundation. While functionality is often at the forefront of the developer’s mind, as it should be, even the most technically skilled developers can make mistakes.

To start with a solid foundation, automation, secure code quality and security controls such as black box testing and automated scanning tools that can check for code coverage and code quality will equip developers to produce better code over time. It also provides a standard baseline the development teams can work towards while maintaining a secure code posture

Automation is a key enabler for making developers lives easier, and is better for scalability. For example, Atlassian is a software development company where millions of lines of code are deployed each week with only a handful of security engineers, which wouldn’t be possible without automation.

Security doesn’t need to sacrifice user experience

User experience and security can no longer be portrayed as a trade-off or a binary option. The balancing act between user experience and security is challenging, but if the intention is to design for the user, then protecting the user must be a key priority.

With new technology and innovation at arm’s reach, we can slowly look at closing the gap between user experience and security. In the long run, a business that focuses on both user experience and security will build a product that a customer can trust and believe in. Operating in a competitive climate, customer loyalty and retention is more important than ever before.


Tags identity managementAutomation ToolsVersent

Show Comments