Why Can't We Get Along? Security and User Experience
This essay was written for a college assignment. Students were to write a commentary on a social issue of their choosing. An 800-word limit was enforced.
As more people get their own devices and go on the internet, they become increasingly reliant on the services it provides. Proportionally, security and user experience become more important, and better implementation of each becomes more common. Sadly though, it would seem that user experience and security are more often than not at odds with each other, creating a zero-sum game that is nothing more than an eternal tug of war. Typically implemented security is about presenting barriers to a user, while typically implemented user experience design is about removing barriers to a user. To truly understand this complex relationship, we need to examine each more closely.
The best security, simply put, is a system that can guarantee the information it’s guarding is accessible only to those who have permission to view it. While security has always been important, the need for it increases as more people add increasingly personal and unchangeable information to a system. From the microscopic level of someone’s family photos and social security number, to the macroscopic level of consumer information leaks as serious as the leaking of the Panama Papers, it’s clear that good security affects everyone on every level. But if it’s so important and pervasive, why isn’t it executed well enough that there isn’t a new hack every other week? Besides “zero day exploits” that any system is prone to (as no system is perfect), as well as social engineering that preys on the faults of the system operators, a tangible valuation and point of diminishing returns is difficult to determine when a business invests in security. At what point is a system’s security “good enough” to stop investing in, and what if that “good enough” isn’t enough for the future? As the security industry grows and every part of a company becomes aware of the part it needs to play, security will continue to get better.
Is there any way to truly know if you’re not a robot? Trust Captcha. Captcha knows.
Unlike security, user experience design is a less known concept to the average person, simply because the best user experience is the one you don’t have to think about. A good user experience doesn’t require a user to read explicit directions in order to operate their application, makes all features easy to find, and makes the user confident when using the application (i.e., the user isn’t intimidated or scared away). User experience design gets more popular and important as more people use electronics. Before personal computers existed and became commonplace, only people with special training were able to use computers. User experience wasn’t a priority, because there would be a guaranteed, specialist, trained user base. Especially with the rise of smartphones, laptops, and tablets, the application with the best user experience is the one that wins the common user. Apple’s marketing, emphasizing their claims that their products are the easiest to use on the market, set them apart from the crowd initially, and still does today. User experience isn’t a simple thing to design, either: people act unpredictably and have a knack for not using applications the way they were intended to be used. A task requiring a user to go from point A to point B may be achieved by the user by going from point A to point Z to point D and then to point B. Because of this behavior, user experience design actually requires multiple phases of user testing combined with knowledge of fundamental principles to optimize.
Oftentimes, security is easy to pick out and annoying to work through. Remember when you had to decipher that near-illegible CAPTCHA challenge or had to wait a certain amount of time in between failed log-in attempts? None of that is any fun, but those actions keep your account secure. Now, do you remember misspelling your email and being told the email you entered doesn’t exist in the database or realizing you had entered an old password after the system explicitly told you so? These experiences make you feel more confident you’ll get the right credentials eventually, and empower you to continue; a great user experience. However, they create security flaws by giving the hackers hints to narrow down your information as well.
Thank you, Facebook, I feel safe knowing that a hacker could use this information well too.
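To make the trade-off above concrete, here is an added example (not part of the original essay) that puts a log-in check with the helpful messages described above beside one that gives a single answer for every failure. The account store, the stored previous-password hash, the function names and the message texts are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    # Slow salted hash; the iteration count is kept low so the demo runs fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def make_user(current: str, previous: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "current": _hash(current, salt),
            "previous": _hash(previous, salt)}

# Constructed sample account store (assumption, not real data).
USERS = {"alice@example.com": make_user("correct horse", "old password")}
# Stand-in record so an unknown email costs the same hashing work as a real one.
_DUMMY = make_user("unused", "unused-too")

def login_verbose(email: str, password: str) -> str:
    """Friendly version: every kind of mistake gets its own message."""
    user = USERS.get(email)
    if user is None:
        return "That email doesn't exist in our database."
    digest = _hash(password, user["salt"])
    if hmac.compare_digest(digest, user["current"]):
        return "Welcome back!"
    if hmac.compare_digest(digest, user["previous"]):
        return "You entered an old password."
    return "Wrong password."

def login_uniform(email: str, password: str) -> str:
    """Hardened version: same work and same message for every failure."""
    user = USERS.get(email, _DUMMY)
    digest = _hash(password, user["salt"])
    ok = hmac.compare_digest(digest, user["current"]) and email in USERS
    return "Welcome back!" if ok else "Email or password is incorrect."

def failure_messages(login) -> set:
    """Distinct replies seen for three different kinds of wrong log-in."""
    attempts = [("nobody@example.com", "guess"),        # unknown email
                ("alice@example.com", "old password"),  # stale password
                ("alice@example.com", "guess")]         # plain wrong password
    return {login(email, password) for email, password in attempts}
```

The verbose version answers the three mistakes with three different messages, which is exactly the hint the paragraph above worries about; the uniform version answers all of them the same way, at the cost of the reassurance the user enjoyed.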
Perhaps the biggest obstacle to security is that people don’t care enough about it to accept stricter authentication requirements. Asking a user to do more tasks besides enter a password and pass two-factor authentication for a single log-in cycle (a cycle to be repeated each time someone decides to log onto an application) is too demanding. This is actually where a good user experience would shine. This experience wouldn’t be giving hints to hackers, but instead would make users feel better throughout the process. This could be accomplished by telling them why what they’re doing is more secure (and why that benefits them), adding polish to the look of the interface, or even by telling them that they’re awesome people. Security and user experience need not be enemies; as with anything, the key to making them work together is compromise.