Have you ever used the same username and password for different applications or programs online? Or have you written down a password you created for an online application or a website? The chances are that you have, and you are not alone.
Recently, while researching information for this article, I conducted an online survey with a series of questions about participants’ password habits. A hundred participants from the United States, New Zealand, and Europe responded, and their answers were strikingly similar. It became evident to me that users will try to simplify the complex tasks they perform online, including the tasks related to protecting their data and identity.
There is no question about how important security and data protection are. The point of my discovery is that even in the most secured application, with many layers of protection, there is always a point at which a user interacts with the app:
If security requirements affect the User Experience in a negative way, making it confusing, unintuitive, or annoying, then users will try to simplify their task to avoid the complexity and confusion, and they will act in a way that makes the security of their data, and of the application itself, weaker.
With technology evolving quickly, organizations’ security models face new demands today. “Doing it right”, by considering patterns of human behavior and actual users’ needs, results in both improved security and a better User Experience.
So what is there to consider?
1. Multi-device world: alert users when the usual pattern of their behavior changes.
Going back to the survey results, there was a question about which applications provide the most convenient and secure login experience and what sets them apart from other apps. A few apps were mentioned specifically. One of the security features those apps have that participants valued was an automatic notification when their account is signed in to from a new device.
In the modern world, it is the user’s identity that must be defended against network intruders, and this matters most now that a user’s data is shared across multiple devices and cloud accounts. “Businesses must now be able to authenticate highly distributed identities from different sources,” points out Charles Cooper in AT&T Business magazine, and this is one of the major trends in securing user identity.
The system’s ability to recognize a user’s tendencies and alert the user when the usual pattern of their behavior changes is not only a necessary requirement for multi-device and cloud applications but also functionality that users want.
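As an added example (not code from the post or from any of the apps the survey mentioned), here is a minimal version of that behavior: the first sign-in establishes a baseline, and later sign-ins from an unseen device fingerprint or an unseen country produce the alerts the notification would be built from. The fingerprint (user agent plus the /24 of the source address), the sample sign-ins and the country field are constructed assumptions; a real geo lookup and a richer fingerprint would replace them.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class SignIn:
    user: str
    user_agent: str
    ip: str
    country: str  # assumed: already resolved from the IP by a geo lookup


@dataclass
class DeviceMemory:
    # per user: device fingerprints and countries seen on earlier sign-ins
    devices: dict = field(default_factory=dict)    # user -> set of fingerprints
    countries: dict = field(default_factory=dict)  # user -> set of countries


def fingerprint(user_agent: str, ip: str) -> str:
    """Coarse, constructed device fingerprint: user agent plus the IP's /24."""
    net = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{user_agent}|{net}".encode()).hexdigest()[:16]


def evaluate(memory: DeviceMemory, event: SignIn) -> list:
    """Return the alerts this sign-in should trigger, then remember the device.

    The very first sign-in for a user is the baseline and never alerts;
    after that, anything not seen before is reported so the user can be told.
    """
    fp = fingerprint(event.user_agent, event.ip)
    seen_devices = memory.devices.setdefault(event.user, set())
    seen_countries = memory.countries.setdefault(event.user, set())
    alerts = []
    if seen_devices and fp not in seen_devices:
        alerts.append("new-device")
    if seen_countries and event.country not in seen_countries:
        alerts.append("new-country")
    seen_devices.add(fp)
    seen_countries.add(event.country)
    return alerts


if __name__ == "__main__":
    # Constructed sample sign-ins using documentation (RFC 5737) addresses.
    mem = DeviceMemory()
    print(evaluate(mem, SignIn("alice", "Mozilla/5.0 (Windows)", "203.0.113.10", "US")))
    print(evaluate(mem, SignIn("alice", "Mozilla/5.0 (iPhone)", "198.51.100.5", "NZ")))
```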
2. Passwords: hard to guess but easy to remember. (And don’t rely on passwords alone.)
According to NIST (National Institute of Standards and Technology), 81% of hacking-related breaches leveraged either stolen or weak passwords.
You could probably name a handful of applications that force their users to follow requirements for a mix of uppercase letters, symbols, and numbers in the hope of improving the security of users’ data. And you have probably worked at, or know, companies that force their users to change their passwords periodically.
But the truth is that neither periodic password changes nor arbitrary password complexity requirements prove useful in preventing breaches. It is the other way around: those requirements are actually counterproductive to good password security, because enforcing the wrong rules makes users work around them. That is why the new NIST guidelines recommend exactly this:
- Remove periodic password change requirements.
- Drop the algorithmic complexity song and dance.
NIST also recommends:
- Don’t rely on passwords alone – verify the identity using a second device (MFA) wherever possible.
- Don’t limit password length – users should use phrases with multiple words so it would be difficult to guess, but easy to remember.
- Most important accounts should have a unique passphrase.
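As an added example (not code from the post or from NIST’s own materials), a password-acceptance check in the shape the guidelines above describe: a length floor and a blocklist of known-bad passwords instead of composition rules and expiry. The 8-character minimum and the rule that at least 64 characters must be accepted come from NIST SP 800-63B; the blocklist, the 256-character sanity bound, and the context-word rule are constructed assumptions.

```python
import unicodedata

# Constructed sample blocklist; a deployment would use a large list of
# breached and commonly used passwords instead of these six entries.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "p@ssw0rd", "iloveyou"}

MIN_LENGTH = 8     # NIST SP 800-63B minimum for user-chosen secrets
MAX_LENGTH = 256   # assumed sanity bound; NIST requires accepting at least 64


def normalize(secret: str) -> str:
    """NFKC-normalize so the same passphrase compares equal across keyboards;
    spaces are allowed and kept, which lets users pick multi-word phrases."""
    return unicodedata.normalize("NFKC", secret)


def is_sequential(s: str) -> bool:
    """True for runs like '12345678' or 'abcdefgh' (each char is previous + 1)."""
    return len(s) > 1 and all(ord(b) - ord(a) == 1 for a, b in zip(s, s[1:]))


def check_password(secret: str, username: str = "", service: str = "") -> list:
    """Return the reasons a secret is rejected; an empty list means accepted.

    Deliberately absent: uppercase/digit/symbol rules and any expiry date.
    Present: length bounds, a blocklist, context-specific words, and
    repetitive or sequential strings.
    """
    s = normalize(secret)
    lowered = s.lower()
    reasons = []
    if len(s) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if lowered in BLOCKLIST:
        reasons.append("appears in the compromised/common password list")
    for ctx in (username, service):
        if ctx and len(ctx) >= 4 and ctx.lower() in lowered:
            reasons.append(f"contains context-specific word {ctx!r}")
    if len(set(lowered)) <= 2:
        reasons.append("too repetitive")
    if is_sequential(lowered):
        reasons.append("sequential characters")
    return reasons


if __name__ == "__main__":
    # A long plain passphrase passes; a composition-compliant breached one does not.
    print(check_password("correct horse battery staple"))
    print(check_password("P@ssw0rd"))
```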
3. Design for behavior.
Cognitive science research has shown that the human brain is wired so that we treat positive information as more relevant to us than negative information. Simply put, it is in human nature to think that nothing bad will happen to us. That is why most of us, even knowing the best security practices, still follow less secure habits and patterns (remember the survey results I mentioned at the beginning of this post?).
Ben Tomhave, the author of the article “Design For Behavior, Not Awareness”, points out that if “a new control requires that the ‘right’ choice be made, you must then apply behavior design to the project, or risk failure”. He also adds that “research has shown time and time again that telling people why a new practice is desirable will greatly increase their willingness to change.”
4. Warp drive your security professionals.
Every few months, all developers in my company’s IT department are required to take security training. The training focuses mostly on the technical aspects of secure development, best practices, industry standards and the like. With the evolving threat landscape and the rapid development of new technologies, there is a high demand for security professionals to move fast and stay on top of industry standards. That way you will not end up in the situation where, even after NIST has released its new guidelines, your security training still points to the old practices and requirements.
Improving the security of an application means not only adding additional layers of protection but also implementing a security-focused architecture and a security-focused user experience that connects the technical aspects of security with the way users interact with the product.
References and interesting resources:
- NIST: Digital Identity Guidelines (PDF).
- NIST (National Institute of Standards and Technology): Password Guidance from NIST (video).
- AT&T Business: 4 trends in securing employee identity (article by Charles Cooper).
- ProtonMail blog: Online security guidelines for journalists.
- Co.Design: Security Vs. UX: How To Reconcile One Of The Biggest Challenges In Interface Design.
- Ben Tomhave: Design For Behavior, Not Awareness.
- Trends in Cognitive Sciences: Forming Beliefs: Why Valence
- Elevate Security: How much is enough training?