Why users want the right thing but do the wrong thing
User experience // When it comes to security-critical systems, users are unquestionably part of the problem. But when it comes to the solutions they are pretty much left out of the equation. Are they an incalculable risk?
Security and the user experience are often seen as opposing forces. If the user experience is strong, security is weak, and vice versa. According to widespread opinion, that’s because of the user. Users don’t stick to the instructions, they don’t use secure passwords, and they disregard security advice.
Even “forcing” users to set up a secure password by requiring certain characters doesn’t guarantee that they will use it as intended, as the following example demonstrates. Instead of memorizing their secure but complicated password, some users will use the “reset password” option every time they log in. By entering their email address and a new password that they have no intention of remembering, they satisfy the password requirements, but in the wrong way. The list of violations is long, and ranges from passwords such as “forgot” to screenshots of sensitive data, through to masking proximity sensors on mobile terminals in hospitals in order to stop getting logged out.
When users get “creative” and act against their better judgment, they do so not because they are ignoring safety concerns but because they want to make access as “fit-for-purpose” as possible – from their point of view. Even the most popular password, 123456, still remains a password. And as long as nothing happens, nothing seems to be wrong. But users don’t make rational decisions by logically weighing up the options and then selecting the most secure. They prefer simple, practicable solutions that match their cognitive capabilities. And complicated, twelve-character passwords don’t fit the bill.
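The reset-at-every-login workaround described above leaves a trace in authentication logs, and it is something a defender can measure rather than guess at. The following is an added example, not code from the article: it runs over a few constructed log lines (timestamp, user, event) and flags users whose successful logins are almost always preceded by a password reset. The event names, time window and threshold are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one "timestamp,user,event" per line.
# "alice" resets her password before every login; "bob" resets once.
SAMPLE_LOG = """\
2024-03-01T08:00:05,alice,password_reset
2024-03-01T08:00:40,alice,login_success
2024-03-02T08:01:10,alice,password_reset
2024-03-02T08:01:55,alice,login_success
2024-03-03T08:00:12,alice,password_reset
2024-03-03T08:00:50,alice,login_success
2024-03-01T09:10:00,bob,login_success
2024-03-02T09:12:00,bob,login_success
2024-03-03T09:00:00,bob,password_reset
2024-03-03T09:02:00,bob,login_success
2024-03-04T09:05:00,bob,login_success
"""


def parse_events(text):
    """Parse the constructed CSV-like log into (timestamp, user, event), time-ordered."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.strip().split(",")
        events.append((datetime.fromisoformat(ts), user, event))
    events.sort()
    return events


def reset_login_stats(text, window=timedelta(minutes=5)):
    """Per user: (logins preceded by a reset within `window`, total successful logins)."""
    last_reset = {}                 # user -> timestamp of most recent unconsumed reset
    logins = defaultdict(int)
    reset_logins = defaultdict(int)
    for ts, user, event in parse_events(text):
        if event == "password_reset":
            last_reset[user] = ts
        elif event == "login_success":
            logins[user] += 1
            if user in last_reset and ts - last_reset[user] <= window:
                reset_logins[user] += 1
                del last_reset[user]  # one reset explains at most one login
    return {u: (reset_logins[u], logins[u]) for u in logins}


def flag_reset_as_login(text, threshold=0.5, min_logins=3):
    """Users with enough logins whose reset-preceded share meets the threshold (assumed cutoffs)."""
    stats = reset_login_stats(text)
    return sorted(u for u, (r, n) in stats.items() if n >= min_logins and r / n >= threshold)
```

A user flagged this way is a usability signal as much as a security one: the policy is being satisfied on paper while the password itself is never memorized.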
A question of perspective
Developers and users come at the topic from different angles, internal and external. One tries to protect the system from the inside so that people can’t just sail right in; the other wants exactly that – quick, easy access. This contrast is often expressed in the choice of words. Users are asked to log into a website under the instruction “Sign in with SSO-2FA”, and then get a message on their phone via the authenticator app stating that “Somebody is attempting to log in with a push notification”. They have to agree to this almost hostile intrusion by hitting “Confirm”.
What is missing from this scenario is the user perspective. Sometimes words are enough, in the above case simply saying something like: “Welcome to your secure workspace! Please open your personal access.” And the app pops up: “Hi Christoph, please confirm your access.” Which I can do with a simple “OK, everything is fine.” Not only does this sound friendlier, but it also gives users a sense of security, which they can control and take responsibility for.
Particularly when communicating security instructions, users are often overlooked. It really does make a difference whether the browser reads: “The domain you are trying to access has an invalid or expired SSL certificate” or “The website you are visiting is not secure”. If you don’t put users in the position of making a security decision, you can’t expect them to behave in a secure way.
Secure is what is practicable
Security and the user experience are inextricably linked. Or as Angela Sasse, Professor of Human-Centered Security, puts it: “If it’s not usable, it’s also not secure.” And it’s precisely because users are part of the solution that the balance between security and the user experience should fall in their favor. A security concept should always ask the question: Where is the user willing to reduce security in favor of productivity? The recently established research area “usable security and privacy” looks at precisely this issue. The research focuses on understanding user behavior in security-critical contexts and designing security solutions that are built on exactly this foundation. Solution approaches are put into two groups: with and without users. The former focuses on better interaction; the latter deliberately dispenses with it, and explores authentication using findings from behavioral biometrics.
Security needs to be fun
To improve interaction in practice, it helps to understand security not merely as a technical concept, but as an integral feature of an application. This automatically poses the right questions: Do users understand the feature? Can they use it easily? Does anything in its performance present a stumbling block? The user experience supplies the answers by taking the same approach to developing security as to any other good feature: user-focused and iterative. Product quality isn’t the only thing tested; user quality is expressly tested too. The security mechanisms need to meet the following criteria: context coverage, satisfaction, risk communication, efficiency and effectiveness. In future, the aim when it comes to security must be to stop seeing the person as the risk and to see poorly made software as the risk instead.
Long-term, this will lead to users clamoring for it – not because it’s secure, but because they like it. In reality, the contradiction posed at the start of this article is an inevitable interdependence: if the user experience is strong, so is security. Still wondering how I know a strong user experience in security when I see one? – It’s when, after logging in, I feel myself wanting to log out again so I can repeat the process.