How to Balance Security and User Experience [in this Era of Cybercrimes!]

Saad Arshed
7 min read · Mar 1, 2021

As per McKinsey, cybercrime costs the global economy around USD 445 billion.

Threats have shifted from targeting companies directly to targeting individual accounts and information. Now the end user at home is becoming the conduit for attacks on companies.

We are all familiar with SIM-port hacks. Considering that Jack Dorsey (CEO of Twitter and Square) lost his accounts, we should be pretty scared. Brilliant individuals have lost money and data through fraudulent attacks. Be aware that most of those attacks weren’t sophisticated technical hacks but simple mind tricks.

Users are becoming more aware of the data they are sharing and more hesitant to share it. This hesitation leads users to leave products where they feel their data might not be secure.

So, for all product developers, security, and building products that convey to users that their presence is secure, while still providing an optimal user experience, are of paramount importance.

I’d like to lay out a strategy you can follow to balance security and user experience.

Start with the “personas.”

Trying to lump together a 20-year-old, a 40-year-old and someone in their 60s isn’t the brightest idea. We all know the differences in taste and requirements between these groups, yet we don’t see products tailored to each persona.

Let’s look at the pain points of each category.

Nowadays, a 20-year-old, let’s call him Shan, will have trouble remembering his username or password, and he doesn’t want to. He gets agitated if asked again. He is also present on multiple platforms, which makes it even more difficult to remember all the multi-factor authentication he signed up for and the phone number he used for each. Then he might be traveling and using the internet or a device in another country, which leads to even more authentication requirements and frustration.

How about Mona, a 40-year-old working at a medium-sized corporation? She is working hard to balance her personal and professional life and doesn’t have the energy to stick around for complicated signup and sign-in processes. To make things easy, she would give her username and password to her daughter or a colleague to get the job done. For her, time is a considerable asset, and getting things done matters more than doing it the most secure way.

Now let’s hear about Howard’s troubles. He is 65, just retired, and has worked hard to understand online platforms. He uses the internet for filing healthcare claims and connecting with friends and family. He might be using the same generic credentials for all of them. For him, reconfirming his identity and being interrupted is a huge issue. At times he might have trouble remembering his details or logging in; then he needs assistance, so he might call someone and share all his information.

Product developers are killing the user experience with added security layers. Before we jump to that conclusion, let’s look at the “hacker journey.”

The “hacker’s journey”: trying to exploit a user.

Jim (a product developer) decided to make things easy for users and allowed many login attempts. The hacker identifies this loophole and uses large-scale automated requests to guess the right credentials.

Jim also wanted to do away with identity proofing and device recognition. This helped the hacker use social engineering to build a fake account that looked like the exploited user’s one and redirect links to that account. The password-reset option is now in the hacker’s hands.

Now, the hacker can access all the account settings and do whatever they desire.

If it’s a financial account, hackers can redirect payments to another fraudulent account.

This loophole arose because Jim tried to make the user experience fun and easy by removing the re-authentication requirement for such transactions.

Jim also wanted his users to stay logged in, and so he decided that device management would not be of use to his ideal customer. What this meant for hackers is that they could keep using the account until discovered.

How to balance security and customer experience?

Let’s look at some security measures needed for customer life cycle management.

The process covers user registration; user account settings and associated changes; multi-factor authentication and its preferences; deactivation; reactivation; account closure; session management; lock-out policies; and so on. All these measures are necessary and a must, but they can lead to severe issues with user experience.

Let’s look at some strategies that balance experience and security.

Passwords

You can develop a firm password policy; it’s now the de facto expectation for users too, so in this case there is no compromise on user experience.

Let’s look at the case of password reset. Do you give the option to the user, or make it a strict time-based decision?

Here a good strategy is to design rules based on your user persona. For someone who uses the platform daily with no abnormal activity, there is no need for a time-based password reset. And in cases where you detect fraudulent activity, a password reset will be welcomed by all of your users.

Device recognition

For device recognition, the balance is about timing: what’s the best threshold before a device must re-authenticate? You can set it to a few hours, 1 day, or 30 days.

Again, intelligent product design might require you to ease things for customers who are always on the move.

But you can be careful with the high-risk users.

The nature of the application helps you come up with the right mix of policies.

Sessions

Here you are also grappling with the question of timing. Do you push for strict timelines and make people refresh if they need to extend the session? Or do you loosen it so people can interact with the app for a more extended period?

Again, it helps to look at the application type and the persona using it.

Bothering physicians to refresh applications while they are recording their patients’ data and stats is a terrible idea. Even though the information is critical, your users need time.

Multi-factor authentication

Generally, giving users the option to select MFA, and the choice of voice, text, or email, is the best way to proceed.

From a strict security point of view, you can enforce MFA, and a user can only proceed after the identity verification process. Yet, that isn’t an ideal case for all the subsets of your users.

How about you give your users options and suggestions for implementing MFA? Those who find it bothersome can choose not to opt in. And others who are looking for strict security can choose the recommended best option.

Re-authentication

As a product designer, you can be pretty lenient and only require re-authentication when the user updates the billing or payment address. On the other hand, you can make it strict and make users re-authenticate for each transaction.

The best way forward is to use a method of detecting abnormal activity and couple it with re-authentication for sensitive data transactions.
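The device-recognition thresholds and the “abnormal activity plus re-authentication for sensitive transactions” idea can be combined into one step-up decision. The following is an added example, not code from the article: the persona trust windows, the set of sensitive actions, and the rule that frequent travelers are exempt from the country-change signal are all assumptions chosen to illustrate the policy.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

SECONDS_PER_DAY = 86400

# Assumed per-persona device trust windows (days a recognized device stays
# trusted before it must re-authenticate); these are illustrative values,
# not values from the article.
DEVICE_TRUST_WINDOW_DAYS = {"frequent_traveler": 30, "default": 7, "high_risk": 1}

# Actions assumed to be sensitive enough to always warrant a re-authentication.
SENSITIVE_ACTIONS = {"update_billing_address", "change_password", "change_mfa", "payout"}


@dataclass
class Request:
    user: str
    persona: str
    action: str
    device_known_since: Optional[float]  # epoch seconds; None = device never verified
    last_login_country: str
    current_country: str
    now: float


def needs_step_up(req: Request) -> Tuple[bool, str]:
    """Decide whether this request must re-authenticate, and why.

    Checks run from the strongest signal to the weakest so the reason string
    reports the most important trigger.
    """
    # 1. An unrecognized device always re-authenticates (Jim skipped this).
    if req.device_known_since is None:
        return True, "unrecognized device"

    # 2. Recognized devices expire on a persona-specific schedule.
    window = DEVICE_TRUST_WINDOW_DAYS.get(req.persona, DEVICE_TRUST_WINDOW_DAYS["default"])
    if req.now - req.device_known_since > window * SECONDS_PER_DAY:
        return True, f"device trust expired after {window} days"

    # 3. A country change is an abnormal-activity signal, except for personas
    #    that move constantly (assumption: they rely on the device window alone).
    if req.persona != "frequent_traveler" and req.current_country != req.last_login_country:
        return True, "login from a different country than last time"

    # 4. Sensitive transactions re-authenticate even on a trusted device.
    if req.action in SENSITIVE_ACTIONS:
        return True, f"sensitive action: {req.action}"

    return False, "recognized device, no abnormal signals"
```

The ordering matters: a device that fails the trust window is reported as such even if the action is harmless, so the audit trail records why the user was interrupted, which is what you need when tuning thresholds per persona.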

Account Locking

Recall the fraudster’s user journey above, where he uses brute-force login attempts to steal data. A strict security policy will lock out such an attacker. But what happens to someone who keeps forgetting the password or finds it hard to type on a smaller device?

You can use Apple’s lock strategy. Apple lets its users attempt to log in a few times before forcing a soft lock-out for a short duration, and then keeps increasing the lock-out duration after multiple such attempts.
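A progressive soft lock-out of the kind described above, written as an added example rather than Apple’s or the article’s own code. The five-attempt threshold, the 1 → 5 → 15 → 60 minute escalation, the constructed `USERS` store and the injected `now` clock are all assumptions made so the policy can be run and checked offline.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed credential store for the demo only; a real system verifies
# against salted password hashes, never plaintext.
USERS = {"mona": "correct horse battery staple"}

ATTEMPTS_BEFORE_LOCK = 5                    # assumed threshold
LOCK_DURATIONS_SEC = (60, 300, 900, 3600)   # assumed escalation; last value repeats


@dataclass
class AccountState:
    failures: int = 0        # failed attempts in the current round
    lockouts: int = 0        # soft lock-outs so far; drives the escalation
    locked_until: float = 0  # epoch seconds; 0 means not locked


class ProgressiveLockout:
    def __init__(self) -> None:
        self._state: Dict[str, AccountState] = {}

    def _get(self, user: str) -> AccountState:
        return self._state.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._get(user).locked_until

    def attempt(self, user: str, password: str, now: float) -> Tuple[str, int]:
        """Process one login attempt.

        Returns ("locked", seconds_remaining), ("fail", attempts_left) or ("ok", 0).
        """
        st = self._get(user)

        # While locked, do not even check the password: attempts neither
        # unlock the account nor extend the lock, so an attacker cannot keep
        # a legitimate user locked out forever by hammering the endpoint.
        if now < st.locked_until:
            return "locked", int(st.locked_until - now)

        # Unknown users take the same path as wrong passwords so the response
        # shape does not reveal which usernames exist.
        expected = USERS.get(user, "")
        ok = user in USERS and hmac.compare_digest(expected.encode(), password.encode())
        if ok:
            self._state[user] = AccountState()  # success clears counters and escalation
            return "ok", 0

        st.failures += 1
        if st.failures < ATTEMPTS_BEFORE_LOCK:
            return "fail", ATTEMPTS_BEFORE_LOCK - st.failures

        # Threshold reached: soft-lock for an escalating duration, then start a
        # fresh attempt round so the user gets the same small allowance again.
        duration = LOCK_DURATIONS_SEC[min(st.lockouts, len(LOCK_DURATIONS_SEC) - 1)]
        st.lockouts += 1
        st.failures = 0
        st.locked_until = now + duration
        return "locked", duration
```

Returning the remaining attempt count on failure is the user-experience half of the trade-off for someone like Howard. Note that a per-account counter only catches many guesses against one account; it says nothing about a low-and-slow spray of one password across many accounts, which needs a separate, per-source or global rate signal.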

Account Deletion

To prevent a hacker from deleting your account after stealing the info, you, as a product developer, can require strict conditions to be met. The states that might result in account deletion are a verified personal data privacy request or fraud.

On the other side of this continuum, you can let a user quickly and seamlessly delete the account and all the associated info.

We suggest that you ensure strict termination requirements to prevent any malicious attacks.

Account Deactivation

As a product designer, you must balance allowing long dormancy and letting the user seamlessly log in whenever needed against shutting a user out after some time (e.g., 6 weeks).

We suggest having reasonable thresholds based on the user persona.

Another suggestion is to always check that there is no fraudulent activity and that the credentials aren’t compromised.

Summing Up

Balancing user experience against strict security measures is a difficult task.

In the case of services where authentication is easy, customers use 10–20% more of the services, and such users spend 45% more than occasional users. So, as a product designer, you are constantly pushed to ease security measures.

Also, implementing security costs money. The associated digital infrastructure and services account for high costs. Offline support adds to such expenses, too — even password-reset inquiries take up 6% of call-center time.

But more and more, customers need to trust digital services, and their perception of data security is worsening. With Facebook’s changes in its policies around data gathering and consumers’ worries about privacy invasions, cybersecurity and privacy are becoming a huge topic of discussion.

Companies that have successfully balanced user experience with top-notch security measures are enjoying 25–30% more customer satisfaction scores.

So, balance is a must. It would help to keep your customer personas in mind while balancing experience and security.

It would help if you balanced convenience and trust.

— — — — — — — — — — — —

Part of App2Dev.com Publications
