Secure digital products don’t need to suffer from poor user experiences

Anthro-Tech regularly takes on projects with large, complex organizations that not only serve millions of users, but also house important, private information for those users. That means we’re frequently tasked with incorporating strict security measures seamlessly into the user experience of these systems.

A-T user-centered design consultant Camy Naasz regularly tackles this issue with our clients. Below, she highlights the considerations in creating a secure experience that doesn’t impede the user.

Q. Can you break down some of the issues with creating a security measure that also is user friendly? What is the “security challenge”?

When we design ways to keep online information secure, we must recognize that getting through our security is never our user’s primary task. We want their data to remain secure, so we must make the process as quick and easy as possible. If it’s too difficult for someone who is supposed to have access, they will create workarounds that make it easier, like writing down a password and putting it under their keyboard or allowing their browser to remember and store it for them. This ends up undermining the security measures, making the product more susceptible to breaches. The challenge is to balance technical security requirements with usability requirements to help authorized users enter and to keep unauthorized entities out.

Q. What is multifactor authentication (MFA)?

Whether someone is granted access to specific data is determined in the access control process, which is based upon three steps:

1. Identification (“I’m Jane”)
2. Authentication (“It’s true, you are Jane”)
3. Authorization (“I see you are Jane, and you are allowed access to this information.”)

Most online authentication is accomplished using a single authentication factor; a username and password. To gain access to data protected this way, you must simply know the username and password. But as we have seen, even if you don’t share your username and password, they are ways people can steal them from you. Multifactor authentication introduces another layer of security that isn’t something you know, but rather something you have in your possession, making it much more difficult to steal.

Q. What are the available types of authentication factors?

There are four types of authentication factors.

• Knowledge: Knowledge-based authentication (KBA) requires users to provide information to log in (username, password, PIN, or answers to secret questions).
• Possession: Requires users to prove they have something in their possession that the system knows is theirs (a device [phone, PC], a hard token [USB or stand-alone], an ID card, etc.)
• Inherence: Using biometrics, the system can prove you are who you say you are (retina or iris scan, fingerprint scan, voice recognition, facial recognition, etc.)
• Context: Also known as Adaptive Authentication, the user’s context of use (i.e., time, location, device, browser) is checked against a stored profile. If it matches, the user does not have to do anything. If not, they must authenticate their second factor using another type.

To be considered multifactor authentication, the security solution must combine factors from two or more types. For example, requesting a password and sending a code to the user’s email address would not qualify as multiple factors because they are both accessed using something you know. Remember: The challenge is to make it hard for someone else to pretend to be you while also making it easy for you to prove it is you.

Q. What are the methods and best practices for making MFA a good user experience?

• Recognize that extra authentication disrupts users’ tasks and ensure they understand why the security is necessary.
• Provide multiple options for completing the second factor so that users are more likely to find the one that works for them.
• Provide back-up methods, like phone numbers or codes, to support users who lost access to their primary method, (i.e., are away from their phone or lost their token).
• Provide clear next steps for users and staff when authentication fails so that authorized users can correct their mistake and get back to doing their task.
• Help prevent unauthorized access by proactively notifying users of access attempts and failures.
• Ensure each step in the authentication process meets accessibility requirements.

Q. Which companies are doing MFA and what are the trends?

Many companies are now offering multifactor authentication security on the data they provide online. Government organizations, financial institutions, healthcare companies, online storage companies, and social media have largely adopted multifactor authentication to keep their data more secure. Typically, companies use username and password as the first factor (knowledge) and offer an optional second factor (to their customers who choose to enroll), where they send a code via text message to your mobile phone (possession). Some companies are exploring ways to eliminate the security code from the process because of its usability and security issues. Requiring users to copy the code introduces opportunities for mistakes, and there is a security hole created when the code is sent via cell service where it can be intercepted.

As technology evolves, so too will our methods of keeping data secure. Case in point: We’re seeing more companies trend toward biometric measures. Mobile phone and computer manufacturers are increasingly incorporating fingerprint and now even cutting-edge face-scanning technologies that provide a more secure environment while maintaining a relatively simple and streamlined user experience.