The 1992 film “Sneakers,” with its bonkers collection of actors (Sidney Poitier, Robert Redford, River Phoenix, Ben Kingsley, Dan Aykroyd), managed to make a thriller out of Internet security. Post-Soviet hackers, digital espionage, rogue cryptography—it’s all there. One worthwhile line from Cosmo (Kingsley’s character) beckons in a new age of data-as-power:
“The world isn’t run by weapons anymore, or energy, or money… It’s run by little ones and zeroes, little bits of data.”
Later on, the cost of that data (securing or stealing or destroying it) drives otherwise sensible characters to corruption—even cold-blooded murder. “Sneakers” will be remembered as a cautionary tale for the Internet age and a pretty decent flick!
More recently, but with no less urgency (okay, just a smidge), a report from The New York Times “Bits Blog” reminds us of what hangs in the balance with Internet security (“Reinventing the Internet to Make it Safer”). The infrastructure of the early Kahn and Cerf-designed Internet—an infrastructure that has remained virtually the same since—is the reason for an inherently insecure online environment, says MIT professor and A.I. researcher Howard Shrobe. Everything was designed to share in an uninhibited way, so keeping bad guys out has been a matter of ultra-complex alchemy on the part of programmers and designers. Shrobe is trying to understand what we can do to become truly secure online:
“Everything was built with performance, not security, in mind,” Dr. Shrobe said. “We left it to programmers to incorporate security into every line of code they wrote. One little mistake is all it takes for the bad guy to get in.”
Our security woes, Shrobe says, lie in the framework, and even the interface, of our Internet. So, the pioneer has worked for decades to forge a ground-up Internet redesign, security above all else. A self-aware and exponentially more safe Web would be pretty rad.
But until then, let’s dive into a light history of Web security so we can understand its evolution and future-proof ourselves, and most importantly, share some solutions and insights to help you implement common, secure design elements that are user-friendly, proving that security and good UX don’t have to be at odds with one another.
- A light historical overview of Internet and Web security’s evolution
- Workarounds, CAPTCHA alternatives, location service ideas
- How to better communicate expectations to users regarding security
- How DT interprets security via UX design
Dealing With What We Have (as best we can)
Until Shrobe’s safe, new Web arrives, programmers, developers and designers have to make do with an inherently unsafe Internet. With stories of user hacks like that of “Wired” writer Mat Honan, of massive company hacks, and of government hacks on the scale of tens of millions appearing so frequently in newsfeeds, ensuring security in our Web may feel like a losing battle. It may also feel like security needs to come at a cost to good design. Yet importantly, in addition to being unsafe, our Web is infinitely changeable, and with creativity and collaboration, there are no bounds to what UX can do for security and great design.
What security advocates like Shrobe call for is a design revolution, a revolution for understanding—and rethinking—the user experience of the web in terms of security.
Shrobe is just one example of thousands that are putting security first in a climate of dramatic hacks, but the task of UX designers remains to make online security as effortless and well-designed as can be to create a better, more secure Web.
Standing at Odds?
One question that often bubbles up: “Should UX focus more on security?” or even, “Should UX be less about aesthetic and more about safety?” In actuality, these are probably not the right questions to ask. Security always has to be considered when thinking about online experiences, and imagining UX and security as being at odds, where one is always at the cost of the other, ignores the fact that a good experience is predicated on security. As one of our UX designers here at DT put it, “Losing my data or privacy would be a pretty serious point of friction.”
Instead, upholding design principles when crafting security experiences is key. A UXMag.com article reminds us that we have to “think about security and design as complementary halves of a unified whole,” and to that end, keep design principles in mind, always. The ethic of simplicity (and lack of extraneous information) is upheld in several browser features of Chrome, such as its secure browsing warning:
Another example is location services. A big issue in location-based apps, such as Yelp and Google Maps, is obtaining the user’s location—data that for security or privacy or battery-saving reasons is not always disclosed. How many times have you read the somewhat rude “Unable to find your location?” In more graceful and helpful fashion, Google Maps follows through with an “Enable Location Services” suggestion that can solve the location problem.
“Is My Money Safe?” “Are They Selling My Contacts?”
A key issue in design—especially when designing for security on the Web—is communicating expectations. For any user, simply knowing what to expect, and what is expected of you, sets up a great experience. Twitter’s password creation screen is simple and its expectations clear (though any six characters is hardly secure). In addition, its password strength meter helps users compare good, better and best passwords:
Back to Chrome, whose clear browser settings page lays out the options and offers more information about consequences for lax privacy settings:
Is the password you created only “okay” instead of “very secure”? A helpful (not rude) reminder to improve your password with different characters is much appreciated. That said, adds one of our designers, strictly limiting the possible combination of password characters only makes hacking them easier! This is a simple visual assessment of the password one has created, but by giving the user this feedback, it’s empowering the user to create stronger passwords that are harder to crack—which actually helps to increase online security overall. This is a key example of how a little bit of UX can have a far-reaching impact on online security.
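As an added illustration of the feedback loop described above (not code from Twitter, Chrome or DT), here is a minimal strength meter in JavaScript. The character-pool sizes, bit thresholds and labels are assumptions, and the estimate is only an upper bound because real passwords are far from random; `policyCeiling` shows why restricting the allowed characters shrinks the space an attacker has to search.

```javascript
// Added example: naive character-pool estimate behind a password meter.
// Pool sizes assume printable ASCII; thresholds and labels are illustrative.
const POOLS = [
  { name: "lowercase letters", re: /[a-z]/, size: 26 },
  { name: "uppercase letters", re: /[A-Z]/, size: 26 },
  { name: "digits", re: /[0-9]/, size: 10 },
  { name: "symbols", re: /[^A-Za-z0-9]/, size: 33 },
];

// Ceiling on guessing effort in bits: length * log2(size of pools used).
function estimateBits(password) {
  const poolSize = POOLS.filter((p) => p.re.test(password))
    .reduce((n, p) => n + p.size, 0);
  return poolSize === 0 ? 0 : password.length * Math.log2(poolSize);
}

// Returns a label plus helpful (not rude) hints the UI can show inline.
function meter(password) {
  const bits = estimateBits(password);
  const label =
    bits < 40 ? "weak" : bits < 60 ? "okay" : bits < 80 ? "good" : "very secure";
  const missing = POOLS.filter((p) => !p.re.test(password)).map((p) => p.name);
  const hints = [];
  if (password.length < 12) hints.push("Make it longer (12+ characters).");
  if (missing.length) hints.push("Try adding " + missing.join(", ") + ".");
  return { bits: Math.round(bits), label, hints };
}

// Best case a site policy permits: same length, different allowed pools.
function policyCeiling(length, allowedPoolNames) {
  const size = POOLS.filter((p) => allowedPoolNames.includes(p.name))
    .reduce((n, p) => n + p.size, 0);
  return Math.round(length * Math.log2(size));
}

// Constructed sample inputs.
console.log(meter("abcdef"));        // six lowercase characters
console.log(meter("Tr0ub4dor&3x!")); // long, all four pools
console.log(policyCeiling(8, ["lowercase letters", "digits"]));
console.log(policyCeiling(8, POOLS.map((p) => p.name)));
```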
Creativity & Security
Security, just like any constraint, can also be beneficial to creativity. This means that designing within the given security necessities and limitations, you can stumble upon previously unknown reserves of creativity.
“Visualizing security is a constraint, yes, but so is visualizing any concept. Just because designing for ‘security’ means your designs will most likely be less loosey-goosey doesn’t mean they’re more difficult,” explains DT Creative Director, Dan Trenkner. “The difference between design and art is that design has to cater to rules, and so you’re always going to have some kind of constraint.”
Too true! Below, enjoy the creativity found in searching for alternatives to the (arguably) utmost security annoyance, CAPTCHAs:
Sweet Captcha bravely turns text CAPTCHA into a more interesting (alright, a little cutesy) game.
Turns out spam bots aren’t so great at math. Simple questions like this can help curb spam while keeping UX satisfaction on the up-and-up.
Another example of creatively rethinking authentication, Switzerland’s incredible Sound-Proof research uses device capabilities of speaker, mic, and receiver to more securely connect users to their accounts. Basically, the devices authenticate the user’s identity by noting the proximity of the user’s phone to the device the user is attempting to log in to. It uses ambient noise to detect this and authenticate. So Jetsons’-esque…
DT Soundbites on Designing for Security:
At the end of the day, UX finds ways for human users to take more (and better) safety measures in communicating expectations, helping make better passwords, and turning the steps toward security into something enjoyable (or at least a little less cumbersome). UX is an indispensable feature of online security.
Plus, as we all know, UX helps remove friction, which means users are more likely to adhere to the security measures you’re putting in place for their safety. And this keeps them safer overall—a win-win. It’s like putting Ninja Turtles stickers on your kid’s bike helmet. By making the act of safety more fun, they’re more likely to wear it.
The UX versus security debate is often contentious, so I decided to take a quick poll of our design team to get their thoughts—here are some of their opinions:
1. “Security isn’t separate from design, it’s just another factor to think about during ideation. Any place that security is warranted, the end-user is normally happy that those measures are being taken.”
2. “Users should be reminded of any security that’s in place. These are sometimes SSL badges— ‘this site uses 128 bit encryption,’ etc.—but are users really seeing this, do they find confidence in these notices? Perhaps there is room to make these notifications more intuitive and meaningful…”
3. “It’s possible that in some financial situations it’s OK to make UX concessions, as long as expectations are being set appropriately.”
4. “I’m curious how security will evolve in the ‘no-interface’ future. Will Siri ever ask me the name of my first pet?”
Hopefully, the day will come when devices and accounts are intuitive and can easily ward off menacing intruders. Until then, designers, developers and marketers are connecting users to better working and more intuitive security features.
And this just hammers home the fact that effective online security elements and good UX don’t have to fight like cats-and-dogs. Peace and even collaboration between the two camps is achievable, and of course, desirable.
What else can UX do to make a more secure Web? Tell us about it in the Comments Section, let’s have a conversation. Need help designing secure elements for your users? Contact us today and we can help you lift-off, securely.