
Usable security

Tagged as: account registration, captcha, login, password strength meter, sign-in

The Design Need:

The website or application needs some kind of security level but you do not want the security to get in the way of your users.

Best Practice Solution:

These design best practices are closely related to the design best practices for password recovery. Designing a web user interface that is both secure and usable is all about “risk management”: balancing the possible losses, the costs caused by a security failure, against the cost of the security itself, including the time and effort expended by the user. Start by defining the level of security needed for your site, application, information, etc. Do not go overboard on security; do not build a “Fort Knox” if you do not need one. Then you can define a suitable policy for your application: “Who can do what to which things?”

Dos and Don’ts

  • Consider the security issues and the level of security your application needs early in the development process, to avoid problems later.
  • Do not expect the user to understand security questions or to distinguish between legitimate and illegitimate pop-ups asking to install or download something. Many users have been warned against “dangerous installs and pop-ups” and do not install anything.
  • Let the user decide whether or not to hide (mask) the password while typing. In high-risk applications such as banking, hiding the password could be the default setting.
  • Allow users to create and use passwords and usernames that they can remember. The more password requirements you have, the more difficult the passwords are to remember. If users cannot remember the password they will write it down, hit the “forgot password” button over and over again, or create multiple accounts.
  • Try to avoid using “challenge questions” (security questions). If you have to use them:
    • Let users choose from a set of common questions.
    • Let users enter their own answers.
    • Do not make answers case-sensitive, since case then becomes a second thing to remember.
  • Offer usable alternatives to a classic (unreadable) captcha, such as a simple question like “1+1=?”, asking users to type the first word of a nonsense sentence, etc. Captchas are meant to keep out machines, not users.
  • If a login error occurs, tell the user where the error is: in the username or in the username-password combination.

Why To Use this Best Practice:

If usability, security and privacy work together, it is possible to create a secure and trustworthy website that people like to use. The user needs to understand the necessity for protection: why security is important for the information, the application, etc. On the other hand, the effort the user has to go through to get access must be reasonable in relation to the perceived risks. If users feel that security gets in the way, they will either abandon the site or service or find a “work-around” for the security measure.

More info elsewhere:

  • “When security gets in the way” in Interactions magazine
  • “Stop password masking” on www.useit.com
  • “8 more Design Mistakes with Account Sign-in” on www.uie.com

• Categorized as Best Practices

© 2012 UserPlus