Let’s talk about designing for better security

As designers, we put heavy emphasis on designing for experiences that bring both value and delight to our end users. We talk about things like ethical decision-making in design, accessibility and inclusion…all very important topics that need to be discussed.

That said, there’s very little discussion around how we can design for better security within the experiences that we help to shape. Typically, those discussions only go so far as to provide the minimum amount of security measures in order to get to market faster and keep costs as low as possible. In addition, it’s common that these discussions are only happening within the circles of engineers with little to no involvement from the design team. This is likely very common as most organizations are optimizing themselves for efficiency, speed and agility.

“Features and speed trump security.”

But what if you’re designing for more complex experiences that, in addition to software, also have a hardware component that needs to talk to the software and vice-versa?

You’re probably hearing more about it in the news these days, stories where physical home security products are being compromised by hackers. There’s this recent incident where a hacker taunts a child in Mississippi and this other one in Florida where the hacker insults a family in their home through their Ring camera. I can almost bet that they’re no longer customers. It’s almost inevitable that we’ll be seeing more stories like these in the years to come as IoT devices become more prominent in our homes and offices.

The incidents above make it clear that strong security measures were not a top priority for the product team at Ring: no notifications informing you that someone else from another IP address has logged into your account, no way to see concurrent sessions, no way to alert a user if they’re using an already compromised password, no cap to how many failed login attempts you can have…you get the idea. These are all approaches that should have been designed into the product early on given the potential negative repercussions.
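To make those measures concrete, here is a minimal Python sketch, added as an illustration and not taken from the original article or from any Ring code, of a login check that emits the signals a designer would then turn into notifications and screens. The cap of 5 attempts, the event names and the tiny breached-password set are assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5  # assumed cap; the article does not name a number

def _digest(algo, text):
    return hashlib.new(algo, text.encode()).hexdigest()

# Constructed stand-in for a breached-password corpus (SHA-1 digests).
BREACHED_SHA1 = {_digest("sha1", p) for p in ("password1", "qwerty123")}

@dataclass
class Account:
    password_sha256: str  # demo only; production stores a slow salted hash
    failed_attempts: int = 0
    known_ips: set = field(default_factory=set)
    sessions: list = field(default_factory=list)  # (session_id, ip) the user can review

def make_account(password):
    return Account(password_sha256=_digest("sha256", password))

def login(account, password, ip):
    """Return (ok, events). Each event is something the UI should surface."""
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return False, ["locked_out"]  # cap on failed login attempts
    supplied = _digest("sha256", password)
    if not hmac.compare_digest(supplied, account.password_sha256):
        account.failed_attempts += 1
        events = ["bad_password"]
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            events.append("locked_out")
        return False, events
    account.failed_attempts = 0
    events = []
    if _digest("sha1", password) in BREACHED_SHA1:
        events.append("password_known_breached")  # prompt a password change
    if account.known_ips and ip not in account.known_ips:
        events.append("notify_new_ip")  # e-mail or push to the account owner
    account.known_ips.add(ip)
    account.sessions.append((len(account.sessions) + 1, ip))
    if len(account.sessions) > 1:
        events.append("concurrent_sessions")  # show the active-sessions list
    return True, events
```

Each event name maps to a touch point in the experience: a lockout screen, a "new sign-in" notification, a forced password change, or an active-sessions view with a sign-out control.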

The approaches above are all available technologies and common security measures that you already see in other apps. As designers, this is why it’s important that we understand both the capabilities and constraints of the technological landscape that we’re working within in order to leverage them into the solutions we create. It’s also important that we think more broadly when designing for entire, end-to-end experiences and understand the context and scenarios at the various stages of the customer’s experience.

In addition to the many areas that we focus on, providing (both real and a sense of) security should be near the top of the list for every designer. This is only more true for those who work on software that talks to hardware.

Here are some steps that designers can take to be more proactive when it comes to designing for better security measures that can affect the user’s experience:

Intentional Friction

Set aside time in your process to map out the touch points that can potentially backfire from a security and privacy standpoint. Where do higher security measures make sense in the experience (e.g. sign up, login, verification, onboarding, password retrieval, etc.)?

As designers, we typically aim to remove any friction when it comes to things like sign-up, login or onboarding in order to “get them in faster”, but at times it may make more sense to have a bit of friction so as to avoid negative long-term ramifications. Adding friction is okay if you can explain why it’s necessary with clear copy and guidance.

Don’t assume that all users are proactive when it comes to security

The title says it all. We can’t assume that all users will constantly monitor and keep their applications up to date at all times. How might we create strategies to better guide or incentivize them to take the appropriate measures (two-factor authentication, etc.) to secure their ecosystem of products through the experiences that we design?

Prioritize security features early on in the process

Chances are that most people on your team hold privacy and security in high regard. As designers, come to the table with approaches on how your team can empower the end user to take the necessary steps to be more secure and not get themselves into a privacy pickle. I’m sure your developers will appreciate this discussion.

All in all, privacy and security will only become more relevant in the coming years. Product teams should anticipate this and begin to think about specific security-related features that help to secure and protect their customers. This may vary depending on the offering, but anything that deals with money transactions, home security, stored credentials… almost everything on the internet will need some form of a security strategy from an experience standpoint. Bad PR and a poor user experience are the last things a company needs in today’s business landscape.