Bad Authentication UX is Becoming Obsolete

UX, short for “User eXperience,” is one of the great keys to productivity in the computing age. Why? Because the “experience” that users have while going about their daily tasks includes things like:

• How confusing—and thus mistake-prone—a task is

• Whether the task includes or requires unnecessary steps that add delays and costs

• The degree to which the unpleasantness of a task causes users to avoid doing it, or to intentionally do it incorrectly

• Whether the steps involved in completing the task interfere or are in tension with other important tasks

The more conducive the experience is to a particular task, the more likely it is to be done quickly, efficiently, and correctly.

The less conducive the experience is to a particular task, the less likely it is to be done quickly, efficiently, or correctly—if it is done at all. Here are some very simple, but illustrative examples of bad UX:

• A mouse that’s so heavy or so hard to click that it creates soreness

• An important on-screen button that’s too small to easily click

• Requiring a sequence of many clicks to save a document, rather than just one

• An office desk made of flimsy cardboard

• A desk sitting directly under a very cold air conditioning vent

• Dim, flickering office lighting that causes headaches

These kinds of things don’t make work or tasks impossible as such—but they do significantly harm productivity, and are likely to cause users to feel avoidance or try to find work-arounds.

That’s why these days, everyone spends time on UX questions—engineers, designers, marketers, sales teams, public-facing staff, it makes no difference. If work is to be done and done well, UX considerations are front and center.

The Cybersecurity UX Problem

With data theft and security breaches increasing exponentially, security and security tasks are more important than ever.

Yet cybersecurity—an in particular, authentication workflows—have some of the worst UX around. Consider the common case of a user that’s in the middle of a task, and as a part of their workflow, they need to authenticate—to log in—to one system or another.

Depending on the tools and systems in question, in mid-task they may be faced with:

• Passwords. Users are asked to remember these and never write them down—yet they’re also required to use letters, numbers, and symbols in long, complex, often meaningless combinations and to change them (and thus memorize them all over again) every few weeks.

• Phone-based MFA. Users are asked to fish out their phones. And authenticate there first. And then, tap a bunch of buttons. And then, often, manually re-type something from the phone screen into the computer screen to authenticate a second time. And then put the phone away again.

• Token-based MFA. Users are asked to carry and then fish out an extra device they wouldn’t normally carry—one that’s easy to lose and easy to break. They, they either have to find a USB port, insert it, and click an extra button, or they have to refer to a difficult-to-read screen and manually re-type something from it into their computer screen. And then put the device away again.

• Biometric MFA. Users are asked to fish out a phone or an input device that they know will intimately measure their bodies. Then, they have to adopt particular positions or make particular physical gestures—and do it again (and even again) until the device or system gives them the all-clear, which means “I’ve measured you intimately!”

• Failures. All of these have failure modes. Repeatedly being told that a password is incorrect after typing. Losing a phone. Losing a token. Being unable to get a fingerprint or face scan to register. Simply having authentication denied and not understanding why. Being forced to call support.

If users are the middle of an everyday task, steps like these aren’t just irritating—they add delays, interrupt thought processes, and may even derail afternoons, both for the users in question and for their support teams.

And if users have to do them over and over again in repeated tasks, as is often the case, sooner or later they’re going to try to find ways to work around them, which is bad for security.

The Cybersecurity UX Solution

Fixing these problems may sound complex, but in 2019 it doesn’t have to be. Let’s deal with passwords first.

As we outlined in our 2019 Authentication Guide,  we recommend some simple principles for passwords to reduce UX problems and enhance security at the same time:

• Don’t automatically expire passwords to eliminate memorization requirements

• Don’t require complex combinations of special characters that are easy to mistype, difficult to recall, and lead to write-downs

• Instead, ask for long but easily-memorable, easily-typed passphrases of unrelated words, like “FrillyPineappleHammerGoesToBelgium”

Now let’s move on to MFA. Much of the UX difficulty and friction in MFA (not to mention the cost and complexity) comes from the use of additional devices, which require that the user carry and maintain authentication assets, and that they leave their workflows to fumble with something separate from their computer or laptop.

This doesn’t have to be the case in 2019.

As your users work, an incredible amount of fingerprint-unique pattern data can be assembled just by observing:

• Micro-patterns in their keyboard and mouse movements

• Patterns in their location and common surrounding environments

• Patterns in their network location and activity

• Other ambient sensor data as available and appropriate

The ambient computing power and hardware in today’s workplaces makes the collection of this kind of behavior, environment, and context data trivial to accomplish.

When combined with machine learning to identify patterns in this data, users can be authenticated using these additional factors without the need for dedicated devices and steps, as they do their regular work or type in their passwords.

Combine these two strategies—better, easier-to-remember and easier-to-type passwords along with adaptive, ambient-data MFA—and what you get are multi-factor authentication workflows that are:

• Fingerprint strong and highly accurate

• Less susceptible to theft and social engineering capture

• Easy, rather than time-consuming and infuriating for users to complete

• Free of additional encumbrances like dedicated hardware

• Transparent or nearly transparent unless an authentication failure has occurred

But Does It Exist? (Yes.)

A long history of research and development  toward these technologies, combined with increasing computing power and ambient user data, has culminated over the last few years in a new group of cutting-edge authentication technologies.

These can be deployed quickly and affordably today. Plurilock™ and our products  are leaders in the field. Good, thing, too.

Bad UX in authentication has only become worse in recent years as threats have increased. Both users and staff are beginning to revolt, while at the same time this added complexity and the UX compromises that it creates are too often resulting in less security, rather than more, due to failures and workarounds.

Regardless of the particular solution that your company chooses, the path ahead in cybersecurity is clear.

The days of disregard for authentication and security UX are over, and the era of strong, invisible MFA that relies on behavior, environment, and context to verify identities is here. ■