UX, short for “User eXperience,” is one of the great keys to productivity in the computing age. Why? Because the “experience” that users have while going about their daily tasks includes things like:
How confusing—and thus mistake-prone—a task is
Whether the task includes or requires unnecessary steps that add delays and costs
The degree to which the unpleasantness of a task causes users to avoid doing it, or to intentionally do it incorrectly
Whether the steps involved in completing the task interfere or are in tension with other important tasks
The more conducive the experience is to a particular task, the more likely it is to be done quickly, efficiently, and correctly.
The less conducive the experience is to a particular task, the less likely it is to be done quickly, efficiently, or correctly, if it is done at all. Here are some very simple but illustrative examples of bad UX:
A mouse that’s so heavy or so hard to click that it creates soreness
An important on-screen button that’s too small to easily click
Requiring a sequence of many clicks to save a document, rather than just one
An office desk made of flimsy cardboard
A desk sitting directly under a very cold air conditioning vent
Dim, flickering office lighting that causes headaches
These kinds of things don’t make work or tasks impossible as such—but they do significantly harm productivity, and are likely to cause users to feel avoidance or try to find work-arounds.
That’s why these days, everyone spends time on UX questions—engineers, designers, marketers, sales teams, public-facing staff, it makes no difference. If work is to be done and done well, UX considerations are front and center.
The Cybersecurity UX Problem
With data theft and security breaches increasing exponentially, security and security tasks are more important than ever.
Yet cybersecurity, and authentication workflows in particular, has some of the worst UX around. Consider the common case of a user who is in the middle of a task and, as part of their workflow, needs to authenticate (to log in) to one system or another.
Depending on the tools and systems in question, in mid-task they may be faced with:
Passwords. Users are asked to remember these and never write them down—yet they’re also required to use letters, numbers, and symbols in long, complex, often meaningless combinations and to change them (and thus memorize them all over again) every few weeks.
Phone-based MFA. Users are asked to fish out their phones. And authenticate there first. And then, tap a bunch of buttons. And then, often, manually re-type something from the phone screen into the computer screen to authenticate a second time. And then put the phone away again.
Token-based MFA. Users are asked to carry and then fish out an extra device they wouldn’t normally carry, one that’s easy to lose and easy to break. Then, they either have to find a USB port, insert it, and click an extra button, or they have to refer to a difficult-to-read screen and manually re-type something from it into their computer screen. And then put the device away again.
Biometric MFA. Users are asked to fish out a phone or an input device that they know will intimately measure their bodies. Then, they have to adopt particular positions or make particular physical gestures—and do it again (and even again) until the device or system gives them the all-clear, which means “I’ve measured you intimately!”
Failures. All of these have failure modes. Repeatedly being told that a password is incorrect after typing. Losing a phone. Losing a token. Being unable to get a fingerprint or face scan to register. Simply having authentication denied and not understanding why. Being forced to call support.
If users are in the middle of an everyday task, steps like these aren’t just irritating: they add delays, interrupt thought processes, and may even derail afternoons, both for the users in question and for their support teams.
And if users have to do them over and over again in repeated tasks, as is often the case, sooner or later they’re going to try to find ways to work around them, which is bad for security.
The Cybersecurity UX Solution
Fixing these problems may sound complex, but in 2019 it doesn’t have to be. Let’s deal with passwords first.
Don’t automatically expire passwords on a schedule; that removes the need to memorize a new one every few weeks
Don’t require complex combinations of special characters that are easy to mistype, difficult to recall, and lead to write-downs
Instead, ask for long but easily-memorable, easily-typed passphrases of unrelated words, like “FrillyPineappleHammerGoesToBelgium”
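To make the passphrase recommendation concrete, here is an added example (not from the original post) that generates a random passphrase of unrelated words with a CSPRNG, checks a candidate against a length-based policy with no character-class rules, and compares the entropy of word-based passphrases with that of a short "complex" password. The sample wordlist and the blocklist are constructed for the example; a real deployment would use a published wordlist (the EFF large wordlist has 7776 entries) and a breach-corpus check in place of the hand-made blocklist.

```python
import math
import secrets

# Constructed sample wordlist for this example only. A real deployment would
# draw from a published list such as the EFF large wordlist (7776 entries).
SAMPLE_WORDS = [
    "frilly", "pineapple", "hammer", "belgium", "canyon", "velvet",
    "lantern", "orbit", "pepper", "saddle", "tundra", "whisker",
    "marble", "gecko", "harbor", "quilt",
]
EFF_LARGE_WORDLIST_SIZE = 7776  # 6^5 entries, one word per five dice rolls

# Constructed blocklist standing in for a breach-corpus check. Real policies
# compare candidates against known-compromised passwords, not a small list.
BLOCKLIST = {"password", "p@ssw0rd!", "letmein", "correcthorsebatterystaple"}


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from an alphabet."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words, count: int = 4, separator: str = "") -> str:
    """Pick `count` words uniformly at random with a CSPRNG and join them."""
    chosen = [secrets.choice(words).capitalize() for _ in range(count)]
    return separator.join(chosen)


def passphrase_policy_ok(candidate: str, min_length: int = 16,
                         max_length: int = 128) -> bool:
    """Length-based policy: no forced character classes, no scheduled expiry.

    Rejects only candidates that are too short, too long, or on the blocklist
    (spaces are ignored so 'correct horse battery staple' still matches).
    """
    if not (min_length <= len(candidate) <= max_length):
        return False
    if candidate.lower().replace(" ", "") in BLOCKLIST:
        return False
    return True


def compare_policies() -> dict:
    """Entropy of typical policies, in bits, assuming uniform random choice.

    94 is the number of printable ASCII characters excluding space, so the
    'complex' 8-character password is the best case for that policy.
    """
    return {
        "complex_password_8_chars": round(entropy_bits(94, 8), 1),
        "passphrase_4_words": round(entropy_bits(EFF_LARGE_WORDLIST_SIZE, 4), 1),
        "passphrase_5_words": round(entropy_bits(EFF_LARGE_WORDLIST_SIZE, 5), 1),
    }


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    print(compare_policies())
```

Note that the comparison assumes a truly random choice in both cases; a human-chosen "complex" password is usually far weaker than the 52 bits shown, while a machine-chosen four- or five-word passphrase is both stronger and easier to type.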
Now let’s move on to MFA. Much of the UX difficulty and friction in MFA (not to mention the cost and complexity) comes from the use of additional devices, which require that the user carry and maintain authentication assets, and that they leave their workflows to fumble with something separate from their computer or laptop.
This doesn’t have to be the case in 2019.
As your users work, an incredible amount of fingerprint-unique pattern data can be assembled just by observing:
Micro-patterns in their keyboard, mouse, and touchscreen movements
Patterns in their location and common surrounding environments
Patterns in their network location and activity
Other ambient sensor data as available and appropriate
The ambient computing power and hardware in today’s workplaces make the collection of this kind of behavior, environment, and context data trivial to accomplish.
When machine learning is used to identify patterns in this data, users can be authenticated by these additional factors, with no dedicated devices or extra steps, while they do their regular work or type in their passwords.
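The post describes the idea of adaptive, ambient-data MFA without showing how a decision is reached, so here is an added example (not from the original post or any particular product) of a simplified risk-scoring step: it compares one session's context against a user's learned baseline (known devices, known networks, typical working hours, and inter-keystroke timing) and decides whether to allow silently, ask for a step-up factor, or deny. The profile, session data, signal weights, and thresholds are all constructed for the example; a real system would learn the baseline from many sessions and use richer features than a mean typing interval.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev


@dataclass
class UserProfile:
    """Behaviour and context baseline learned from a user's normal sessions."""
    known_devices: set
    known_networks: set            # CIDR strings of networks seen before
    typical_hours: range           # local hours the user normally works
    keystroke_intervals_ms: list   # baseline inter-keystroke timings


@dataclass
class SessionContext:
    """Signals observed for one login or in-session re-check."""
    device_id: str
    source_ip: str
    hour: int
    keystroke_intervals_ms: list


def keystroke_deviation(baseline, observed) -> float:
    """Distance of the observed typing rhythm from baseline, in std devs."""
    sd = pstdev(baseline) or 1.0
    return abs(mean(observed) - mean(baseline)) / sd


def score_session(profile: UserProfile, session: SessionContext) -> dict:
    """Additive risk score (weights are constructed) mapped to a decision."""
    score, reasons = 0, []
    if session.device_id not in profile.known_devices:
        score += 40
        reasons.append("unknown device")
    addr = ip_address(session.source_ip)
    if not any(addr in ip_network(net) for net in profile.known_networks):
        score += 30
        reasons.append("unknown network")
    if session.hour not in profile.typical_hours:
        score += 10
        reasons.append("outside typical hours")
    if keystroke_deviation(profile.keystroke_intervals_ms,
                           session.keystroke_intervals_ms) > 2.0:
        score += 30
        reasons.append("typing rhythm deviates from baseline")
    # Low risk passes invisibly; medium risk asks for one extra factor;
    # high risk is denied and handed to support.
    if score < 30:
        decision = "allow"
    elif score < 70:
        decision = "step_up"
    else:
        decision = "deny"
    return {"score": score, "decision": decision, "reasons": reasons}


# Constructed baseline and sessions for one hypothetical user.
PROFILE = UserProfile(
    known_devices={"laptop-4f2a"},
    known_networks={"10.20.0.0/16"},
    typical_hours=range(8, 19),
    keystroke_intervals_ms=[120, 130, 125, 135, 128, 122, 131, 127],
)
NORMAL_SESSION = SessionContext("laptop-4f2a", "10.20.5.7", 10,
                                [126, 129, 124, 132])
ROAMING_SESSION = SessionContext("laptop-4f2a", "203.0.113.9", 10,
                                 [126, 129, 124, 132])
ANOMALOUS_SESSION = SessionContext("unknown-device", "203.0.113.9", 3,
                                   [60, 65, 58, 62])


def demo() -> dict:
    """Decisions for the three constructed sessions."""
    return {name: score_session(PROFILE, s)["decision"] for name, s in [
        ("normal", NORMAL_SESSION),
        ("roaming", ROAMING_SESSION),
        ("anomalous", ANOMALOUS_SESSION),
    ]}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The design point is the one the post makes about transparency: the normal session never sees a prompt, the roaming session gets a single step-up factor rather than being blocked, and only the session that fails on several independent signals is denied. The `reasons` list is what a support team would want logged when a user calls to ask why they were challenged.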
Combine these two strategies—better, easier-to-remember and easier-to-type passwords along with adaptive, ambient-data MFA—and what you get are multi-factor authentication workflows that are:
Fingerprint strong and highly accurate
Less susceptible to theft and social engineering capture
Easy, rather than time-consuming and infuriating for users to complete
Free of additional encumbrances like dedicated hardware
Transparent or nearly transparent unless an authentication failure has occurred
But Does It Exist? (Yes.)
A long history of research and development toward these technologies, combined with increasing computing power and ambient user data, has culminated over the last few years in a new group of cutting-edge authentication technologies.
Bad UX in authentication has only become worse in recent years as threats have increased. Both users and staff are beginning to revolt, while at the same time this added complexity and the UX compromises that it creates are too often resulting in less security, rather than more, due to failures and workarounds.
Regardless of the particular solution that your company chooses, the path ahead in cybersecurity is clear.
The days of disregard for authentication and security UX are over, and the era of strong, invisible MFA that relies on behavior, environment, and context to verify identities is here.