According to McKinsey, cyber crime is costing the global economy around USD 445 billion.
The threats have shifted from targeting companies directly to targeting individual accounts and information. The end-user at home is now becoming the conduit for attacks on companies.
We are all familiar with SIM-port (SIM-swap) attacks. Considering that Jack Dorsey (CEO of Twitter and Square) lost his accounts, we should be fairly scared. Very smart individuals have lost money and data through fraudulent attacks. Be aware that most of those attacks weren’t sophisticated technical hacks, but simpler mind tricks: social engineering.
Users are becoming more aware of the data that they are sharing and want to share. This hesitation is leading to users leaving products where they feel that their data might not be secure.
So, for all product developers, security, and building products that convey to users that their presence is secure while still providing an optimal user experience, are of paramount importance.
Let’s try to find a strategy that you can follow to balance security and user experience.
Start with the “personas”
Trying to lump together a 20-year-old, a 40-year-old, and someone in their 60s isn’t the smartest idea. We are all aware of the differences in taste and requirements between these groups, yet we don’t see products tailored to each persona.
Let’s look at the pain points of each category.
Nowadays, a 20-year-old, let’s call him Shan, will have trouble remembering his username or password. Shan doesn’t want to remember them either, and he gets agitated if asked again. He is also present on multiple platforms, which makes it even more difficult for him to remember all the multi-factor authentications he signed up for and the phone number he used for each. Then he might be traveling, and using the internet or a device in another country might trigger further authentication requirements, which in turn leads to more frustration.
How about Mona, a 40-year-old working at a medium-sized corporation? She is working hard to maintain a balance between her personal and professional life. She doesn’t have the energy to stick around for complicated signup and sign-in processes. Just to make things easy for herself, she would give her username and password to her daughter or a colleague to get a job done. For her, time is a huge asset, and getting things done matters more than the most secure way of doing so.
Now let’s hear about Howard’s troubles. He is 65, just retired, and has worked hard to understand online platforms. He uses the internet for filing healthcare claims and connecting with friends and family. He might be using the same generic credentials on all the platforms. For him, reconfirming his identity and being interrupted is a huge issue. At times, he might have trouble remembering his credentials or logging in. Then he might need assistance, so he would call and share all his info.
It seems like product developers are killing the user experience with added security layers. Before we jump to that conclusion, let’s look at the “hacker journey”.
“Hacker’s journey” trying to exploit a user
Jim (a product developer) decided to make things easy for users and allowed a high number of log-in attempts. The hacker figures out this loophole and uses large-scale automated requests to guess the right credentials.
Jim also wanted to do away with identity-proofing and device recognition. This helped the hacker use social engineering to build a fake account that looked like the exploited user’s one and redirect links to that account. The password-reset option now lands with the hacker.
Now, the hacker has access to all the account settings and can do whatever he/she desires.
If it’s a financial account, hackers can redirect the payments to another fraudulent account.
This loophole happened because Jim was trying to make the user experience fun and easy by taking away the re-authentication requirements for such transactions.
Also, Jim wanted his users to stay logged in, and he figured that device management might not be of use to his ideal customer. But what this meant for the hacker is that he can continue to use the account until discovered.
How to balance security and customer experience?
Let’s look at some of the security measures needed for customer life cycle management.
The process starts with user registration; then come user account settings and their associated changes; multi-factor authentication and its preferences; deactivation; reactivation; account closure; session management; lock-out policies, and so on. All of these measures are necessary, but they can lead to severe issues with user experience.
Let’s look at some of the strategies that balance both the experience and security.
Passwords
You have the option of setting a strong password policy, and users now expect one as a matter of course. So, in this case, there is no compromise in terms of user experience.
Let’s look at the case of password reset. With this use case, do you give the option to the user or make it a strict time-based decision?
Here a good strategy is to design rules based upon your user persona. For someone who uses the platform daily and shows no abnormal activity, there is no need for a time-based password reset. And in the case where you detect fraudulent activity, a forced password reset will be welcomed by all of your users.
Device recognition
For device recognition, the balance is between time and the best threshold at which to re-authenticate a device. You can set it to 1 day, to 30 days, or to a few hours.
Again, smart product design might require you to go easier on customers who are always on the move.
But you can be more careful with high-risk users.
The nature of the application might also help you come up with the right mix of policies.
Sessions
Here you are also grappling with the question of timing. Do you push for strict timelines and make people refresh if they need to extend the session? Or do you loosen it so that people can interact with the app for a longer period?
Again you need to look at the application type and the persona that is using it.
Bothering physicians to refresh the application while they are recording their patients’ data and vitals is a very bad idea. Even though the information is critical, your users need time.
Multi-factor authentication
Generally, giving users the option to opt in to MFA, with a choice of voice, text, or email as the second factor, is the best way to proceed.
From the strict security point of view, you can enforce MFA and a user can only proceed after the identity verification process. Yet, that isn’t an ideal case for all the subsets of your users.
How about giving your users options, along with suggestions, for implementing MFA? Those who find it bothersome can choose not to opt in, and those who are looking for strict security can choose the recommended best option.
Re-authentication
As a product designer, you can be fairly lenient and have the user re-authenticate only when updating the billing or payment address. On the other hand, you can make it strict and make users authenticate for each transaction.
The best way forward is to use a method of detecting abnormal activity and couple that with re-authentication for highly sensitive data transactions.
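The password-reset, device-recognition, session and re-authentication decisions above all reduce to the same question: given who the user is and what they are doing, is a prompt worth the friction? The following policy function is an added example (not the article’s code, and not any vendor’s product) that ties those decisions to the personas described earlier. The persona names, the day/hour thresholds and the anomaly score are constructed assumptions; in a real system the score would come from your own fraud or anomaly detection.

```python
"""Persona- and risk-aware step-up authentication policy (added example).

Not the article's code. Persona names, thresholds and the anomaly score are
constructed for illustration; plug in your own values and fraud signals.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PersonaPolicy:
    device_trust_days: float   # how long a recognised device stays trusted
    session_idle_hours: float  # idle time before the session must be refreshed
    travel_tolerant: bool      # a login from a new country alone is not suspicious


# Hypothetical personas modelled on Shan, Mona, Howard and the physician case.
PERSONAS = {
    "frequent_traveler": PersonaPolicy(30, 8, True),    # Shan: lenient, travels a lot
    "busy_professional": PersonaPolicy(14, 4, False),   # Mona: moderate
    "cautious_retiree":  PersonaPolicy(7, 1, False),    # Howard: conservative
    "clinician":         PersonaPolicy(14, 12, False),  # long shifts, no idle prompts
}

# Highly sensitive transactions always get fresh authentication, whatever the persona.
SENSITIVE_ACTIONS = {
    "change_billing_address", "change_payout_account",
    "change_password", "change_mfa", "delete_account",
}


def decide(persona: str, action: str, device_age_days: float,
           session_idle_hours: float, new_country: bool = False,
           anomaly_score: float = 0.0) -> tuple[str, str]:
    """Return (decision, reason).

    decision is one of:
      'allow'           - no prompt
      'refresh_session' - lightweight session refresh (no full re-login)
      'step_up'         - full re-authentication (password + MFA)
    anomaly_score: 0.0 = normal, 1.0 = clearly abnormal (from your detection).
    """
    policy = PERSONAS[persona]

    # 1. Detected abnormal activity overrides every convenience rule.
    if anomaly_score >= 0.8:
        return "step_up", "abnormal activity detected"

    # 2. Highly sensitive transactions always re-authenticate.
    if action in SENSITIVE_ACTIONS:
        return "step_up", f"sensitive action: {action}"

    # 3. Device recognition has aged past this persona's threshold.
    if device_age_days > policy.device_trust_days:
        return "step_up", "device trust expired"

    # 4. A new country only triggers a prompt for personas that don't normally travel.
    if new_country and not policy.travel_tolerant:
        return "step_up", "login from a new country"

    # 5. Idle session: ask for a refresh, not a full re-login.
    if session_idle_hours > policy.session_idle_hours:
        return "refresh_session", "session idle too long"

    return "allow", "within persona thresholds"


if __name__ == "__main__":
    # Same request, two personas: the traveller is allowed, the retiree is prompted.
    print(decide("frequent_traveler", "view_feed", 20, 1, new_country=True))
    print(decide("cautious_retiree", "view_feed", 20, 1, new_country=True))
    print(decide("busy_professional", "change_billing_address", 1, 0.5))
```

The ordering matters: the fraud signal and the sensitive-action rule come first so that no persona setting can loosen them, and only the convenience rules (device age, travel, idle time) vary by persona. That is the article’s recommendation in code form: lenient by default, strict where the data is sensitive or the behaviour is abnormal.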
Account Locking
Earlier in this article, you read about the fraudster’s user journey, where he uses brute-force log-in attempts to steal data. A strict security policy will lock out such an attacker. But what happens to someone who keeps forgetting their password or finds it hard to type on a smaller device?
You can use Apple’s lock strategy. Apple lets its users attempt to log in a few times before forcing a soft lock-out for a short duration, and then keeps increasing the lock-out duration after further failed attempts.
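The escalating soft lock-out just described, as an added example modelled on that strategy (it is not Apple’s code and not the article’s). The number of free attempts, the one-minute base lock and the one-hour cap are constructed values; tune them to your own personas.

```python
"""Escalating soft lock-out after repeated failed log-ins (added example).

Modelled on the strategy the article attributes to Apple; not Apple's code.
Attempt counts and durations are constructed values for illustration.
"""
from dataclasses import dataclass
from typing import Optional

FREE_ATTEMPTS = 5          # failures a fumbling user gets before any lock
BASE_LOCK_SECONDS = 60     # first soft lock: one minute
MAX_LOCK_SECONDS = 3600    # cap so an attacker cannot lock a victim out indefinitely


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: Optional[float] = None   # epoch seconds; None when unlocked


def lock_duration(failed_attempts: int) -> int:
    """Seconds of lock after the n-th consecutive failure.

    0 for the first FREE_ATTEMPTS failures, then 60, 120, 240, ... doubling
    on each further failure and capped at MAX_LOCK_SECONDS.
    """
    if failed_attempts <= FREE_ATTEMPTS:
        return 0
    return min(BASE_LOCK_SECONDS * 2 ** (failed_attempts - FREE_ATTEMPTS - 1),
               MAX_LOCK_SECONDS)


def attempt_login(state: AccountState, password_ok: bool, now: float) -> str:
    """Apply one login attempt at time `now`; returns 'ok', 'retry' or 'locked'."""
    if state.locked_until is not None and now < state.locked_until:
        # Attempts during a lock are rejected without touching the counter, so a
        # flood of requests cannot extend the lock by itself.
        return "locked"
    if password_ok:
        state.failed_attempts = 0          # a good login clears the history
        state.locked_until = None
        return "ok"
    state.failed_attempts += 1
    duration = lock_duration(state.failed_attempts)
    if duration:
        state.locked_until = now + duration
        return "locked"
    return "retry"


def simulate(attempts: list[tuple[float, bool]]) -> list[str]:
    """Replay (time_offset_seconds, password_ok) pairs against a fresh account."""
    state = AccountState()
    return [attempt_login(state, ok, t) for t, ok in attempts]


if __name__ == "__main__":
    # Constructed brute-force run: one wrong guess per second for 12 seconds.
    print(simulate([(t, False) for t in range(12)]))
    # Constructed forgetful user: five typos, a lock, then the right password later.
    print(simulate([(t, False) for t in range(6)] + [(70, False), (200, True)]))
```

A legitimate user who mistypes a few times sees nothing; only the sixth consecutive failure costs a minute, and the wait grows from there, which is what makes automated guessing uneconomic. Because the lock is per account, a flood of wrong guesses against a victim’s username can still keep that victim out for up to the cap, so pair this with per-source rate limiting and a notification to the account owner when a lock is applied.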
Account Deletion
To prevent a hacker from deleting an account after stealing the info, you, as a product developer, can require strict conditions to be met. The conditions that might legitimately result in account deletion are a verified personal-data privacy request or confirmed fraud.
On the other side of this continuum, you can let a user easily and seamlessly delete the account and all the associated info.
Here we suggest enforcing strict termination requirements to prevent malicious deletions.
Account Deactivation
As a product designer, you have to balance a long dormancy allowance, letting the user seamlessly log in whenever needed, against shutting a user out after a time period (e.g., 6 weeks).
We suggest having reasonable thresholds, based upon the user persona.
Another suggestion is to always check that there is no fraudulent activity and that the credentials aren’t compromised before reactivating a dormant account.
Summing Up
Balancing user experience against strict security measures is a difficult task.
In the case of services where authentication is easy, customers use 10–20% more of the services. And such users spend 45% more than occasional users. So, as a product designer, you are always pushed to ease up on security measures.
Also implementing security costs money. The associated digital infrastructure and services account for major costs. Offline support adds to such costs too — even password-reset inquiries take up 6% of the call center time.
But more and more customers don’t trust digital services. Their perception of data security is worsening. With Facebook’s changes to its policies around data gathering and consumers’ worries about privacy invasions, cybersecurity and privacy are becoming a huge topic of discussion.
Companies that have successfully balanced user experience with top-notch security measures are enjoying 25–30% more customer satisfaction scores.
So, balance is a must. You need to keep your customer personas in mind while balancing experience and security.
You need to balance convenience and trust.