Customer and Data Security Experience
Online Security Overview
What can we do to make our customers’ and our online security secure but also to be a happy experience? I think designers need to give more input into the choice and design of our customers’ and our business’ security requirements. Online security is now a way of life – can’t we at least make it easy?
The Internet seems to have become such a dark place. The basic needs of any person are food, water, and security. On the Internet, security is the least easy to get of the three: spamming, viruses, trojans, denial of service attacks, data farming, phishing, and outright theft amongst other threats to our privacy make our lives far more difficult than they need to be - or than they should be.
Consider your secure online services as being your castle with many rooms: one each for each service: not only your own but everybody’s service you want in your life.
If you’re like me, and I’m fairly typical, I need a pretty big Queen Elizabeth sized castle with over 150+ rooms – many en-suite – and that’s not including guest rooms for the visiting in-laws? Outside my (behemoth) castle are the thieving b’stard villains working on their opportunities to steal my and your keys and ultimately, my identity and my money: my personal hard-earned possessions, I might add.
What's in my castle?
You can find the following groups of services: Shopping and online auctions, documents, music and other media, software subscriptions, applications, my photo albums, newspapers and magazine subscriptions, book readers, government departments – all of them, waste disposal, phone providers, internet providers, banks, utilities, email, devices, operating systems, this blog, my own and my clients’ web assets, road toll companies, delivery services, health services, VPNs, operating systems, eLearning, insurance, lotteries, and of course social media and the many, many, many clouds.
Must We Have a Castle?
Yes. Because we want to be safe and have our 'stuff' kept safely but the Internet is full of vultures, villains, and governments.
If you don’t like the castle thing then consider that I’m on a high street and all the shops are locked unless I have the right key: a key cut to fit each different design of lock. I need to remember what shop I want to go to, how to get there, where I put the key: even what the freaking key looks like before I even find the ruddy key to my wallet. Maybe I need to cut the keys myself – and learn how – via a service that wants me to log in?
Whichever metaphors we use, the end result is far from being a great universal experience of secure online services. And I am sticking with the castle by the way. I understand castles: high streets just give me the heebie-jeebies on account their being full of vile villains from the outset, but that’s another story.
Securing The Castle
How do we protect our castle and our belongings? A start might be to introduce a stronger deterrent: perhaps the punishment for assisting cyber theft of data for advantage should refer back to the days of real castles and we should put the little snots’ eyes out with a not-quite-red-hot-enough poker?
Why on Earth would I wish to condone such a barbaric activity? Because, as a consequence of there being thieving scumbags on every corner of the Internet I have to sign in or log on to everything. My day is challenged and darkened by a constant need to remember and then type my security credentials like a hurdle before doing anything. I’ll be surprised if next year I don’t have to sign in to my toilet given the Internet of Things!
But my point on catching the b’stards is a valid one: you might be able to hack your way in but there’s no way I’m letting you back out before I know where and who you are. If only life were that simple? Maybe we are too techy about our online aliases and we should wake up to just having one online license through which we own each action and comment we ever make: an end to defamy, trolling, or other online assault, crime, bullying or other hurt? I digress…
The other side of the deterrent is that if it's not easy to break or trick your way in to the castle the only people likely to do so are those able and wanting to. Thus they can have their eyes poked out and their heads impaled on the ramparts!
What's The Beef?
So back to this 150 room castle. I need 150 different keys – but I’m not to label any one of them. Each must be a different pattern depending on who made each lock, and I can’t keep them all in one bag either.
I’m weary. I want the freedom of information to wander through my castle rooms when I feel like it.
If you offer me a new room with even a great new service, I want it to comply with the well-organized arrangements I’ve made to cope with managing all the fecking doors I have already? Instead, your lock will be different: another burden on my already compromised ability to think about what you really want me to do with the new room and the previously attractive service you offer me will become that bit less alluring. I might just tell you to peddle off?
And then, when we hide all of our ‘stuff’ in a castle in the sky (The Cloud), or built on easily under-minable sand, we learn that it’s not as secure as we were led to believe or needed it to be. As if we don’t already share enough crap with the World, our very credentials are stolen and we need to restart the whole security process all over again.
The Customer Experience
- Your site: “Buy this item now.”
- Your user: “Great. I will”. (Click)…
- Your site: “Landing page – find the Sign In button – think through the registration process – then Sign in …your password does not match OUR (draconian) rules...verify email…enter a postcode…enter a postcode…enter a postcode even if you don’t have one…usernames are made up from your DoB and your customer number sent to you in an email or posted snail-mail to your paper-pooping dog’s intestines…enter memorable information (that meets our criterion of questions that you’ll likely forget)…or think of your own memorable information you don’t mind sharing with us…enter the 10th character of your password” (even though yours is only 9 characters long – Ulster Bank!)…and so on for services accessed less than or only once a year! (Grrr!)
- Your user: “Stuff you. Back to my search page.”
What can we do? How can we reduce the cognitive effort involved in setting and then remembering passwords and “security information” for every digital service in our rapidly expanding virtually serviced (castle-bound) lives?
Existing Security Strategies
There are seriously more nerdy professionals than me who are cleverly advancing the user security pathways and technologies. Because of their nerdy-ness, it is not always easy for them to understand how we ‘normal’ folk interact with their convoluted strategies and processes designed to be so secure not even THEY can get in. That’s where airy-fairy designers need to step in and help to rationalise the experiences for normal digital consumers.
These are a handful of security strategies available to businesses at the moment:
Unique Sign On (Credentials for Each Service)
This is obviously the cheapest technique of providing customer and business security – and perhaps the lowest technical denominator in the cyber-locked World?
Our user or customer must set up a unique user name and password to enter our domain. Perhaps there is an additional step such as verifying a true identity or age via an email exchange or a duff transaction off our credit card?
The end result is that your business gets a warm feeling while our user looks for another note pad in which to write down and store their new security credentials.
Single Sign On
Perhaps the greatest advance is the Single Sign On (SSO) approach? You’ll have seen this when you are offered to sign in to a service with your Google or Facebook account, etc., or where you sign in to a learning management platform?
Caution that our French friends call the Single Sign On, the “Authentification unique”. I’m not certain that’s entirely accurate as the Single Sign On is not unique but universal. Grammaire française est toujours un caniche pour moi. (Thanks Google Translate).
Benefits of using single sign-on include:
- Reducing password fatigue from different user name and password combinations
- Reducing time spent re-entering passwords for the same identity
- Reducing IT costs due to lower number of IT help deskcalls about passwords
SSO shares centralized authentication servers to ensure that users do not have to actively enter their credentials more than once: they hold the “key to the castle”. (From Single Sign On, WikiPedia, accessed August 7, 2015)
The downside is that, if your castle key is compromised then your attacker has access to your “castle”.
Password Remembering Services
There is a growth in online and on-device security applications (even in browsers) that offer to do all the remembering of passwords for you. That’s handy, but some are worse than others at retrieving the password on demand?
If I use a device on which the password is not stored, am I more likely to have forgotten my credentials when there is a time I need to enter them?
Additionally, if my password – encrypted or not – is going to be stored anywhere, then that encryption and data-storage need to be not only top-notch, but proven to be impregnable. And that impregnability guarantee seems to be ever the more erode the more we discover just how sophisticated cyber criminals and governments can be in their hunger for information.
My nerdy friends may argue that it is infallible, but perhaps I am echoing our users’ mistrust of these services and issuing an edit to reassure us further?
Physical Encryption Devices
Some systems issue physical devices to act as keys comprising a random code generator, perhaps including a known-only-to-you PIN. But even these vary by design and can impose not only a burden on time and cognitive/motor effort, but also on your carriage as the number of devices on your keychain exceed your ability to carry them.
And if you “loose” your device perhaps you loose the easy access too?
We use access cards for much of our European or American purchasing experiences now, so it would seem an evolution to fit a device to our technical equipment that gives access?
But, you need to be carrying the access card and, as would be likely, where there was no One Card to rule them all you are probably going to find you don’t have the card when you need it and you’ll end up reverting to an on-screen sign in interface anyway?
The biggest drawback is that a card can be lifted easily by a light-fingered thieving b’stard.
This seems a great way forward from the user experience perspective – as long as their hardware is capable of it
Having used Apple’s iOS fingerprint access for a time I am impressed at how easily the system works and as many if not most connected devices have a camera these days then the opportunity for facial recognition is boundless?
Critics suggest that an attacker applying a physical assault can force your face or fingerprint onto recognition hardware whereas, with a password, you can refuse to offer assistance. I’d argue that if you are under a planned physical assault you are going to give your password away! And anyway, who says you need to recognise only my face? In the old days of photocopiers…
As with anything cyber-related, as quickly as there is a security solution there is some douche bag hacking a way to circumvent it or cutting out a back door to your castle. There’s also a cost to the business, which needs passing on to the customer. The smaller the business and the smaller the customer base then obviously the more frugal the budget to spend on lock smithies and key-cutting exercises.
And that’s fine. It means that the majority of designers will implement known design patterns that we don’t need to learn leaving us some cognitive capacity left to navigate the actual work of getting in to our stuff.
But is there anything that can be generally done to improve our experience of all this security?
Ease the Process
What can we do with the user journey to ease the experience? Perhaps 10 things to consider:
- 1. Choose the most convenient security process for your user: not only the business.
- 2. Time your security procedures well.
- 3. Inform your user at the outset of the transaction that they are invited or required to verify their ID to sign in to your service. (Hiding a complex security procedure behind a purchase process may not be optimal – especially if this is a one-off purchase).
- 4. Only ask for relevant information in your forms. If its not “Required” to complete the transaction then simply don’t include the input.
- 5. If your user name, password, or address inputs have validation rules make these clear in the user interface.
- 6. Offer a way to retrieve your users’ credentials that does not involve boiling cauldrons and eye-of-newt at midnight on a solstice or other cognitive Yoga to accomplish.
- 7. Offer an alternative method of completing the transaction. (This could prevent a transaction being abandoned at point-of-payment through security apathy?)
- 9. By default, ensure that your notifications are turned off and only turned on by an informed positive user action. (This is particularly important if the page refreshes for any reason and our selection not to receive your pitiful pleas for our custom is switched on by default).
- 10. Consider the validity and periods of system time-outs. Are you my nanny: can I not leave myself logged in if I want to?
I have experienced some great examples of transaction processes and many poor ones – particularly with banks.
A great example of a simple and easy-to-follow-willingly process and interface is offered by those clever people at Touchnote. And their application and products are pretty handy, too.
I’m a fan of Microsoft Account’s SSO and of their sending a text or email with the numeric code necessary to input into the user interface when making security-sensitive changes to the account.
On the downside, once signed in to a Windows Phone account, it is near impossible to remove access to the account – for example, when a Windows OS phone goes for repair.
A Less Great Example HSBC
At the first hurdle, as a HSBC business customer, do you know to look at the navigation bar’s top-left to first choose Business before Log-In (suitably meeting the expected design pattern miles away on the top right)?
And that’s just the start of a never-ending process of selecting accounts to manage…even after having selected an account to manage…(another Grrr!)
A Last Thought
As many of our digital devices require us to sign in to them – with or without dark biometric magic – can we not offer our customers an alternative security process based on that? Not like Apple’s Keychain, etc., but just based on the fact that if we’re online we have a unique ID in our device already: a range of services ‘keyed’ to our devices?
Perhaps then I wouldn’t need to remember anything to roam my digital castle except to wonder where I left my car keys…?