Skip to main

UX Design vs. Security: Where to Draw the Line

by Greg Cargopoulos

UX Design vs. Security: Where to Draw the Line

How many times have you struggled to identify images in a CAPTCHA? Do you fight to create passwords that comply with complex requirements?

The best UX designers create flows that are intuitive and easy to use with as little friction as possible, but security often requires some degree of friction. From password security to DDoS protection, there's a delicate balance between security and the user experience, which can be hard to achieve without the right approach to development.

Let's take a look at how to strike that balance.

There's a delicate balance between security and user experience—here are some tips to strike that balance!

Copy link
It Starts with Authentication

Authentication is among the most challenging areas for balancing UX design and security. Since it's often the user's first interaction with an app, authentication can influence their entire experience and should be as seamless as possible. On the other hand, it's one of the most common attack vectors for bad actors to access a system.

Example of overly complex password rules. Source: Password Shaming

The best way to improve security with minimal UX friction is by accurately identifying legitimate users. For example, you might look at a user's device, geographic origin, or IP address to predict the likelihood of an honest login attempt. If you have a low confidence score, you can introduce more friction to stop malicious attempts to gain access.

Some parts of authentication may require poor UX design. For example, error messages that say "your username or password is incorrect" may seem like poor UX because they’re vague. But this message makes it more difficult for attackers to guess usernames and passwords using brute force attacks—they cannot easily verify if an email address has an account.

Copy link
Protecting Against Chargebacks

Chargebacks are a common frustration among e-commerce shops. For example, if a malicious user successfully uses a stolen credit card, merchant banks could force you to refund the user, pay a fee, and lose any product you already shipped. On the other hand, requiring too much information at checkout can hurt conversion rates.

As with authentication, the best way to prevent fraudulent credit cards is by prescreening customers. Users that have successfully logged in to their account with their historically-used location and IP address may require minimal extra verification. But, you might make users that login from an unfamiliar computer verify their CVV or address.

The most common signs that you may need to introduce more friction to the process include:

  • An uptick in chargebacks.

  • Multiple failed payment authorizations.

  • Higher-than-average cart abandonment.

  • Lower-than-average shopping cart totals.

E-commerce shops with guest checkouts must balance the probability of fraud with the friction of adding more verification methods. For example, using Address Verification Service (AVS) ensures that user-entered addresses match the cardholder's address, but it adds an extra step that can lead to attrition in some cases.

Copy link
Managing Access & Permissions

Many applications have a heavy collaborative component that introduces security risks. For example, a user may want to share a health record with another user, creating HIPAA compliance risks. UX designers must create an easy-to-use workflow for sharing these records while minimizing the risk of accidentally sharing them with the wrong parties.

A critical security principle is that of "least privilege"—or users only having access to what they need. When planning out an application, consider what data should be limited based on each user type's job. Attackers typically look for admin-level logins, so restricting access minimizes the surface area for these attackers to target.

Sharing also poses a security risk to organizations managing sensitive documents. In general, it's a good idea to default to no sharing unless a user deliberately chooses to share. In addition, the document owner or administrator should have the ability to set explicit permissions for the document to prevent any unauthorized access, editing, or deleting.

Rate limiting is another tough trade-off for some applications. For example, many APIs impose rate limits on applications or users. A rate limit set too low can cause frustration among legitimate users, while a rate limit set too high can cause availability issues. These same issues might arise in non-API use cases, such as hosted storefronts.

Copy link
Secure by Design

Security is often an afterthought in the development process, but just like writing software tests after the fact, that can lead to problems. Trying to bolt on security fixes just before a release leaves little time for UX designers to minimize user experience friction. Instead, it's better to have a team that brings security expertise to the table from the start.

DevSecOps is the idea of integrating development, security, and operations into the development process. By incorporating security protocols into the Agile development process and software tests, teams can create faster and more secure delivery pipelines. You can also quickly respond to threats when they inevitably arise.

If you're working with an outside development group, you should ask how they incorporate security into the development process. You should also ask how they balance UX design with security to minimize friction and ensure a delightful user experience. If they don't have a good answer to these questions, it might be time to consider other options.

Copy link
Keeping It Simple

Leonardo DaVinci once said, "Simplicity is the ultimate sophistication." In other words, it's hard to make things simple because the tendency is to overcomplicate them. A DevSecOps approach results in cleaner and more maintainable code by incorporating security principles from the start rather than bolting them on at the last minute.

The same focus on simplicity should guide UX design. When thinking about security, seek solutions that offer the simplest user experience. For instance, DNS solutions like Cloudflare's built-in bot protection stops malicious actors from accessing your website. Only introduce friction to the user experience when there's a risk.

Copy link
The Bottom Line

Security often involves a trade-off with the user experience, but a single data breach can be catastrophic. Keeping things simple and incorporating security into the development process with a DevSecOps mentality can minimize friction to the user experience and reduce the odds of a security breach.


Related Articles