This article was published on May 3, 2020

Here’s how UX design can protect users’ security and privacy


Here’s how UX design can protect users’ security and privacy

Did you know TNW Conference has a track fully dedicated to exploring new design trends this year? Check out the full ‘Sprint’ program here.

It’s time for bed, but first, a few routine tasks:

  • Put on pajamas.
  • Brush teeth.
  • Open windows.
  • Unlock doors.
  • Place wallet, personal documents, and banking information in a convenient pile on the kitchen counter.

Sweet dreams.

If that scenario is unsettling, consider how often the same sensitive information is entered into our digital devices. Without the proper security protocols in place, our assets and identities are easy prey. Worse, as designers of digital interfaces, a disregard for security places users at risk—financially, professionally, relationally, and emotionally.

Security isn’t a trend or promotional tactic, it’s a crucial aspect of user experience and interface design.

UX security
When digital products aren’t properly secured, all the wrong characters gain access to users’ information. (Aaron Burden)

The ideal interface is simple to operate and safeguarded against attempts to steal users’ private information. Delivering such a design is typically framed as a tradeoff between usability and security:

  • If the interface is easy to use, it’s less secure.
  • If it’s secure, it’s more difficult to use.

This tradeoff is a myth. We can design interfaces that are simple and secure without compromising the quality of either. Here, UX designers play a critical role by ensuring that both technical demands and user needs are met.

In many ways, UX designers are interpreters. They decipher technical requirements and make them understandable for users. They also exercise situational awareness by deciding when to focus on simplicity or when to involve sophisticated security measures. Balance is key, but it can only be achieved by including all stakeholders from the earliest stages of design.

Get stakeholders involved in UX security early

There are multiple parties that must be consulted to design a secure and successful digital product. For instance, design teams have to ensure that their products comply with relevant regulations like HIPAA for the healthcare industry and PCI DSS for banking and financial services. Also, security features implemented by design teams must meet the standards set by the technical teams behind digital products.

Design for security
Designers ought to be aware of the various security regulations that apply to the digital products they work on.

When it comes to security, it’s not uncommon for user input to be ignored. But to truly meet users’ security needs, designers must grasp their motivations, behaviors, and expectations. Often, users know very little about digital security, so designers ought to learn to anticipate the levels of risk that users will face as they navigate through various screens and features. The earlier risks can be identified within the design process, the better.

Ignoring stakeholders or incorporating their input late in the design process doubles the risk. It can open security holes in products that could have otherwise been prevented, or it can lead to products that are so secure they’re barely usable.

Design methods for product security

Encryption

Encryption is a method of converting sensitive information into a code that appears to be random. It’s an important design consideration in digital products with communication features. In apps where calls, texts, videos, images, and documents are frequently exchanged (think WhatsApp), end-to-end encryption ensures that only the users involved in a conversation can see the data being exchanged.

This means that no one, not the company behind an app, not data criminals, not even the government, can see the content of messages. When users know that their information is protected by such measures, they’re much more willing to extend trust.

Authentication

It is essential to verify that only the owner of an account can log in—and that all intruders are locked out. Authentication is the most effective way to secure digital products from unauthorized access. Features like usernames and password requirements ought to be identified and tested early in the design process.

For additional security, two-factor authentication (2FA) can be added. With 2FA, a username and password are entered, and a log-in code is sent to a mobile phone or email address.

Security user experience
To receive an access code, Intuit’s 2FA process allows users to choose between multiple delivery options.

Data Privacy

Ultimately, data privacy is an ethical consideration for designers and businesses. When users trade their personal data in exchange for access to a digital product, they’re choosing to believe that the company that oversees the product will handle their information with integrity. They’re also trusting that the features implemented by designers and developers are able to withstand data attacks.

Enhance user privacy and data privacy

It’s worth repeating, digital products are made for users, not the other way around. Users’ interactions with products should never come with the risk that their data will be leaked or stolen. Sadly, this isn’t always the case.

Most cybercrimes are carried out with the intent of obtaining users’ personal data, but UX designers can help. How so? By implementing features that encourage users to choose stronger passwords and avoid placing excessive personal details online.

For instance, a product’s authentication interface may employ a friendly message to inform users about why it’s important to have stronger passwords. Instead of forcing users to create a password with 12 characters, lower and uppercase letters, a number, and a symbol, the message could simply say, “You need a stronger password. Here’s why it’s important.” This way, users better understand the necessity of securing their data and privacy.

Remove unnecessary security obstacles

If product security depends on incorporating all stakeholders, then designers need to take the time to consult with developers and cybersecurity professionals. Developers typically have constraints that affect design, and they may be able to offer insights about the effectiveness of UX security features implemented by designers. Cybersecurity professionals can educate designers about the most up-to-date security strategies, tools, and compliance regulations.

A word of caution: Consulting security experts is good, but overdoing security measures makes digital products cumbersome and encourages users to look elsewhere. Vague messages like “Your internet connection isn’t secure” lead users to circumvent security features meant for their protection.

Ultimately, it reflects poorly on businesses when legitimate users can’t accomplish tasks or find themselves locked out of their accounts because of over-complicated digital security.

Security UX design
It’s possible to overdo digital security features and frustrate users. (Kelly Sikkema)

Secure against social engineering

Of all the digital security attacks that take place, one scheme is considerably more common than any other. It accounts for nearly 90% of breaches worldwide and relies more on the art of deception than sophisticated technical abilities. What is this nefarious tactic?

Phishing.

Like con men of old, phishing (which occurs most often in emails) relies heavily on social engineering strategies to scare, pressure, and confuse users into handing over sensitive information and hard-earned cash. To protect against phishing attacks, designers can create security forums that allow users to report spam and post warnings to other users. They can also employ popups or messages within their apps to alert users of known phishing attempts.

Application security design
Phishing weaponizes written communication by tricking people into sharing their sensitive information. (Taskin Ashiq)

Designers need digital security too

For all the effort that goes into security, one overlooked vulnerability can seriously compromise the integrity of digital products. It has little to do with technology — it’s designers themselves.

For every product created, there are hundreds (even thousands) of design artifacts generated. Dozens of communication channels are utilized. Links to strategic documents are sent to multiple parties. And, distributed teams are increasingly dependent on cloud-based design tools.

If designers don’t take precautions to guard their work and communications, attackers will find ways to infiltrate organizational weak points. This may mean establishing VPNs, undergoing cybersecurity training, and enacting asset management and communication guidelines to prevent loose ends.

Design for security

Secure and usable interfaces don’t happen by accident. They are the result of designers who take the time to identify points of data vulnerability and involve stakeholders early in the creative process. Security is no different than any other critical feature—end users’ needs mustn’t be ignored.

When designers find helpful ways to communicate the value of security and ensure that safety features operate efficiently, users will reward the companies that oversee digital products with their trust and ongoing engagement.

The Toptal Design Blog is a hub for advanced design studies by professional designers in the Toptal network on all facets of digital design, ranging from detailed design tutorials to in-depth coverage of new design trends, tools, and techniques. You can read the original piece written by Mayank Sharma here. Follow the Toptal Design Blog on Twitter, Dribbble, Behance, LinkedIn, Facebook, and Instagram

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with