The Opportunity of Security: Ame Elliott on Creating Secure Apps that Delight Users
There are many challenges to creating a secure app that is also user friendly. From identity verification to end-to-end encryption, many of the potential affordances for locking down security in a product can result in friction for users. While this places certain creative constraints on the design process, it also presents a major opportunity — UX designers that do security well have an opportunity to set themselves apart in a crowded market like never before.
Ame Elliott is the design director of Simply Secure, an educational nonprofit devoted to advancing the cause of privacy, security, transparency, and ethics in product design. Together with multidisciplinary designer Kerem Suer, they created the Vault UI Kit, the latest free UI kit for Adobe XD. In it, you’ll find many of the important elements you need to create a secure app, from password elements to secure file-sharing screens. Download the Vault UI Kit here, and keep reading to hear some of Ame’s top advice for creating an app that nails a secure UX.
Security as a selling feature
The Vault UI Kit is a prototype of a one-to-one secure file-sharing app. It prioritizes security for the user, and its elements make this priority (and the app’s capacity for features like end-to-end encryption) clear, right from the start screen. Ame says that, by making security a cornerstone of your app’s design, designers have an opportunity to tap into the ethos of users and make products that put users and their needs ahead of the app creator’s interests.
“There’s an opportunity for multiple products to differentiate themselves by offering better security. I think a lot of people don’t realize that, in general, cloud storage apps have access to the contents of all of your files. I think the possibility to share files with someone in an end-to-end encrypted way is an important feature that we need to see more of,” she said.
“End-to-end encryption isn’t new, there’s been solutions for decades, but on the UX side a lot of those are really challenging,” she added.
So, what is the key to portraying this level of security in a way that delights your users? Communication and presentation. Make sure your users know what information is being used, prioritize the development of advanced security features, and explain exactly what protections are safeguarding their precious data.
Cueing in the user
Identity verification (also known as authentication), end-to-end encryption, and transparent auditing in file sharing aren’t new concepts, but there is still a lot of room to improve the UX of these features. Ame says cueing in the user on the function and purpose of these elements is crucial to turning security into a delightful experience with minimal friction. Here are some of her key tips:
- Find ways to thank the user for engaging with tough tasks like choosing a password. Good examples include a progress bar that goes from red to green as a new password gets long enough, and an option to reveal the password as it’s being typed.
- Be cautious about scolding the user with red text or highlights for doing something “wrong,” especially when they’re likely to feel stress or anxiety about the task at hand.
- Be in touch with the latest security recommendations. (See below for an example on password selection.)
- When the user is faced with a lot of data, such as in an audit log, make sure they have a search facility or other option to help scale their exploration over time.
- Inside the app, use short copy wherever possible to point to security features, explain their functions, and effectively communicate their importance to the user. Offer an option to learn more in another window where there is space for images, animations, and other enlightening content.
Ame says this is still an emerging area of UX design — often, UX designers do not call attention to security features in an attempt to reduce friction. Designers worry that because security is serious, making users think about it will automatically result in a heavy experience. But security doesn’t have to be onerous, and not engaging users can leave them vulnerable and confused. Users need to understand what data is in play, how it’s being handled, and what affordances they have to manage it.
“I think it goes up to a much bigger conversation just around brand promises, and how brands and companies can demonstrate that they’re trustworthy. From a design point of view, being clear about who has access to what information when, for what purpose, is crucial,” she said.
Best practices for identity verification (aka authentication)
The more security features your app supports, the more touch-points you have with your users. For example, think about the different screens and interactions necessary to authenticate someone. This presents both an opportunity and a challenge for designers — get it right, and the user walks away happier than they would have been without the added security. Get it wrong, and the user walks away frustrated (and likely searching for an easier solution that retains the same safety features). Here are Ame’s top tips to make the process effective for users:
- Support two-factor authentication for any application dealing with sensitive or valuable data. Most account breaches happen because a password was reused on multiple platforms and compromised elsewhere. Two-factor authentication is the single best protection against this attack.
- Communicate to your users the power of two-factor authentication in keeping them safe, and facilitate this process in as few steps as possible. If possible, customize the experience in a way that matches your product’s brand values. For example, a playful brand might include a cheeky greeting along with the code sent by SMS at sign-in.
- If you have a global user base, be sure to support two-factor solutions that work in places with reduced, expensive, or insecure cellular capability. This can be done by generating an authentication code in an app (either custom or third-party) or by using a device like a YubiKey.
- Do not enforce complex password rules requiring a certain number of letters or numbers. Encourage users to create long passwords to maximize security (such as a phrase containing five or more words), while suggesting they either record their password for future reference or use a password manager to auto-fill.
- As noted above, find ways to encourage users to get through a tough process like choosing a new password, such as a friendly yet meaningful progress bar. Don’t punish users with scary red text or talk down to them for doing things like entering the wrong password.
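The password advice in the tips above can be sketched as a small meter function. This is an added example, not code from the Vault UI Kit or from Simply Secure; the 16-character target, the `passwordFeedback` name and the tiny constructed blocklist are assumptions, and the blocklist screening goes one step beyond what the list describes.

```javascript
// Added example: length-driven password meter with no composition rules.
// TARGET_CHARS and COMMON are assumptions made for this sketch.
const TARGET_CHARS = 16;
// Constructed sample blocklist; a real one would be a large breached-password set.
const COMMON = new Set(["passwordpassword", "1234567890123456", "qwertyuiopasdfgh"]);

function passwordFeedback(input) {
  // Count code points so accented letters and emoji each count once.
  const chars = Array.from(input).length;
  const tooCommon = COMMON.has(input.toLowerCase());

  // Length alone drives the bar; digits, symbols and case are never required.
  let progress = Math.min(1, chars / TARGET_CHARS);
  if (tooCommon) progress = Math.min(progress, 0.5);

  // Bar colour: hue 0 is red, hue 120 is green.
  const hue = Math.round(progress * 120);
  const accepted = progress === 1;

  let message;
  if (chars === 0) {
    message = "Try a phrase of five or more words. Spaces are fine.";
  } else if (tooCommon) {
    message = "That one is widely used. A phrase only you would think of works better.";
  } else if (!accepted) {
    const left = TARGET_CHARS - chars;
    message = `Good start. ${left} more character${left === 1 ? "" : "s"} will do it.`;
  } else {
    message = "Thanks, that is long enough. A password manager can remember it for you.";
  }

  // tone is for styling the copy: it is never "error", so the text is never red.
  return { progress, hue, accepted, tone: accepted ? "positive" : "neutral", message };
}
```

The returned `hue` is meant for the bar only (for example `hsl(hue, 70%, 45%)`), while `tone` keeps the accompanying copy out of error styling.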
While additional authentication features require the user to perform more detailed actions to access their services, Ame says this is actually an opportunity to communicate to the user how their information within the app is being safeguarded. Most users will appreciate the extra layers of security, if the process is smooth and the purpose of their steps has been effectively communicated.
“This is definitely a design opportunity. Two-factor authentication intersects with service design as another touch point with your customer. You get to understand their workflows in different ways, and guide them along the process of securing their data within your product,” she said.
It’s time for UX designers to become security leaders
Conversations about data security are growing louder and louder across the globe. Ame believes we are heading into an age where security in our apps and services becomes a top concern. This presents a huge opportunity for UX designers — those who manage to turn security-focused actions into delightful experiences will find themselves ahead of the curve.
“Security is really about caring for others — and if you’re a human-centered designer and you’re doing user research, and you’re trying to advocate for better decisions on your team, this is a logical extension of that,” said Ame.
“There are opportunities at a lot of organizations where security could be better resourced. There’s a leadership vacuum, so I would like designers to say, ‘OK, I’m going to be the champion of these issues in my organization,’ and then advocate for the resources necessary to be a voice for stronger security.”