Blurring The Lines Between Usability and Security — Spectranet Case

Oluwatobi Akindunjoye
Published in UX Planet, Aug 11, 2017

Despite the rate at which technology has grown in the past decade, security breaches still remain a persistent menace. They demand even greater consideration in digital products, since a breach there can directly erode brand loyalty.

The process of creating a password starts with registering an account, and the role of a UX Designer in infusing usability into each step of this process cannot be overstated.

Unforeseen Requirements

While trying to change the password on my Spectranet account a few weeks ago, the experience I had wasn't very user-friendly. This is the screen to change the password.

Spectranet Change Password Screen

While it is okay to forgive the alignment and information architecture issues, what happened on the next screen should have been avoided.

After entering a password as required, I was then presented with a list of red warnings.

Spectranet Change Password Screen Warnings

The idea behind this is to help users create a strong password, but the interface is not usable, so usability becomes the price of security. Showing these requirements from the start would help users make more informed decisions about password creation.

I cannot reiterate enough the benefit of treating digital products like physical ones. The offline analogy of this experience is visiting a bank and failing to get through the security door at the first attempt, until a security agent comes to tell me to raise my phone, remove my belt, remove my wristwatch, etc., and after multiple tries I finally get in. What this creates in the offline experience is a long queue of frustrated customers; some persist, others just leave in anger (especially when they have options). The beauty of online is that there isn't really a queue in the waiting sense, but people can still leave if they have options.

Password Masking

Another thing I noticed was the inability to view your password on mobile.

Masking passwords doesn't even increase security, so we should not be losing on it in terms of usability either. The main reason so many websites and apps mask passwords is the claim that someone might be looking at you while you type. But here is the thing: if someone is close enough to look at your phone while you type your password, they are close enough to watch your keyboard. Besides, most of the security problems we have faced were not caused by people spying over shoulders; hackers don't do that. So why do we subject ourselves to reduced usability over a non-issue that we only think exists?

Typos happen a lot on mobile phones even for text we can see, how much more for text that is masked? And since screen real estate is smaller on mobile than on tablets or PCs, users will be more comfortable coming up with shorter passwords on mobile, which again hurts password security.

The Clear/Reset Button

One last thing is the inclusion of a Reset button. It is clear what the Reset button does on this page: it clears all your inputs in the form fields. But why would you want to do that? I am not arguing that it is impossible for users to make mistakes while filling in a form, but Reset only becomes useful when all of the entries are wrong (old password, new password, security answer).

The physical analogy is that when you make a mistake in some fields of a paper form, you are usually asked to write the correct value above it and sign against it, not handed a whole new form to fill in again. While analyzing a visa application form for TravelBeta, we found after 200 visitor recordings that of the small percentage who used the Reset button to clear the form fields, not up to 5% refilled the form. And of the 5% who did, 50% of those who tried re-filling the form had the majority of their retries come from users who could use auto-fill to edit their old data. So basically, the button is useless.

Technical Considerations

My observations so far have only made a case for the experience and not for the technical considerations of bringing usability and security as close together as possible. This is intentional: only when usability constraints are out of the way can we start boasting about enabling users to create stronger and more compliant passwords. Forcing users to include a symbol, one uppercase letter, one strand of albino hair, and so on, will do more harm than good if the way we present these requirements does not enhance their experience. It is even debatable whether these conditions help create a strong password in the first place, so why make me walk through fire when I am only interested in keeping warm?

Complex Password Combination Is Not The Answer

The man who invented these rules about 15 years ago now admits he is sorry for such suffering he had put innocent people through.

Jakob Nielsen had this to say in 1995:

A simple human factors analysis shows that no normal human can remember 50 different random combinations of characters, leading to one of two common solutions: either users select non-random passwords that are easy to remember (and easy to crack), or the users write down the passwords on a piece of paper or in a file on their system (also a major compromise of security). Please note: people do this not because they are stupid or want to make their system easy to crack, but because it is physically impossible for them to do otherwise as long as they are required to have more than a very small number of passwords.

So How Do We Ensure Users Create Better Passwords?

It is counter-intuitive that we force users to create the strongest of passwords but never take into consideration the memorability of those passwords. What we currently have in most interfaces is

Security Requirements > Usability of Creation Process > Memorability Consideration.

But we should all strive to have:

Security Requirements + Usability of Creation Process + Memorability Consideration.

Security Requirements

  1. Websites should invest in better security systems rather than loading users with commandments on what to include in or exclude from their passwords. Some websites store passwords in plain text, or encrypt them poorly, and leave the burden on the user to secure the system for them.
  2. Longer passwords people can remember are better than shorter passwords that they cannot remember, e.g. "My;Crush;That;Year;Was;Opeyemi;Aiyeloa" is better than "$54*th". The longer password here is something the human memory recalls faster because of its association and pattern, and it is also harder to crack by brute force.
  3. Create better options for users to be confident in the security process. Implementing 2FA is a very good start.

Usability of Creation Process

  1. Show the password rules before creation, and make those rules reasonable. Show a meter that tracks the user's progress as they satisfy the rules, instead of letting them create the password first and only then seeing warnings.
  2. Avoid masking passwords, especially on mobile. You can mask by default but provide a small link (show password) or an eye icon so users can see what they are creating.
  3. Remove Reset, or any other competing button that fights for attention with the most important button on the page (Create Account).

Memorability Consideration

  1. Allow people to use social login; it is easier for them to log in and removes a lot of pain points.
  2. Technologies like Google Smart Lock and fingerprint authentication (e.g. Touch ID) should be seriously considered; you cannot forget your fingerprint.

Advice To Users

Password managers are a good suggestion for people who cannot set all their accounts to 2FA. The downside is that the password manager also needs a password, but password managers are much better at encrypting passwords (since their whole job is security) than the average website (whose job is selling phones or hosting photos).

LastPass has been good so far. The difference is that you can have a different password for every website, and not run the risk of using one password for every site.

Copying and pasting a password puts it on the clipboard in plain text, where any application running in the background can read it at will.

Conclusion

In conclusion, user education is not enough. What we educate them on, how we educate them and how far we go in covering our own tracks are what will eventually blur the lines between usability and security.

Twitter: @OluwatobiMayowa Website: MayowaTobi.com


The world of user experience design fascinates me. Here to read, learn and write.