I’m working on an authentication / authorisation type project at the moment. Thought I’d try to learn from the master by watching this talk. Here are some key take-aways:
- No-one talks about authentication or gives it the focus it deserves. We don’t teach it. We don’t hear talks about it. Yet it is in almost every product.
- Authentication is a bellwether for the UX. If the team has paid proper attention to authentication, then they are good at getting the details right, and the product is likely to be good.
- The famous ‘$300 million button’ article is all about avoiding the pain of auth. https://articles.uie.com/three_hund_million_button/
- It’s a ‘selective usability’ problem – we want certain users not to be able to get in.
- Auth is an enabling task. No one wakes up and says, “I’m hoping to authenticate 23 times today!”
- Auth is a ‘stronghold of inhumanity’ today. It is not just an inconvenience: healthcare workers are compromising their security because they’re worried that failure to auth might cost people’s lives. If it’s not usable, it’s not secure.
- Most of us don’t know where our email servers are. Security is not understood.
- Two-factor authentication (2FA) is something you’ve forgotten and something you’ve lost! https://twitter.com/dakami/status/818252636021346304
- Familiar example of password frustration: being given the recipe (the password rules) only after you’ve failed…
- Differing types of auth: authenticating as you vs being authorised to make a transaction (e.g. if you have a bank card and can quote the CVV)
- Lack of identification causes trouble (on Twitter, for example, where anonymous users can behave badly)
- Changing personal details is often difficult / poorly handled too (a related problem)
- Password managers… plus Apple has started including one in iOS and Safari, and other browsers have too…
- Amazon uses 2FA without friction: the cookie is something you have, and the address you ship to is something you are
- ‘Threat models’ are a description of the worst things that can happen… a useful design tool in this area.
- A common junior designer mistake is to design only for the authenticated experience.
- Another overlooked example: what about non-customers being able to return products (without making them create an account)
- Session time-outs are a serious problem (the experience of logging back in is awful and often unnecessary – and often takes you to another place)
- Key questions to ask a brand: If my identity gets stolen, can I trust you? If I can’t complete the ‘remember my password’ dance, will you help?
- Let fraudsters make fake accounts then design ways to stop them being able to do anything dangerous. Let them in – because you won’t be able to keep them out.
- Call centres will always be a vulnerability for fraudsters to exploit, so checks and balances are needed. Also needed: the ability to verify without knowledge tests (which many users won’t be able to remember).
Some common problems then:
- Memorable data is not memorable
- Possessions get lost / left at home / can be stolen
- Repetition: being asked for the same data again and again
- Treating trust as binary, just in vs out (without considering levels of trust)
- Being over-cautious. What is the real threat?
- Overlooking actions that can be allowed without any authentication
- Missing the nuance between auth types: e.g. one-time vs every-time
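Several of these points (levels of trust rather than in/out, actions that need no authentication at all, one-time vs every-time checks, and session time-outs that needlessly throw you out) come together in a step-up authorisation policy. The following is an added example, not code from the talk or from this post: a small Python model in which a session carries an assurance level, each action declares the minimum level it needs and optionally how fresh the proof must be, and an idle session decays to the device-cookie level instead of being destroyed. The action names, assurance levels, time limits and policy table are all constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Optional


class Assurance(IntEnum):
    """Ordered levels of trust in the current session (hypothetical names)."""
    ANONYMOUS = 0       # nothing is known about the visitor
    DEVICE = 1          # long-lived cookie: "something you have"
    PASSWORD = 2        # proved knowledge during this session
    SECOND_FACTOR = 3   # proved knowledge plus a second factor


@dataclass(frozen=True)
class Requirement:
    """Minimum level for an action; max_age is seconds of freshness required."""
    level: Assurance
    max_age: Optional[float] = None  # None: once per session is enough ("one-time")


# Constructed policy: not every action needs a login, and not every login is equal.
POLICY: Dict[str, Requirement] = {
    "track_parcel": Requirement(Assurance.ANONYMOUS),             # no auth at all
    "start_return": Requirement(Assurance.ANONYMOUS),             # non-customers too
    "reorder_to_known_address": Requirement(Assurance.DEVICE),    # cookie + known address
    "view_order_history": Requirement(Assurance.PASSWORD),        # once per session
    "change_email": Requirement(Assurance.SECOND_FACTOR, max_age=300),  # "every time"
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    step_up: Optional[Assurance] = None  # the one missing proof to ask for, if any


@dataclass
class Session:
    last_seen: float
    level: Assurance = Assurance.ANONYMOUS
    proved_at: Dict[Assurance, float] = field(default_factory=dict)  # level -> when proved

    def prove(self, level: Assurance, now: float) -> None:
        """Record a successful proof (cookie seen, password entered, 2FA passed)."""
        self.proved_at[level] = now
        self.level = max(self.level, level)
        self.last_seen = now

    def expire_idle(self, now: float, idle_limit: float = 900.0) -> None:
        """After idle_limit seconds, forget transient proofs but keep the device cookie,
        so the user is downgraded rather than logged out and sent somewhere else."""
        if now - self.last_seen <= idle_limit:
            return
        self.proved_at = {lvl: t for lvl, t in self.proved_at.items() if lvl <= Assurance.DEVICE}
        self.level = max(self.proved_at, default=Assurance.ANONYMOUS)


def authorise(action: str, session: Session, now: float) -> Decision:
    """Decide whether `action` is allowed now; otherwise say which proof to ask for."""
    session.expire_idle(now)
    session.last_seen = now
    req = POLICY.get(action)
    if req is None:
        return Decision(False)  # unknown action: fail closed, nothing to step up to
    if session.level < req.level:
        return Decision(False, step_up=req.level)
    if req.max_age is not None:
        # A proof at a higher level also counts; it just has to be recent enough.
        latest = max((t for lvl, t in session.proved_at.items() if lvl >= req.level), default=None)
        if latest is None or now - latest > req.max_age:
            return Decision(False, step_up=req.level)
    return Decision(True)


if __name__ == "__main__":
    s = Session(last_seen=1000.0)
    s.prove(Assurance.DEVICE, 1001.0)
    for action, t in [("track_parcel", 1002.0), ("reorder_to_known_address", 1003.0),
                      ("view_order_history", 1004.0), ("change_email", 1005.0)]:
        print(action, authorise(action, s, t))
```

The point of returning `step_up` rather than a bare deny is that the UI can ask for exactly the missing proof (a password, or a second factor) and then retry the same action, instead of bouncing the user through a full login. The `max_age` on `change_email` is the every-time case, while `view_order_history` is the one-time-per-session case.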