User empathy — an ingredient that is missing from cybersecurity

Vibhav Nanda
6 min read · Sep 12, 2021

Introduction

As we continue to move towards a society that is connected to the internet more often than not, we also have to take steps to ensure cyber safety for everyone — a difficult feat to achieve given that a large percentage of the users are either not cyber savvy or find it too exhausting to indulge in regular cyber hygiene practices.

In this article I will use 2-step verification as an example to demonstrate the user pain points that are a barrier to voluntary adoption of these technologies. I will also highlight potential solutions to these pain points, as demonstrated by a Figma prototype I created. I am using 2-step verification because it is one of the most widely used cybersecurity tools outside of the constraints of enterprise policy requirements.

In brainstorming and researching ways to potentially alleviate user pain points, I learned that user empathy and user-centric design are key to solving the issues that the cyber community faces as they relate to voluntary adoption of cybersecurity tools.

In the next section, I will briefly introduce the concept of authentication and a typical scenario in which 2-step verification is used.

Background

When a user tries to log in to a system, they have to confirm their identity. This process is called authentication. Authentication rests on three kinds of evidence, usually called factors:

  1. Something the user knows (typically a password/passphrase)
  2. Something the user has (typically a mobile phone or access to an email account)
  3. Something the user is (typically biometrics)

The premise of 2-step verification is to require evidence from any two of the above factors before confirming a user’s identity. Most typically the combination is:

  1. Something the user knows (typically password/passphrase)
  2. Something the user has (typically mobile phone/access to email)

In this article, I will only consider the most common and prevalent combination (password + mobile phone/email).
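To make the two steps concrete, here is an added example (my own illustration, not code from the original article) of what a server checks in the password + one-time-code combination. The second factor is a TOTP code (RFC 6238) such as an authenticator app or SMS gateway would produce; the shared secret is the RFC 6238 test-vector seed and the user record, salt and helper names are assumptions made for the example. The server-side checks that a practitioner would want are included: the password is compared in constant time, the code is accepted within one 30-second step of clock skew, and a code that has already been accepted is refused a second time.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Shared secret behind the "something the user has" step. This is the
# RFC 6238 test-vector seed (ASCII "12345678901234567890"), used here only so
# the codes below are reproducible; a real deployment generates a random
# secret per user at enrolment.
TOTP_SECRET = b"12345678901234567890"
TOTP_STEP = 30      # seconds per code (RFC 6238 default)
TOTP_DIGITS = 6
TOTP_WINDOW = 1     # accept one step of clock skew either side

# Constructed salt for the example; a real system stores a random salt per user.
_SALT = b"example-salt-16b"


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP,
         digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def make_user(name: str, password: str, totp_secret: bytes) -> dict:
    """Hypothetical user record: the password is stored as a salted PBKDF2
    hash, never in clear, and the set of accepted TOTP counters is kept for
    replay protection."""
    return {
        "name": name,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 200_000),
        "totp_secret": totp_secret,
        "used_counters": set(),
    }


def check_password(user: dict, password: str) -> bool:
    """Step 1: something the user knows."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 200_000)
    return hmac.compare_digest(candidate, user["pw_hash"])


def check_totp(user: dict, code: str, now: int, window: int = TOTP_WINDOW) -> bool:
    """Step 2: something the user has. Tolerates `window` steps of clock skew,
    compares in constant time, and refuses a counter that was already used."""
    base = now // TOTP_STEP
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter in user["used_counters"]:
            continue  # this code was already accepted once: treat as replay
        expected = totp(user["totp_secret"], counter * TOTP_STEP)
        if hmac.compare_digest(expected, code):
            user["used_counters"].add(counter)
            return True
    return False


def login(user: dict, password: str, code: str, now: Optional[int] = None) -> bool:
    """Both steps must pass. The password is checked first, so the one-time
    code is only ever evaluated for someone who already knows the password."""
    now = int(time.time()) if now is None else now
    return check_password(user, password) and check_totp(user, code, now)


if __name__ == "__main__":
    alice = make_user("alice", "correct horse", TOTP_SECRET)
    print("code at t=59:", totp(TOTP_SECRET, 59))           # 287082 per RFC 6238
    print("login:", login(alice, "correct horse", "287082", now=59))
    print("replay:", check_totp(alice, "287082", 59, window=0))
```

The part the user experiences, the second factor, is only a few lines of arithmetic; everything else is the server protecting that step from guessing, replay and clock drift. That is the workflow the rest of this article is about making less painful from the user's side.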

Educational institutions, corporations, and government entities are increasingly making 2-step verification mandatory for individuals logging in to their systems. Outside of these policy requirements, users also have the option of enabling 2-step verification for the systems they interact with on a personal level, such as Facebook; however, relatively few individuals elect to use 2-step verification for personal use. The reason for this poor voluntary adoption seems to be rooted in user frustration, which in turn stems from a lack of user empathy in the tools.

In the next section, I will touch on the user pain points inherent within 2-step verification processes.

2-step verification — inherent user pain points

The typical flow for a 2-step verification process creates a lot of user frustration since the user has to deviate from their intended workflow to complete the 2-step verification. This is inherent to any 2-step verification process.

Consider a user who is trying to log in to their banking portal (the intended workflow) and has to complete a 2-step verification process (the deviation) to finish logging in. This deviation results in user frustration because of the cognitive friction between the intended workflow and the deviation.

The onus is on the creators and providers of 2-step verification tools to try to reduce user frustration by optimizing the user experience through improved user interface design.

In the next section I will dive deeper into the user challenges and demonstrate a solution via a Figma prototype that I created.

User Experience

Challenges

The primary challenges users face during the 2-step verification process are design issues (outlined below).

— No designed user experience: 2-step verification processes that use text messages or emails have no designed user experience at all. Requiring the user to open a text message or an email, read a passcode, and type it back into the target application is even worse for users than a poorly designed mobile app with push notifications, because it forces them to switch task context more than once.

— Poor user experience: 2-step verification processes that use mobile applications (Duo Mobile, Microsoft Authenticator) have very basic design elements, providing a poor user experience.

Duo Mobile | source: duo website
Microsoft Authenticator | source: microsoft authenticator website

From the above screenshots we observe 3 major UI (user interface) design flaws:

  • The design is very rudimentary and does not engage the user’s attention; user engagement is essential since this is a tool intended for frequent use.
  • A lot of information, such as IP address and date/time, is shown that the user does not actually use to complete the 2-step verification process. It is reasonable to assume that the user is aware of the date/time of their own login attempt, and the probability that a user knows their IP address is very low, so it does not help them during the process. (This context is not useless from a security standpoint: it is what lets a user recognise a prompt they did not initiate and deny it. The design question is how to present that signal in plain language, not whether to keep it.)
  • The design uses technical jargon such as "IP address" and "authenticate", assuming that the end user knows the jargon. This assumption narrows the user segment and discourages the general populace (the target audience) from adopting 2-step verification for personal use.

Rudimentary design elements and negligible user empathy suggest that 2-step verification tools are not a priority for the providers of these tools, which further discourages the general populace from engaging in cyber practices outside of the policy requirements enforced by enterprises.

Solution

The solution is simple: improve the user interface design to optimize and simplify the user experience. Empathize with users and assume that most of them are not cyber savvy. Use simple yet effective design concepts such as:

  1. Soft UI: To reduce the cognitive resistance already present within the general populace against cybersecurity tools, which are currently perceived as a roadblock to productivity.
  2. Animations: To improve user engagement by providing feedback to the user through animation. Animations can be used to retain the user's attention, especially that of non-cyber-savvy users, and have been shown to be effective in trading platforms.
  3. Minimal information: Provide exactly the information that the user will actually reference to complete the 2-step verification process. Overloading the user up front with information they are not actually using can be detrimental to engagement and result in frustration.

The main goal here is to provide visual clarity.

My demo solution

I used Figma to create a prototype of a 2-step verification app I believe addresses the challenges I outlined in the previous section.

  1. Soft UI: I used the principles of neumorphism and glassmorphism to design the app, giving it a flavor of minimalism and increasing its visual appeal.

My prototype demonstrating soft UI | source: self

  2. Animations: I used animations throughout the app prototype to enhance user engagement and to infuse a “nonchalant” flavor, aimed at providing cognitive relief to the user.

My prototype demonstrating animations | source: self

  3. Minimal information: The only information my prototype provides to the user is the account to which they are trying to log in. I did this on the assumption that the account name is the only information the user needs to complete the 2-step verification process; any more might lead to sensory (visual) overload.

My prototype demonstrating visual clarity | source: self

Conclusion

The cyber community needs more user empathy and tools rooted in user-centered design to enable effective adoption of cyber technologies. This will help improve cyber hygiene amongst the general populace and also enhance cyber awareness.

Complete Prototype Demo

A demo of my completed prototype | source: self

Disclaimer: I am sharing this article for informational purposes only and it is intended to be used in that manner only. All views in this article are my personal views based on my personal experiences. Any ideas discussed herein should not be used/implemented in a production environment or undertaken by anyone without consulting an expert in your field. I am not an expert in any field and not liable for any loss incurred by anyone who acts on the information I shared in this article.
