Great security or great UX? Both, please – Help Net Security
A new user is signing up for a SaaS application. On the one hand, UX teams want that user to get into the app as quickly as possible. On the other hand, security teams want the user to strongly validate their identity and configure settings properly before they enter sensitive information. Two worlds collide in the wireframe review process. But it doesn’t have to be this way.
It’s the classic battle fought over every app: UX designers hate security measures because they feel these measures inject complexity and make it harder for users to get what they want. Security teams feel like UX teams design for streamlined workflows and familiar processes at the cost of better security.
Not surprisingly, most SaaS companies feel like they must find a balance between the two. Except they don’t. The choice between security and UX is an entirely false choice: Security and UX are complementary and self-reinforcing. Here are three basic ways to make it so.
Default authentication to biometrics
Biometrics are super popular on iPhones for a reason. They are easy to use — much easier than a 2FA authenticator app or even a magic link. They are even easier to use than SMS codes.
Fortunately, biometrics are also highly secure and much more challenging to hack than SMS or even 2FA. So, make biometrics the default option for your app. Allow users to choose fallback options (even SMS, if necessary), but in your UX design, default towards the best combination of security and usability. Right now, that’s biometrics.
Passkeys are coming on strong but still not ready for prime time and are still very inconsistent in UX delivery across applications and operating systems, which is causing unfortunate confusion. So, while we love the idea of passkeys for authentication and we encourage them, in our experience, the UX needs to be improved to properly unlock the security benefits. Thus, fingerprints and faces are the best options for now.
Make bot filtering completely invisible
The visual CAPTCHA is dead, since there are now dirt-cheap CAPTCHA farms that will solve puzzles as a service for bad actors. Researchers have also demonstrated that LLMs can solve most common CAPTCHAs.
Users have long hated visual CAPTCHAs because they can be challenging to solve, even for attentive humans (“Is that squiggle a number 5 or a letter S? Is that a bus or a truck in box 4?”). Newer versions, which ask users to solve math problems or to tilt the monkey clockwise to match the arrows, are better, but still interruptive and obnoxious. Yet these horrible visual CAPTCHAs remain preferred by many security teams even though they are the equivalent of a UX dumpster fire.
Ditch the visual CAPTCHA and opt for an invisible version like reCAPTCHA v3 from Google. These invisible systems are just as secure and don’t require the user to do anything. In fact, they are probably more secure, because a user who can’t solve a CAPTCHA may engage in insecure behaviors to try to bypass the roadblock, or may drop off and try to access a SaaS tool from a personal email (in other words, they are using the same tool, but it’s now shadow IT). The basic principle here is the same: use systems that analyze risk and enhance security while remaining transparent and not interrupting workflows and user interactions.
Security step-ups only when necessary
A security step-up should be used only for higher-risk scenarios, such as: anomalous behavior or sensitive actions like purchasing a product, changing passwords or account information, or inputting financial details into a form.
The average user of a B2B SaaS app should go months without running into a security step-up. Recognize when they make sense and get rid of those that don’t. Fewer step-ups are more secure because users will not become numb to them. Instead, sparsely used step-ups will be perceived as an indication of a riskier environment or action that requires more care.
Be smart, as well, about when you already have strong enough information that a step-up is not warranted. For example, if a user logs in with strong 2FA like a security token and immediately goes into a sensitive process, a step-up may not be warranted because the session is short and the authentication is recent.
How you do a step-up, as well, is crucial. First, tell the user why you are asking for additional information. Second, make it easy for them to follow the process by explaining precisely what will happen in the step-up and providing visual cues like breadcrumbs. Third, offer different choices such as SMS, 2FA authenticator, magic link, or biometric to make it easier for users. Lastly, give them a clear success message that reinforces why the step-up happened so they can be ready for it next time (managing expectations is almost as important as clear UX).
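The step-up policy described above (trigger only on anomalous behavior or sensitive actions, skip it when a strong authentication is recent, explain the reason to the user, and offer biometrics first among the fallback choices) can be written down as a small decision function. The following is an added illustration and not code from the article or from any product; the action names, the ten-minute recency window, and the list of "strong" methods are assumptions chosen for the example, and a real deployment would tune them to its own risk model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical policy constants (not from the article): which actions are
# sensitive, which login methods count as strong, and how long a strong
# authentication stays "recent" enough to skip a step-up.
SENSITIVE_ACTIONS = {
    "purchase",
    "change_password",
    "change_account_info",
    "enter_financial_details",
}
STRONG_METHODS = {"security_key", "biometric"}
RECENT_AUTH_WINDOW = timedelta(minutes=10)

# Fallback choices offered during a step-up, best security/usability first,
# matching the article's advice to default to biometrics.
STEP_UP_METHODS = ("biometric", "authenticator_app", "magic_link", "sms")


@dataclass
class Session:
    auth_method: str            # how the user last authenticated
    authenticated_at: datetime  # when that authentication happened (UTC)
    anomalous: bool = False     # set by a separate risk engine (assumed)


@dataclass
class StepUpDecision:
    required: bool
    reason: Optional[str]            # user-facing explanation, None if not required
    offered_methods: tuple = ()      # choices to present when required


def decide_step_up(session: Session, action: str, now: datetime) -> StepUpDecision:
    """Decide whether `action` needs a step-up for this session.

    Rules, in priority order:
      1. Anomalous behaviour always triggers a step-up.
      2. A sensitive action triggers a step-up unless the session was
         established with a strong method within RECENT_AUTH_WINDOW.
      3. Everything else passes without interruption.
    """
    if session.anomalous:
        return StepUpDecision(
            required=True,
            reason="We noticed unusual activity on your account, so we need "
                   "to confirm it's really you before continuing.",
            offered_methods=STEP_UP_METHODS,
        )

    if action in SENSITIVE_ACTIONS:
        age = now - session.authenticated_at
        recently_strong = (
            session.auth_method in STRONG_METHODS and age <= RECENT_AUTH_WINDOW
        )
        if recently_strong:
            # Strong, fresh authentication: the step-up adds friction, not security.
            return StepUpDecision(required=False, reason=None)
        return StepUpDecision(
            required=True,
            reason=f"'{action.replace('_', ' ')}' is a sensitive action, so we "
                   "ask you to verify your identity once more.",
            offered_methods=STEP_UP_METHODS,
        )

    return StepUpDecision(required=False, reason=None)


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    # Constructed sample sessions for demonstration.
    fresh_key = Session("security_key", now - timedelta(minutes=2))
    stale_pw = Session("password", now - timedelta(hours=3))
    for s, action in [(fresh_key, "purchase"), (stale_pw, "purchase"),
                      (stale_pw, "view_dashboard")]:
        d = decide_step_up(s, action, now)
        print(s.auth_method, action, "->", "step-up" if d.required else "pass", d.reason)
```

The `reason` string is what the UI should show before and after the step-up, so the user understands why it happened; the ordering of `offered_methods` is what makes biometrics the default while still allowing SMS as a last resort.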
Let’s flip the script on the “Security vs UX” debate
The perception of either-or is poisonous: UX and security teams can be friends and work together to improve usability and security. For the most part, this means following basic principles and heuristics that closely map to well-known user preferences and behaviors.
Smart SaaS application product and security teams already recognize this and are moving in this direction because users and organizations will vote with their feet and their wallets.