User Experience (UX) & Security, Part 3: Updating Security Information
In the first article of this series, I discussed the outstanding user experience Universal Studios provides to its customers while maintaining an extremely secure, well-monitored amusement park. It is my contention that we, in the virtual world, can emulate them and improve our experience while maintaining security at the same time. Today, I’m going to discuss one of the most mind-boggling user experience issues in security: updating security information.
Providing a good user experience during the registration process isn’t enough. Security runs throughout your system, and a good user experience must extend to every interaction with it. Below, I’ve listed some of the forgotten areas of security and user experience, and how they can be improved.
Logging In with a Third-Party Account
As discussed in the second article in this series, users now expect to be able to log into their account with a Facebook, Twitter, or Google account. When we allow that, our work isn’t done at the login screen: other pages and interactions have to change as well.
For example, when a user opens their account settings, the view must reflect that they logged in with a “parent account” such as Facebook, Twitter, or Google. That could mean removing the ability to edit the username or password, since your site isn’t the owner of that information. Processes around security questions and account locking should also be re-evaluated. If you do allow them to update their email address, explain what it affects and what it doesn’t: changing it on your site doesn’t change it at the identity provider, and because the address is usually the account-recovery channel, the change should be verified just as carefully as it would be for a password-based account. Give the user a clear understanding of what this arrangement entails.
There’s no standard user experience or interaction for this activity. In fact, the ability to edit such information is often an oversight, and attempts to change it lead to unhelpful errors or a system crash.
Lost Usernames / Passwords
When a user forgets their credentials, there are usually a number of hoops he/she has to jump through to recover the forgotten information. This could be as simple as entering an email address to recover the account, or as tedious as answering a series of security questions whose answers you’ve long forgotten.
Although it’s important to maintain security, it’s also important that your user is able to log into your website. Make this process as easy and straightforward as possible. Many sites have a basic, yet secure, standardized behavior for these incidents:
- Enter your email address
- Receive an email that links to a username recovery page or password reset form (the link should carry a random, single-use token that expires after a short time)
- Once the form is filled out, return them to the login screen to enter their newly set credentials
This process is a very simple interaction for the user, and has a single point of failure for your system: the email address could not be associated with an account on file. Resist the temptation to say so on the page. A form that answers “no account for that address” lets anyone test which email addresses are registered, so show the same “if an account exists, we’ve sent a link” message either way, and put the recommendation to register in the email you send to an unrecognized address instead.
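The three-step flow above, implemented as an added example that is not code from the original article. It uses an in-memory user store and token table standing in for a database (both constructed here), a hypothetical 15-minute token lifetime, and a hypothetical `https://example.com/reset` URL; the points it shows are the uniform response regardless of whether the address is known, the random single-use token stored only as a hash, and the expiry check.

```python
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass

# Constructed in-memory stand-ins for the user and reset-token tables.
USERS: dict[str, dict] = {"alice@example.com": {"salt": None, "password_hash": None}}
RESET_TOKENS: dict[str, "ResetRecord"] = {}  # token hash -> record

RESET_TTL_SECONDS = 15 * 60  # assumption: links are valid for 15 minutes
RESET_URL = "https://example.com/reset?token="  # hypothetical reset page

# Shown on the page whether or not the address exists, so the form
# cannot be used to enumerate registered accounts.
UNIFORM_MESSAGE = "If an account exists for that address, we've sent a reset link."


@dataclass
class ResetRecord:
    email: str
    expires_at: float
    used: bool = False


def _hash_token(token: str) -> str:
    # Only the hash is persisted: a leaked token table cannot be replayed as links.
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def request_reset(email: str, now: float | None = None) -> tuple[str, str | None]:
    """Step 1: the user enters an email address.

    Returns (message shown on the page, link to put in the email).
    The page message is identical for known and unknown addresses; the link is
    None for an unknown address, and that is where a 'you don't have an account
    yet, register here' email would go instead of a reset link.
    """
    now = time.time() if now is None else now
    email = email.strip().lower()
    if email not in USERS:
        return UNIFORM_MESSAGE, None
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
    RESET_TOKENS[_hash_token(token)] = ResetRecord(email, now + RESET_TTL_SECONDS)
    return UNIFORM_MESSAGE, RESET_URL + token


def complete_reset(token: str, new_password: str, now: float | None = None) -> bool:
    """Steps 2 and 3: the reset form posts the token and the new password.

    Rejects unknown, already-used and expired tokens. On success the password
    is replaced, the token is burned, and every other outstanding token for the
    same account is invalidated so an older email cannot undo the change.
    """
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(_hash_token(token))
    if record is None or record.used or now > record.expires_at:
        return False
    salt = secrets.token_bytes(16)
    USERS[record.email]["salt"] = salt
    USERS[record.email]["password_hash"] = _hash_password(new_password, salt)
    for other in RESET_TOKENS.values():
        if other.email == record.email:
            other.used = True
    return True


def verify_password(email: str, password: str) -> bool:
    """Login check for the newly set credentials."""
    user = USERS.get(email.strip().lower())
    if user is None or user["password_hash"] is None:
        return False
    return secrets.compare_digest(_hash_password(password, user["salt"]), user["password_hash"])
```

Looking up the token by its SHA-256 hash is safe here because the token itself is a 256-bit random value; the hashing protects the stored table, not the lookup. The deliberate 200,000 PBKDF2 iterations apply only to the password, never to the token, so the reset endpoint stays cheap enough not to become a denial-of-service target.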
Updating Account Information
As I mentioned in my second article, it’s very important to have a solid user experience on account registration pages. But too often I see drastic inconsistencies between registering for an account and updating one.
Account registration typically receives the most user experience focus, because it’s a conversion metric. That quality must carry over into editing the account. These are the main inconsistencies I typically see:
- Creating a password and updating one are two different experiences, often with two different sets of validation rules
- Data organization is completely different between account registration and account editing
- Account recovery’s look and experience is different from the rest of the site
The most shocking aspect of these problems is that we didn’t re-use our existing work; we started from scratch and produced an inferior user experience.
It is imperative that we look at all aspects of how the user is affected by security, and all the ways they can interact with it. Our security solutions must be holistic before we can apply a quality user experience.