Article | by Ben Askew

Is “frictionless” a security tradeoff?

Off the back of this article by Duncan Jefferies published in Raconteur last week, Freestyle Design Director, Ben Askew, explores in more detail how tech-related security measures are evolving and what friction they create.


 

The general aim of experience design is to minimise friction for users and reduce cognitive load as much as possible. We all like to complete tasks as effortlessly and quickly as possible, but in certain contexts applying friction is a much-needed tool that can actually make the overall experience better by increasing the user’s perception of, and confidence in, the product’s value.

 

"Good Friction"

We’ve spoken before on how frictionless experiences can miss the mark. But friction can achieve positive things in UX too. It can be used to communicate a feeling, such as accentuating the end of a journey, or to help give that journey real weight. Anyone who has ever used Mailchimp knows the “send” button at the end and the anxiety it gives, causing you to double-check things before getting instant gratification as soon as you send your campaign.

When talking about 'good friction' around digital identity and security specifically, here’s a continuously-growing list of what that can mean:

  • Asking users to log in again before performing a sensitive action, especially those involving editing or deleting personal details or data
  • Making users stop and review sensitive processes before they submit data, e.g. reviewing a loan application before you hit submit
  • Asking users to confirm their identity before starting or completing an important action - such as making an online purchase, logging into an online account or amending a booking
  • Additional levels of login, such as asking users to answer a security question or provide a unique number or certain letters of a memorable word to gain access
  • On signup to a product or service, pausing to educate users on exactly why an increased level of security or additional step is beneficial to them, and being clear on how the service will keep their identity safe
  • Using different methods to confirm identity such as multi-factor and 2-step authentication or biometric login to complete a task

 

Monzo's identity verification process. Source: Monzo.

 

  • Requiring more complex password combinations during registration or asking users to change their account password after so many weeks or months
  • Logging users out or stopping a process midway after a certain amount of time due to inactivity 
  • Encouraging users to take additional actions to help increase security, e.g. Google asks users to review their profile security settings and permissions every few months

 

Tech to help secure experiences

In our mission over the years to reduce friction, we got more and more creative with our methods of identification, in an attempt to bypass having to remember passwords or having to enter and re-enter personal details. Think biometrics, services like Keychain and 1Password, magic links and more. 

There’s a fine balance experience design needs to achieve when considering the security of a digital experience. Certain industries expect a higher level of friction when it comes to fulfilling an action. Others can delay it, and some, arguably, choose not to know too much about you.

 

Security > Frictionless. Are you sure about that?

But you can get those levels wrong. As Duncan noted in his article, age can play a big part in how people rank security over frictionless experiences. Beyond that, it really depends on the context of the task a user is trying to achieve and the website or product they are using.

As in some of the cases mentioned before, reducing customer friction can mean providing less information upfront, or reducing the number of steps in a process or the number of security questions to answer. This in turn could compromise users if there is a security issue down the line.

Added friction around identity can only ever be a good thing, especially when doing things like making large online purchases or applying for a mortgage. Can you imagine if all a bank needed from you was something as basic as a username to log in? How about moving any amount of money with no further ID verification or security checks anywhere else down the line in a big transaction?

 

"Friction under the right circumstances can put our minds at ease."

 

Friction can easily be a positive action if its function is to help protect, alert or confirm intent. We saw this at a past Tonic event when Julia Bellis told us about how they approached the digitisation of the HM Passport Office service. At certain points in the application process, they needed to remind users of their previous choices to make sure they were on the right track, such as when a mother is applying for a passport for her child, as opposed to herself.

 


Julia Bellis at Tonic Digital, sharing the story of HM Passport Office's digitisation process

 

The bottom line is, friction under the right circumstances can put our minds at ease. And as technology evolves to support new ways of verification that feel less and less painful to do, but offer just as much protection as the more traditional methods, we’ll also evolve to accept and adopt innovation across this space.
