I recently attended Jared Spool’s presentation “Insecure & Unintuitive: How We Need to Fix the UX of Security.” If you haven’t heard Jared speak, I recommend that you do. Jared is both highly entertaining and highly informative. In this presentation, Jared shared how organizations are losing millions of dollars because people don’t remember their passwords, get locked out of their accounts and call support. Even worse, he showed how easily passwords are stolen through phishing. Organizations are getting hacked and their customers’ data is getting stolen. “If it’s not usable, it’s not secure.”
Jared shared how Amazon solves this problem by breaking up identification, authorization, and authentication into separate steps, each demanded only when it is needed and in the way that is easiest for the customer. When you first create your new account with Amazon, you tell them who you are. They don’t have any way of checking that it’s valid – but they don’t need to at this point either. Once you purchase something, you give them a valid credit card, and they say, “Okay, the person’s credit card worked, the security code on the back matched. It’s not on our bad credit card list. We’re going to go with this” – and you have been authenticated. Then you go to enable 1-Click because they say, “Hey, you know there’s this 1-Click thing. You can turn it on at any time.” You go to enable that, and at that point Amazon double-checks your credit card and pre-authorizes you for future purchases. Once that’s done, as long as you are making a purchase from that machine and you ship it to the address you entered for 1-Click, you are authorized to make that purchase.
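The flow described above is a progressive-trust model: each action asks for only the level of verification it needs, and the strongest level (1-Click) is scoped to a device and an address rather than granted globally. The following Python sketch, added here as an illustration and not Amazon's code or anything from Jared's talk, models that decomposition. The trust levels, the policy table, the card-check stand-in and the deny-list entry are all assumptions constructed for the example; the point it adds beyond the prose is that a refusal names the missing step (step-up) instead of just saying no, and that pre-authorization is bound to the machine and shipping address it was granted for.

```python
"""Progressive trust: identification, authentication and authorization as
separate steps, each required only by the action that needs it.
Added illustration; levels, policy table and card check are assumptions."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Tuple


class Trust(IntEnum):
    IDENTIFIED = 1      # account created; the identity claim is unverified
    AUTHENTICATED = 2   # a payment card was charged successfully once
    PREAUTHORIZED = 3   # card re-checked; device and shipping address bound


# Assumed policy: the minimum trust level each action requires.
REQUIRED_TRUST = {
    "browse": Trust.IDENTIFIED,
    "checkout": Trust.AUTHENTICATED,
    "one_click": Trust.PREAUTHORIZED,
}

# Constructed stand-in for "our bad credit card list" (test number, not real).
BAD_CARDS = {"4000000000000002"}


@dataclass
class Account:
    email: str
    trust: Trust = Trust.IDENTIFIED
    bound_device: Optional[str] = None   # machine 1-Click was enabled from
    bound_address: Optional[str] = None  # address 1-Click ships to


def card_is_valid(number: str, cvv_matches: bool, processor_ok: bool) -> bool:
    """Stand-in for the processor round trip: charge went through,
    security code matched, and the card is not on the deny-list."""
    return processor_ok and cvv_matches and number not in BAD_CARDS


def authenticate_by_purchase(acct: Account, number: str,
                             cvv_matches: bool, processor_ok: bool) -> bool:
    """A first successful purchase is the authentication event."""
    if not card_is_valid(number, cvv_matches, processor_ok):
        return False
    acct.trust = max(acct.trust, Trust.AUTHENTICATED)
    return True


def enable_one_click(acct: Account, number: str, cvv_matches: bool,
                     processor_ok: bool, device: str, address: str) -> bool:
    """Re-verify the card, then bind the pre-authorization to one device
    and one address. Requires prior authentication."""
    if acct.trust < Trust.AUTHENTICATED:
        return False
    if not card_is_valid(number, cvv_matches, processor_ok):
        return False
    acct.trust = Trust.PREAUTHORIZED
    acct.bound_device = device
    acct.bound_address = address
    return True


def authorize(acct: Account, action: str, device: Optional[str] = None,
              address: Optional[str] = None) -> Tuple[bool, str]:
    """Decide an action. A refusal says which step the customer still needs,
    so the UI can step up instead of dead-ending on a password prompt."""
    needed = REQUIRED_TRUST[action]
    if acct.trust < needed:
        return False, f"step up: {action} needs {needed.name}, account is {acct.trust.name}"
    if action == "one_click":
        # Pre-authorization is scoped, not global: same machine, same address.
        if device != acct.bound_device:
            return False, "unknown device: fall back to full checkout"
        if address != acct.bound_address:
            return False, "new address: re-verify before shipping"
    return True, "allowed"


if __name__ == "__main__":
    acct = Account("customer@example.invalid")  # constructed account
    print(authorize(acct, "checkout"))           # step up: needs AUTHENTICATED
    authenticate_by_purchase(acct, "4111111111111111", True, True)
    enable_one_click(acct, "4111111111111111", True, True, "laptop", "home")
    print(authorize(acct, "one_click", "laptop", "home"))   # allowed
    print(authorize(acct, "one_click", "phone", "home"))    # unknown device
```

The design choice worth noting for a security reviewer is the last two checks: a stolen session on a different machine, or a changed shipping address, drops the customer back to full checkout rather than letting the pre-authorization travel with the account.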
By thinking through the identification, authorization, and authentication process, we can design better experiences for our customers that are both usable and secure.
When we force people to remember their passwords, we are putting the burden on our customers. We can design technology that relieves this burden, using methods like Amazon’s. We can eliminate the need to remember a password altogether. Have you ever authenticated by using your thumb on your phone? How about a security card with a biometric scan? That is two-factor authentication that does not require a password.
There are better ways to design experiences so they are easy for our customers and far more secure. Think about the next experience you are designing.