A Japanese convenience store chain was just trying to keep its customers happy when it released a payment app that allowed them to make mobile purchases in more than 20,000 stores across the country.
Within a day, however, a growing number of users started seeing suspicious charges appear in their accounts. Hackers had discovered a security hole in a user-friendly password reset feature, and within 48 hours bilked about 100 customers out of $500,000 in fraudulent purchases.
When it comes to mobile app design, the user experience is king. Yet in the app world, usability often comes at the expense of security. As much as we all love our go-to apps, consider that 75% of all iOS and Android apps today contain security flaws, according to a 2019 report from Positive Technologies.
In the enterprise, the stakes are even higher. Employees are increasingly dissatisfied with hard-to-use workplace software. Nearly 25% of employees have even considered quitting their jobs because of crappy apps, according to a 2019 survey by the peer-to-peer review site G2. At the same time, IT chiefs need to provide enterprise-level security for increasingly mobile workers.
While tradeoffs between functionality and security are inevitable, “the two are not diametrically opposed,” says Chris Peake, global senior director of trust and security services at ServiceNow. Advances in security technology, he argues, have enabled data access for new consumer services that had been out of reach for years.
“When was the last time you went to your bank to get money, make a deposit, or check your balance?” asks Peake. “Security advancements have transformed online banking. The move to the cloud has also enabled companies to extend their business beyond the confines of on-premise IT systems.”
Security tech can only shoulder so much of the burden. According to UX and security experts, companies can achieve both security and usability goals by adopting an app development process that emphasizes early, cross-team collaboration, more rigorous behavioral research, and more contextual security solutions that get away from rigid reliance on passwords.
“The days of a monolithic app written by one set of developers are gone,” says Patrick Sullivan, global director of security strategy at Akamai Technologies, a cloud security provider. “That’s something that security is really wrestling with.”
Any company today that deploys workplace apps feels the pressure to offer user experiences on par with the simplicity of Uber or Slack. “We can’t put the blindfold on and forget our personal life experience,” says Michael Gleason, product marketing manager at OneLogin, a San Francisco–based company that develops security solutions for enterprise apps.
“If we’re using Amazon, Evernote, and Dropbox at home and then we go into work, it’s like stepping back in time,” Gleason says. Most of OneLogin’s clients, he adds, are keen to recruit top talent, people who “want to be on the bleeding edge of technology and don’t want to be stifled by security policy along the way.”
Modern dev methodologies like agile and security by design can help resolve the conflict. Both are intended to get security and usability teams working together early in the process. Participation in the planning phase can help designers work within appropriate security requirements and write code to specifications.
That approach solves a big pain point for developers. Managers want finished apps on shorter production schedules, but nearly half of application developers today say they don’t have enough time during the development process to address security issues, according to the 2018 DevSecOps Community Survey by Sonatype.
Engineering teams can also use development cycles to test security functions at the same time they test interface, functionality, and usability elements. Contrast that with traditional “waterfall” development, where security controls are often introduced after the development process is underway. That can undermine foundation work, require unplanned code tweaks, and compromise user experience.
Early-stage collaboration also helps developers understand how and where users will interact with desired security features. UX specialists have long tried to do this by building user personas. But research needs to go beyond simple demographic mock-ups to better understand user behavior.
Seemingly small choices can have big consequences. Take two-factor authentication, a popular method for bolstering app security. When a team from the National Institute of Standards and Technology surveyed 30,000 users of a particular enterprise app about their day-to-day experiences using two-factor authentication, it found that even minor changes in how that process was implemented resulted in widely varying user experiences.
It pays to do that kind of homework early in the process. At Akamai, Sullivan’s team tracks trends in security and works with clients to evaluate risk and recommend ways to reduce threats. “The earlier security teams are involved, the easier it is for them to have impact,” says Sullivan.
Ease the password pain
We rely too much on passwords, and there has always been a tension between passwords that are truly secure and passwords that people want to use and find easy to remember without writing them down.
Password over-reliance can be reduced in a number of ways. OneLogin’s approach, creating a secure single point to sign into all enterprise apps, after which access to each can be managed contextually, can be a part of the solution. Many mobile apps also use biometric verification tools such as Apple’s Touch ID.
Delayed authentication is another solution. Amazon, for example, establishes user identity using cookies or IP addresses and demands a password only when it’s time to access stored financial data for a purchase. Similarly, many enterprise users don’t need to access a company’s most sensitive data all the time. By better defining use cases, enterprise apps can identify opportunities for easier security thresholds for applications where the user doesn’t need access to sensitive data.
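A minimal sketch of that delayed-authentication pattern, added here as an illustration and not taken from Amazon, OneLogin, or any product named in this article. The action names, assurance levels, and time limits are constructed assumptions: a session recognized only by cookie or IP can do low-risk things, and a password is demanded only when a sensitive action is requested or the last password check has gone stale.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Assurance(IntEnum):
    ANONYMOUS = 0    # nothing known about the user
    RECOGNIZED = 1   # identified by cookie or IP address only
    PASSWORD = 2     # password (or biometric) verified in this session


# Constructed policy: action -> (minimum assurance, max age in seconds of the
# last password check, or None when freshness does not matter).
POLICY = {
    "browse_catalog": (Assurance.ANONYMOUS, None),
    "view_recommendations": (Assurance.RECOGNIZED, None),
    "pay_with_stored_card": (Assurance.PASSWORD, 900),
    "read_sensitive_record": (Assurance.PASSWORD, 300),
}


@dataclass
class Session:
    user_id: Optional[str]
    assurance: Assurance
    strong_auth_at: Optional[float] = None  # epoch seconds of last password check


def decide(session: Session, action: str, now: float) -> str:
    """Return 'allow', 'step_up' (prompt for the password now) or 'deny'."""
    if action not in POLICY:
        return "deny"  # fail closed: unknown actions are never implicitly low-risk
    required, max_age = POLICY[action]
    if session.assurance < required:
        return "step_up"
    if max_age is not None:
        if session.strong_auth_at is None:
            return "step_up"
        age = now - session.strong_auth_at
        # A negative age means a clock problem or a tampered timestamp.
        if age < 0 or age > max_age:
            return "step_up"
    return "allow"


if __name__ == "__main__":
    shopper = Session("u-1001", Assurance.RECOGNIZED)  # constructed sample session
    for act in ("browse_catalog", "pay_with_stored_card", "export_all_data"):
        print(act, "->", decide(shopper, act, now=1_000.0))
```
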
No matter what technique you use, balancing usability and security starts with a cultural change that embraces both needs. “If you follow all the right procedures and bake security into your culture and development process from the get-go, then it’s no longer a choice,” Gleason says. “It’s the best of both worlds. You’re in that magic quadrant where software is both secure and usable.”
Ultimately, security should enable great user experiences, not inhibit them. “Companies should treat the app-security tradeoffs as a symbiotic relationship,” says ServiceNow’s Peake. “Security is a key component to enabling system usability and delivering end-user value.”