Security and User Experience

Following the basics of good User Experience (i.e. Don’t Make Me Think and Cognitive Load), securing software makes it less usable. There’s no way around it. Security is “friction” by design and “friction” is bad for user experience–it’s a barrier to use. The more security you add, the more friction you add. You might find articles on the Internet with quotes like, “For most systems, adhering to user experience principles and guidelines can actually improve their security.” But, these claims employ a kind of circular logic (and some begging-the-question). In reality, a system that does not require any kind of authentication or access control will have a lower barrier-to-entry, a lower “friction”, a lower cognitive load, a simpler user experience. Granted, the system could make countless other UX mistakes, but all things being equal, no security is easier than some security (which is easier than lots of security).

The more security steps added to software, the less usable it becomes.

But, security is necessary and, by many accounts, passwords are broken. So, systems need to employ more security such as multi-factor authentication, security questions et al. Thus, usability decreases as security needs increase. It’s a fact of life. We just need to understand that with the increase of security, usability decreases.

The key to security is balancing user experience and security (and functionality)

True, there are plenty of ideas for alternative security, but the principle remains, security is “friction” and “friction” is bad for usability.

What are your thoughts?