Notes on Jared Spool’s Fixing the Failures of Authentication UX

(From‘s All You Can Learn library)

Companies lose millions of dollars due to poorly-implemented authentication UX—lost sales, the cost of resetting passwords, etc.

Password guidelines have gotten crazier and more difficult to remember

Security UX (which Jared calls SUX) is usually your customers’ first experience with your brand, yet its design is generally almost an afterthought

Security breaches happen every day

People often end up writing down the security info—not very secure!

Jared suggests using an “If it’s not usable, it’s not secure” argument for improving your SUX

SUX Tool 1: Identification, Authorization, Authentication

People tend to think about SUX in a binary fashion:

  • Logged in or
  • Not logged in

Think of how Amazon knows who you are when you aren’t logged in but you’ve been logged in before in that browser—i.e. Amazon’s cookie from your last visit remembers your name but not your password

Amazon will also allow you to use their one-click purchase method when not logged in

So there are other options:

  • Identified but not logged in
  • One-click enabled—Amazon requires users to opt in to one-click purchase before allowing them to use it when they are identified but not necessarily logged in

A recent SUX pattern is requiring new authorized users to click an email link to prove they’re who they say they are. This pattern has three parts:

  • Identify: Who are you?
  • Authorize: Do you have permissions?
  • Authenticate: Are you who you say you are?

Amazon uses four sources to authenticate new accounts:

  • Authorize purchase with merchant
  • Check shipping address against known problem list
  • Match business address to credit card database
  • Check IP against known problem list

SUX Tool 2: Threat Models and Risk Assessments

Remember Jared’s maxim, Design is the rendering of intent. Here we are building safety systems for the business and also the customer

With Amazon’s one-click button, items can only be sent to an address already on record

  • Hackers would be unable to ship to other addresses. This is how Amazon manages this threat

But Amazon uses different threat models with different designs in different scenarios:

  • Entering a credit card number is always required when buying gift cards—despite having one on file already—to mitigate the chance of money laundering via gift card purchases

Seat belts require the user to buckle them to work; airbags don’t, because they are automatically armed when you start the car.

  • Airbags embed the burden in the system

iMessage does the same thing:

  • When messaging with another iMessage user, the text bubble is blue because it’s encrypted. When messaging with non-users, the bubble is green and unencrypted

SUX Tool 3: User Burden Reduction

Generally, placing the burden on users creates frustration and is prone to accidents. Mistakes are the user’s fault—user error! Which is the opposite of empathy

Whereas building the burden into the system requires higher dev costs and probably innovation—and can still be prone to accidents. Mistakes are the system’s responsibility

So when should we be burdening users vs the system?

SUX Tool 4: Security Perimeters

Think of the airport: first you go through general security to get to a gate, and at the gate you go through another security check with your boarding pass

Surprisingly, Amazon only requires a user to be identified to see all their account options: not authorization or authentication

  • No secure information is shown at this level
  • Any attempt to change a setting will invoke authentication
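The perimeter idea above (identified vs. authenticated states, one-click only to an address on record, any change re-invoking authentication) as an added worked example in Python; this is illustrative code written for these notes, not Amazon’s implementation, and the 15-minute freshness window and the action-to-level table are assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional, Set

class Level(IntEnum):
    ANONYMOUS = 0      # nothing known about the visitor
    IDENTIFIED = 1     # remembered from a prior visit (cookie), no password given
    AUTHENTICATED = 2  # proved identity recently (password, second factor, ...)

@dataclass
class Session:
    user: Optional[str] = None
    authenticated_at: Optional[float] = None   # epoch seconds of last proof
    one_click_opted_in: bool = False
    addresses_on_record: Set[str] = field(default_factory=set)

AUTH_TTL = 15 * 60  # assumed: how long an authentication stays "fresh"

def level(s: Session, now: float) -> Level:
    """Classify the session into the three states the talk describes."""
    if s.user is None:
        return Level.ANONYMOUS
    if s.authenticated_at is not None and now - s.authenticated_at < AUTH_TTL:
        return Level.AUTHENTICATED
    return Level.IDENTIFIED

# Assumed perimeter table: the minimum level each action sits behind.
REQUIRED = {
    "view_account_options": Level.IDENTIFIED,   # menu only, no secret data shown
    "view_saved_cards": Level.AUTHENTICATED,    # secret data: full proof needed
    "change_setting": Level.AUTHENTICATED,      # any change re-invokes auth
    "one_click_purchase": Level.IDENTIFIED,     # plus the checks in decide()
}

def decide(s: Session, action: str, now: float, ship_to: Optional[str] = None) -> str:
    """Return 'allow', 'login' (must identify), or 'step_up' (must authenticate)."""
    current = level(s, now)
    if current == Level.ANONYMOUS:
        return "login"
    if current < REQUIRED[action]:
        return "step_up"
    if action == "one_click_purchase":
        # Threat-model rule from the talk: one-click needs an explicit opt-in and
        # may only ship to an address already on record, so a stolen cookie
        # cannot redirect goods elsewhere. Anything else goes through full auth.
        if not s.one_click_opted_in or ship_to not in s.addresses_on_record:
            return "step_up"
    return "allow"
```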

Why don’t people want to innovate on SUX?

  • This is how we’ve always done it!
  • This is how everyone else does it!
  • These are some of the most dangerous excuses…

Password strength is fetishized even though hackers get data from hacking aggregated password databases—not from hacking individual accounts! This is how data ransoming works

Individuals usually get hacked via phishing emails with attachments

Two-factor authentication is a higher level of password protection

  • Two separate things are required to authenticate
    • Something you know (password), and/or
    • Something you have (device, key), and/or
    • Something you are (biometrics)
  • Though for users, this often becomes
    • Something you’ve forgotten
    • Something you’ve lost

Security questions are NOT two-factor authentication—they are one-factor done twice

  • SecQs actually don’t make the system more secure! They just rack up dollars lost when people forget the answers
  • If it’s not usable, it’s not secure!

OAuth allows hackers to access all sites authenticated with OAuth

As a user, I want to log in.

Probably the world’s most common Agile story. But this isn’t a user story—nobody wants to log in to anything!

When UXers create user journeys, they almost never include the security portion of the journey

Users increasingly use the forgot-password flow by default, rather than remembering assorted passwords

How easy is your forgot-password flow? Factor that into the user journey; it’s going to happen to almost everyone!

SUX Metrics

  • Use these as metrics to improve user experience
  • How many SUX related error messages is the system issuing a day?
  • What are the most common messages?
  • The reset-password pages are often among the top pages on a site! Make sure you are counting everything
  • What % of reset requests are being fulfilled?
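The three metrics listed above computed over a small authentication event log, as an added example written for these notes (not from the talk); the log format and the sample lines are constructed.

```python
from collections import Counter
from datetime import date

# Constructed sample log, one event per line:
#   <ISO timestamp> <event> <user-id> [<detail>]
SAMPLE_LOG = """\
2024-03-01T08:01:10Z login_failed u1 bad_password
2024-03-01T08:01:40Z login_failed u1 bad_password
2024-03-01T08:02:05Z reset_requested u1
2024-03-01T08:05:30Z reset_completed u1
2024-03-01T09:10:00Z login_failed u2 bad_password
2024-03-01T09:10:20Z reset_requested u2
2024-03-01T12:00:00Z login_failed u3 account_locked
2024-03-02T10:00:00Z reset_requested u3
2024-03-02T10:03:00Z reset_completed u3
2024-03-02T11:00:00Z login_failed u4 bad_password
2024-03-02T11:00:30Z login_failed u4 bad_password
2024-03-02T11:01:00Z reset_requested u4
"""

ERROR_EVENTS = {"login_failed"}  # which events count as SUX error messages

def parse(log: str):
    """Yield (day, event, user, detail) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, event, user = parts[:3]
        detail = parts[3] if len(parts) > 3 else ""
        yield date.fromisoformat(ts[:10]), event, user, detail

def errors_per_day(log: str) -> dict:
    """Metric 1: how many SUX-related error messages the system issues per day."""
    counts = Counter(day.isoformat() for day, event, _, _ in parse(log)
                     if event in ERROR_EVENTS)
    return dict(counts)

def most_common_messages(log: str, n: int = 3) -> list:
    """Metric 2: the most frequent error message kinds, with counts."""
    counts = Counter(f"{event}:{detail}" for _, event, _, detail in parse(log)
                     if event in ERROR_EVENTS)
    return counts.most_common(n)

def reset_fulfilment_rate(log: str) -> float:
    """Metric 3: fraction of reset requests that a later completion fulfilled."""
    requests = Counter()
    fulfilled = 0
    for _, event, user, _ in parse(log):
        if event == "reset_requested":
            requests[user] += 1
        elif event == "reset_completed" and requests[user] > 0:
            requests[user] -= 1      # each completion satisfies one open request
            fulfilled += 1
    total = fulfilled + sum(requests.values())
    return fulfilled / total if total else 0.0
```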

Fixing SUX

  • If it’s not usable, it’s not secure!
  • We choose to burden the user or the system
  • We can deliver VIP class experiences that delight users by spreading the burden and embedding as much as possible
  • We can innovate to create better, safer experiences for our users and orgs

Throwaway thought: The IoT is just other people’s computers in your house.

About Jared (from his site): 

Jared M. Spool is the founder of User Interface Engineering and a co-founder of Center Centre.

If you’ve ever seen Jared speak about user experience design, you know that he’s probably the most effective and knowledgeable communicator on the subject today. He’s been working in the field of usability and experience design since 1978, before the term “usability” was ever associated with computers.

Jared spends his time working with the research teams at User Interface Engineering, helps clients understand how to solve their design problems, explains to reporters and industry analysts what the current state of design is all about, and is a top-rated speaker at more than 20 conferences every year.

With Dr. Leslie Jensen-Inman, he is starting a new school in Chattanooga, TN, to create the next generation of industry-ready UX Designers. In 2014, the school, under the nickname of the Unicorn Institute, launched a Kickstarter project that successfully raised more than 600% of its initial goal.

He is also the conference chair and keynote speaker at the annual UI Conference and UX Immersion Conference, and manages to squeeze in a fair amount of writing time. He is author of the book Web Usability: A Designer’s Guide and co-author of Web Anatomy: Interaction Design Frameworks that Work. You can find his writing at and follow his adventures on the twitters at @jmspool.
