Cyberspace is a scary landscape, and it is becoming scarier each day. While people stay (mostly) the same, the technology keeps evolving. In this talk we'll discuss this challenge: how can we use effective UX design to provide a safer online environment? What can we do to make people feel secure? Which techniques enhance online security, and which common practices are ineffective and should be discarded?
2. Ran Liron
Head of UX at CYBERARK
And also...
UX Mentor @ Google Launchpad
UX Program Lead @ The Technion, Continuing Education Division
UXing for more than 20 years
3-5. Cyber Security UX
Cyber Security: protecting computer systems from theft and damage
UX: a person's emotions and attitudes about using a particular product, system or service
Cyber Security UX: protecting people (and computers) from theft, damage and distress
9. Security Experts' Recommendations
231 security experts were asked: "What are the top three pieces of advice you would give to a non-tech-savvy user?"
The result: 152 pieces of security advice...
Google research: 152 Simple Steps to Stay Safe Online: Security Advice for Non-Tech-Savvy Users
10. Password matters
Security Experts' Recommendations
Advice #2: "Use unique passwords"
Advice #3: "Use strong passwords"
Google research: 152 Simple Steps to Stay Safe Online: Security Advice for Non-Tech-Savvy Users
12. Common password requirements
At least:
8 characters
1 lowercase letter
1 uppercase letter
1 special character (!@#$%^&*)
1 number (0-9)
13. Defensive Tools: Password
Common password display method: ********
The problem:
- Requiring a strange, meaningless yet complex string
- The user never sees the password
So... very hard to remember.
21. Security Questions: The Assumptions
If only we were...
Only you know your own history
You don't have to memorize it
Users will answer truthfully
22. Security Questions: The Reality
Only you know your own history? Nope.
23. Security Questions: The Reality
37% admitted to providing fake answers, in an attempt to make them "harder to guess"
40% of Google's English-speaking US users were unable to recall their answers
Google research: "Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google"
34. Don't torment your users: display all of the password requirements together
35. Setting a password: Instructing the user
Set Password: *******
Confirm Password: ********
Password criteria:
- Start with a letter
- Include upper-case letter
- Include lower-case letter
- Include special character (!@#$...)
- Include number
- At least 8 characters

The same criteria, shown together as the user types (every item stays visible and flips from ✘ to ✔):
Nope!
✘ Start with a letter  ✘ Include upper-case letter  ✘ Include lower-case letter  ✘ Include special character (!@#$...)  ✘ Include number  ✘ At least 8 characters
✘ Start with a letter  ✔ Include upper-case letter  ✔ Include lower-case letter  ✘ Include special character (!@#$...)  ✘ Include number  ✔ At least 8 characters
✘ Start with a letter  ✔ Include upper-case letter  ✔ Include lower-case letter  ✔ Include special character (!@#$...)  ✔ Include number  ✔ At least 8 characters
✔ Start with a letter  ✔ Include upper-case letter  ✔ Include lower-case letter  ✔ Include special character (!@#$...)  ✔ Include number  ✔ At least 8 characters
Set Password: ************************
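The "show all requirements together" rule from slide 35, as an added example (not code from the talk or from CyberArk): a validator that evaluates every criterion on each keystroke and returns the whole checklist, so the form never rejects only the first failure it finds. The special-character set is assumed from slide 12 (!@#$%^&*), and the sample passwords are constructed for illustration.

```javascript
// Added example: evaluate every password criterion at once and return the full
// checklist, so the UI can render the complete ✔/✘ list instead of one error.

// Special-character set assumed from the deck's slide 12 (!@#$%^&*).
const SPECIAL_CHARS = /[!@#$%^&*]/;

// One entry per rule shown on the slide, in the slide's order.
const PASSWORD_CRITERIA = [
  { label: "Start with a letter",                  test: (pw) => /^[A-Za-z]/.test(pw) },
  { label: "Include upper-case letter",            test: (pw) => /[A-Z]/.test(pw) },
  { label: "Include lower-case letter",            test: (pw) => /[a-z]/.test(pw) },
  { label: "Include special character (!@#$...)", test: (pw) => SPECIAL_CHARS.test(pw) },
  { label: "Include number",                       test: (pw) => /[0-9]/.test(pw) },
  { label: "At least 8 characters",                test: (pw) => pw.length >= 8 },
];

// Runs every criterion; never short-circuits on the first failure.
function checkPasswordCriteria(password) {
  return PASSWORD_CRITERIA.map(({ label, test }) => ({ label, ok: test(password) }));
}

function passwordMeetsAll(password) {
  return checkPasswordCriteria(password).every((c) => c.ok);
}

// Text rendering that mirrors the slide's list; a real form would update DOM
// nodes on the input field's "input" event instead of building a string.
function renderChecklist(password) {
  return checkPasswordCriteria(password)
    .map(({ label, ok }) => `${ok ? "\u2714" : "\u2718"} ${label}`)
    .join("\n");
}

// Full-form check: the checklist plus the confirmation field, reported
// together so the user sees every remaining problem at once.
function validateForm(password, confirmation) {
  const checklist = checkPasswordCriteria(password);
  const matches = password === confirmation;
  return { checklist, matches, ok: checklist.every((c) => c.ok) && matches };
}

// Constructed inputs walking through the states shown on the slide.
for (const sample of ["", "1Passw0rd!", "Passw0rd!"]) {
  console.log(`--- "${sample}"\n${renderChecklist(sample)}`);
}
```

Because `checkPasswordCriteria` always returns all six results, the rendering code has no special case for "first error"; wiring `renderChecklist` to the field's `input` event reproduces the progressive ✘ to ✔ build from the slide.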
36. If only there was...
A way to create passwords that is both secure and easy to remember, and has almost no requirements...
37-38. There is a way!
Try to remember this: ********
Now try this: I love my fluffy bunny
39. Why is a passphrase better than a password?
Set Password: ***********************
We recommend using a meaningful phrase.
You may use any character, including spaces.
Minimum 20 characters total.
For example: "I love my fluffy bunny".
This is nice and simple.
(Caveat: any phrase you print as an example will be typed in verbatim by some users, so reject it, together with other well-known phrases, when the password is submitted.)
40. Why is a passphrase better than a password?
Longer = more secure (against guessing attacks, provided the phrase is not a famous quote or a single word repeated)
Easier to remember = more convenient AND more secure
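The passphrase policy from slides 39 and 40, as an added example (not code from the talk or from CyberArk): any character and spaces are allowed, the only hard rule is the 20-character minimum, and two checks a practitioner would add on top (rejecting well-known phrases, including the example the UI itself prints, and rejecting length that comes only from repetition). The `compareAttackerCost` function backs the "longer = more secure" claim with search-space arithmetic; the alphabet sizes, the 10,000-word vocabulary and the blocklist are assumptions constructed for illustration.

```javascript
// Added example: passphrase policy per the slide (spaces allowed, minimum 20
// characters) plus a rough attacker-cost comparison against an 8-character
// "complex" password. Blocklist and attacker-model sizes are assumptions.

const MIN_PASSPHRASE_LENGTH = 20;

// Constructed blocklist. A deployment would use a breach-derived list; the
// deck's own example phrase is included because published examples get guessed.
const KNOWN_PHRASES = new Set([
  "i love my fluffy bunny",
  "correct horse battery staple",
  "the quick brown fox jumps over the lazy dog",
]);

// Lower-cased words, with runs of whitespace collapsed, so "I  Love My" and
// "i love my" compare equal against the blocklist.
function words(phrase) {
  return phrase.trim().toLowerCase().split(/\s+/).filter(Boolean);
}

// Every finding is returned at once, in the same ✔/✘ checklist shape the
// password form uses, so the UI never hides a failure behind another.
function checkPassphrase(phrase) {
  const ws = words(phrase);
  const compact = ws.join("");
  return [
    { label: `At least ${MIN_PASSPHRASE_LENGTH} characters (spaces count)`,
      ok: phrase.length >= MIN_PASSPHRASE_LENGTH },
    { label: "Not a well-known phrase",
      ok: !KNOWN_PHRASES.has(ws.join(" ")) },
    // Catches "bunnybunnybunnybunny" and "aaaaaaaaaaaaaaaaaaaa": length with no variety.
    { label: "Not a repeated pattern",
      ok: !/^(.+?)\1+$/.test(compact) },
  ];
}

function passphraseAccepted(phrase) {
  return checkPassphrase(phrase).every((c) => c.ok);
}

// Bits of work for an attacker forced to enumerate every combination of
// `length` symbols drawn from an alphabet of `alphabetSize`.
function searchSpaceBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// Three attacker models (sizes are assumptions for illustration):
//  - 8-character "complex" password over 94 printable ASCII symbols
//  - the 22-character slide passphrase guessed character by character over a-z plus space
//  - the same passphrase guessed as 5 words drawn from a 10,000-word vocabulary
// The word-based model is the honest one for a phrase of common words; it is
// still well above the complex 8-character password.
function compareAttackerCost() {
  return {
    complex8: searchSpaceBits(8, 94),
    passphraseByChar: searchSpaceBits(22, 27),
    passphraseByWord: searchSpaceBits(5, 10000),
  };
}

console.log(checkPassphrase("I love my fluffy bunny"));
console.log(compareAttackerCost());
```

Note that the slide's own example fails the policy here on purpose: once a phrase is displayed to every user it belongs on the blocklist, and a user who needs a prompt should be nudged toward a phrase of their own rather than the one on screen.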
45. Takeaways
Drive effective user behavior to increase security:
1. Don't use security questions or CAPTCHA
2. Display all the password requirements together
3. Allow users to see their passwords
4. Promote passphrases instead of passwords
5. Encourage users to keep their software up-to-date
47. References
Google research:
- 152 Simple Steps to Stay Safe Online: Security Advice for Non-Tech-Savvy Users
- Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google
- Are you a robot? Introducing "No CAPTCHA reCAPTCHA"
Mozilla blog: Exploring the Emotions of Security, Privacy and Identity
SogetiLabs blog: UX & Security, Part 2: Account Registration
I'm not a human: Breaking the Google reCAPTCHA
Michael McIntyre: Comedy Gala