Design Better
Heidi Trost: Human Centered Security

Episode 134 of the Design Better Podcast

Designing a good security experience is hard. Every time we run into one of those security CAPTCHAs that require you to “identify all the motorcycles” in the tiled images, we want to give up and surrender to our robot overlords…or throw our laptop out the window.

Our guest today, Heidi Trost, just published a book called Human-Centered Security: How to Design Systems That Are Both Safe and Usable. In the book, Heidi aims to help people who are “tired of hearing things like ‘humans are the weakest link’ and instead want to focus on designing more secure, more resilient systems.”

In our conversation, we spoke with Heidi about the metrics we can use to measure the quality of the security experience, why the login/password recovery is so broken—even for companies that are good at UX design—and some ways to approach user testing for security.

Bio

Heidi Trost is a UX leader who helps cross-disciplinary teams improve the security user experience. With a background in UX research, Heidi does this by helping teams better understand the people they are designing for, as well as the security threats that may impact people and systems negatively. Heidi is also the host of the podcast, Human-Centered Security, where she interviews security experts and people who design for the security user experience. When not thinking about security, you can find her in a sunny spot reading a book, hiking, or riding horses.


Insights from the episode

Below are some insights drawn from our interview with Heidi, including a framework for UX security improvement and user research approaches for security.

1. Security is a User Experience Issue

Heidi emphasizes that security challenges are fundamentally UX issues:

"This is really a user experience issue... When I can't log in, when I get a phishing email or something that looks suspicious and I say to myself, is it legitimate? Is it deceptive? ... When I have to enable two-factor authentication, I know I should, but it's really, really annoying."

This reframes security from a purely technical consideration to one that directly impacts user satisfaction and product adoption.

2. The Security Ecosystem Has Three Key Players

Heidi presents a framework for understanding security design challenges:

"There are kind of like three main players in this ecosystem. So you have your end user, and I like to call her Alice... And then you have the security user experience, which I like to personify as Charlie... And then you have threat actors."

This dynamic triangle helps explain why security UX is so challenging - changes to any corner affect the others in a continuous cycle.

3. Security Impacts the Entire User Journey

Security isn't just about login screens:

"Security impacts end users at every part of the user journey... Even like the way that you're wording your privacy policies, even the things that you say on your marketing website are impacting the security user experience."

Especially critical is the onboarding phase: "You have kind of the user's focused attention during onboarding and setup. And their decisions at this point in time could mean whether or not their account gets compromised later."

4. Cross-Disciplinary Collaboration is Essential
