User Experience Friction in Security is Real

Here’s how analytics can help manage it

There’s a delicate balancing act when it comes to access, the user’s experience and how much friction is added for security.

If there’s one area in software where we need to dynamically modulate user experience friction (UXF), it’s in security. And for good reason. While we always want to provide a great user experience with as few security checkpoints as possible, sometimes there’s a need for additional authentication measures to ensure a user is who he or she claims to be. The trick is knowing when you truly need to step up authentication.

User experience friction – real and not-so-spectacular

According to Pfeiffer Consulting, UXF is basically the slow-down or friction that occurs when the user experience deviates from our expectation or knowledge.

When designing security features and introducing them into the user experience, we find ourselves in a delicate balancing act between security and accessibility. This tends to be a zero-sum game, with any incremental increase in security resulting in greater friction for the user to overcome.

Externalities like friction have been studied in economics, which provides us with at least some analogous wisdom. For instance, in the hypothetical scenario where we introduce incremental increases in production, what is the result? We introduce pollution, pure and simple. Efficient production comes at a cost.

Applying this to security gives us a corollary – if you want to have a secure user engagement, you’re going to have to accept some friction in the user experience. This brings us right back to the delicate balancing act of security and accessibility.

What if we could have it all – a great user experience with a stronger level of security – without the friction?

Analytics helps deliver a great experience and security, without the extra hurdles

Leveraging analytics in a security product has many benefits, but the potential for modulating friction doesn’t receive as much attention as it should, in part because friction is difficult to quantify and measure.

This is where analytics becomes particularly relevant, since there are two levers to pull – detection and mitigation. Analytics can deliver a more granular understanding of which activities are relevant, and which mitigations are most effective for securing a given environment.

Before analytics, we had simple trigger scenarios that cued step-up authentication; now we can adjust both the trigger and the outcome from an informed, data-driven perspective. Analytics effectively turns a friction “cliff” into a navigable, step-wise function, which becomes even more manageable as our dataset grows.

Manageability can be a massive asset. Consider how much time and resources are wasted when a regular user needs continuous access to a privileged account to do his or her job. Instead of forcing users to re-authenticate every time they need to perform an action, we can leverage analytics to understand where that action lives on the spectrum of riskiness.

Perhaps it’s enough to observe and record what a given user is doing instead of dragging him or her through the friction-laden process of validating his or her identity at every step of the way. Now think about needing hundreds or thousands of users to re-authenticate. You can see how positive an impact analytics can have on overall security and accessibility.
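To make the “cliff” versus step-wise contrast concrete, here is an added example (not code from this article or from any CA product) that counts re-authentication prompts for one privileged session under a simple trigger and under a graded policy. The signals, weights, thresholds and session events are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    action: str
    privileged: bool
    sensitivity: int     # assumed scale: 0 (routine) .. 50 (destructive)
    known_device: bool
    usual_hours: bool

def risk_score(e: Event) -> int:
    """Illustrative 0-100 score; the weights are assumptions, not a vendor model."""
    return e.sensitivity + (0 if e.known_device else 30) + (0 if e.usual_hours else 20)

def cliff_policy(e: Event) -> str:
    """Simple trigger: every privileged action forces re-authentication."""
    return "step_up" if e.privileged else "allow"

def stepwise_policy(e: Event) -> str:
    """Graded outcome: the mitigation scales with the risk score."""
    if not e.privileged:
        return "allow"
    score = risk_score(e)
    if score < 30:
        return "allow"
    if score < 60:
        return "record_session"   # observe and record, no prompt
    if score < 90:
        return "step_up"
    return "deny"

def prompt_count(policy, events) -> int:
    """Friction proxy: how often the user is asked to re-authenticate."""
    return sum(policy(e) == "step_up" for e in events)

# Constructed session for one administrator (sample data, not real logs).
SESSION = [
    Event("list services", True, 10, True, True),
    Event("read config", True, 20, True, True),
    Event("restart service", True, 40, True, True),
    Event("rotate credentials", True, 50, True, True),
    Event("restart service", True, 40, True, False),   # outside usual hours
    Event("delete audit log", True, 50, False, False),  # unknown device, off hours
    Event("view dashboard", False, 0, True, True),
]

if __name__ == "__main__":
    for e in SESSION:
        print(f"{e.action:20} score={risk_score(e):3} -> {stepwise_policy(e)}")
    print("prompts (cliff):    ", prompt_count(cliff_policy, SESSION))
    print("prompts (step-wise):", prompt_count(stepwise_policy, SESSION))
```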

As we build our security products, we’re constantly exploring innovative ways to balance security with the user experience. This is why CA Technologies has analytics as a core element in our security product strategy, making it available across our entire portfolio to operate invisibly in the background to deliver the intelligence needed to stomp out user experience friction when it comes to security.

About the author

Nickolaus Groh is a Sr. Principal Product Manager for the CA Privileged Identity Management and Privileged Access Management product lines. Prior to joining CA, he was the Principal Strategy Officer at RSA, responsible for managing market intelligence, M&A and technology integrations across the product portfolio.