The right time for security

What if the right time for security ceremonies, like resetting a passcode, was based on user activity and location?

The end of July and August flew by. My first summer free of Covid restrictions, meant wedding season and travelling. I hope you enjoyed yours too.

Before I begin - trigger warning, this post is about passwords.

The other day I was sat with a friend as they set up their new phone. They got to the “set up your passcode” part of the user journey, and looked up at me. They said, “At work we’re told it’s best practise to reset passwords every three months or so.” I could sense they were deliberating whether to make a new passcode now.

I thought, oh hell no.

If you have seen user research to do with changing passwords, you will likely have had a similar reaction to me. Ok, so changing passwords may increase security, but new passwords are really hard to remember. Especially when someone is having to do lots of things at once, like setting up a new phone.

The truth is that people often forget their new password. Because of this, people often try to make their new password more memorable by adding one digit to their old password. “Secret1” becomes “secret12” and so on, which defeats the purpose of the change. But in the case of a phone passcode, there’s a limit to the number of digits so users have to reset the passcode.

Alas, my friend chose to set a new passcode…

Then, they had to restart their phone.

But after restarting the phone needed their new passcode. Biometric entry was not an option.

They were logged out.

They could not remember their new passcode.

An hour passed. After so many wrong attempts, the phone began enforcing a timeout.

My friend’s frustration grew and at one point they contemplated throwing the phone out the window.

This is a classic story of un-useable security. Password renewal is a good idea in certain circumstances. For example, when someone else may know the password or if it has been stolen. But the timing of when you encourage a user to set a new password matters. When a user is busy, distracted, tired or multitasking is not a good time for security.

I wish that the phone’s user journey had helped my friend understand this. There were so many opportunities within the set up to use design to educate them about best practise. To help guide them through a new passcode set up in the safest and most user friendly way. The right time for security is, perhaps, not at set up. So, when is the right time?

The answer is that the right time for security is dependent on context. In the case of setting up a new phone, perhaps there could be a delay. What about 24 hours after set up? Based on activity and location the phone could select a time when the user is more likely to be free of distractions. Then the phone could help the user remember their new passcode through re-entry. The messaging App Signal often asks me to re-enter my PIN, and my bank card is the same. Both help me remember my PIN number by asking me to repeat it.

We can do more to help educate users about security. We can make user journeys safer and more empowering for users. We can consider the right time for security.

Footnote: Later that evening, my friend remembered their new passcode. Huzzah!
Sarah Gold
I'm a values driven leader working on redesigning trust in technology.