UX tip: Design should make clear which security choice is safer

Better user experience has even started to reach into security.
It had always been that security was the more austere, severe side of the internet, with warnings that pop up as strange and severe. Error 403: Forbidden.

In Google Chrome’s early days, Adrienne Porter Felt, a security researcher and software engineer on Google’s security team, says the browser didn’t manage much more than to tell you you’d screwed up when you hit a security error and it wanted you to turn back.
“I’m not just picking on my own product,” Felt said at a recent Etsy Code As Craft talk. “You see this on Microsoft and Facebook, too. They show you security warnings and it’s not always clear what you should do.”
Google has realized that this is less than helpful — especially if keeping the web secure is in their interest as well as yours. So, the team at Chrome has been working to come up with friendlier, more helpful user warnings.
Here are a few takeaways from Felt’s talk:

• When possible, telling users how to fix an error will make them feel better than just advising them to turn back.
• For security warnings to be actionable, they have to be self-diagnostic.
• Help forums can actually be a fast way to find the easy fixes. Users will post problems they are having and other users will share solutions. This can help to find the broadest problems.
• Chrome was able to deal with about 20 percent of errors by diagnosing problems with users’ clocks and their WiFi connections.
• Candy Crush Saga is a security problem. Many SSL errors are the result of clocks set wrong, because changing clock settings is a hack to get more out of the game before it locks you out.
• Chrome will soon give users the option to upload information about their computer’s state at the moment of an error, so they can diagnose more of the trickier errors.
• Another way to keep users safe was to strongly suggest the more secure action. This is called “opinionated design.” That is, Chrome makes it clear what it thinks you should do.
  
  

  An opinionated SSL warning. The friendly blue box shows the right choice.

• With A/B testing, Google engineers found that design was definitely more powerful than text in achieving the more secure action. “Basically, just by looking — without even reading — you should be able to tell what Chrome is recommending,” Felt said.
• Chrome users are currently taking what Google believes to be the more secure action 62 percent of the time because of opinionated design.
• Go deeper on this topic with Felt’s slides.

You can watch the entire presentation on Livestream: