Disclaimer: this post was written as part of my “ethics & digital world” course when COVID-19 first hit and classes moved to a distance format. It may contain heavy banter. The topic for that week was “Usability”. Original post here.
Usability. A critical aspect few pay attention to unless it causes them a headache. Good user experience (UX) is often overlooked unless it is innovative; mistakes in usability and UX, however, are frowned upon, and they consciously or unconsciously shape how, and whether, we use a product.
Good application design is good for productivity, avoids support costs down the line and improves general user satisfaction; it also appeals to a wider audience by removing barriers of accessibility or understanding. In contrast, unintuitive or downright obtrusive interfaces can leave users unable to complete their actions, lead them to make wrong ones, or frustrate them so much that they quit the platform altogether.
The more critical the use and field of a product, and the more extensive the control given to a user, the more important good interfacing and usability become. One of the highest-stakes online activities is electronic banking, which goes hand in hand with authentication.
When banking enters the game, Switzerland and Luxembourg are not far away. UBS won’t be getting a Golden Raspberry today though, as their digital banking deserves a whole post on its own. Instead, it will be LuxTrust walking down the carpet.
LuxTrust (LT) is a Luxembourg-based company providing authentication and security tokens for high-stakes Luxembourgish services. At first it served banks; it has since become the national means of electronic authentication, analogous to the Estonian ID card.
As a disclaimer, while aesthetics do not necessarily correlate with usability, they are often linked in some way, if only through the motivation of the developers. In the case of LuxTrust, Chekhov’s gun is honoured: their website lays questionable UX on the table, and the services provided make extensive use of it.
At first there was nothing. Taking that into account, it was quite significant when LT came out with their signing token. You press a button, it displays a code, and you can then use that code to authenticate yourself. The token was particularly vulnerable to the desync issue, which happens when the button is pressed multiple times and none of the codes are used, causing the server and token to become desynchronised. While unfortunate, it’s not unheard of, so it can be blamed on the user and the company forgiven.
An elegant weapon for a more civilised age.
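The desync described above is the classic failure mode of a counter-based (HOTP, RFC 4226) button token: every press advances the token's counter, the server's counter only advances when a code is actually accepted. The standard mitigation is a server-side look-ahead window that resynchronises on a successful match. The example below is added here to illustrate that; it is not LuxTrust's code and does not describe their token's internals. The secret is the RFC 4226 test-vector key, the `Token` class is a simulation of a button press, and the window size is a constructed choice.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class Token:
    """Simulated button-press token (constructed for this example): every
    press advances the counter, whether or not the code is ever submitted."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class HotpVerifier:
    """Server side. `look_ahead` is the resynchronisation window of
    RFC 4226 section 7.4: how many idle presses the server tolerates."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.counter = 0            # next counter value the server expects
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for step in range(self.look_ahead + 1):
            candidate = self.counter + step
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                # Accept and jump past the idle presses, so this code and
                # every earlier one can never be replayed.
                self.counter = candidate + 1
                return True
        # No match inside the window: token and server are desynchronised
        # and an out-of-band resync is needed (the situation the post describes).
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 4226 test key, not a real seed
    token = Token(secret)
    server = HotpVerifier(secret, look_ahead=2)
    token.press()                          # two idle presses
    token.press()
    print("third press accepted:", server.verify(token.press()))
    for _ in range(3):                     # three more idle presses
        token.press()
    print("press beyond window:", server.verify(token.press()))
```

A wider window makes the token more forgiving of idle presses but also gives an attacker more acceptable codes per guess, which is why RFC 4226 pairs the look-ahead with throttling on failed attempts.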
Then came the mobile authentication. No, it’s not SMS. In all honesty, it is infinitely superior to SMS, because not only is it invulnerable to SS7 attacks, it is invulnerable to any form of tampering. In fact, its security is so good that you can’t even use it to authenticate yourself. The first time you try to pair your phone’s app with your account, you blame it on yourself. Then you try again, and it still doesn’t work. You then go to your account to remove the bricked devices, only there is no option for that. You can pair up to three apps, but you can’t remove any. Contact support? They can’t do it either. That’s how good the security is.
Later came scanning, smartcard and signing-stick features, which did in fact work, and quite well. However, there’s no use in them working if you can’t log in to your account. Indeed, when you create your password, you can submit it without any form of validation. Except that once you try to log in, the form won’t let you input more than 12 characters, even if your chosen password was longer and you had no way of knowing that (it will also refuse your six-character password in which you converted an “a” into “@” for maximum security).
You’re locked out, angry, and decide to reset your password. Except that to do so you need the initial password and initial username that were sent to you by SMS when your account was created. Mind that if you lose access to both of these, you essentially need a new identity to request the service again.
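The lockout above comes from two forms enforcing two different rules: registration accepted anything, while login clipped the input at 12 characters and refused “@”. The fix is one shared policy object, applied to the untruncated string on both sides, with rejection (and a reason) at creation time rather than silent refusal later. The code below is an added illustration of that pattern, not LuxTrust's code; the length bounds are constructed, and `legacy_login_form_filter` is a model of the behaviour the post describes, written here only to show the mismatch.

```python
import hashlib
import hmac
import os
from typing import Optional

# Single source of truth for both forms. Bounds are constructed for this
# example, not the real limits of any service.
MIN_LENGTH = 8
MAX_LENGTH = 128


class PasswordPolicy:
    def validate(self, password: str) -> list:
        """Return every rule the password breaks (empty list means accepted)."""
        errors = []
        if len(password) < MIN_LENGTH:
            errors.append(f"shorter than {MIN_LENGTH} characters")
        if len(password) > MAX_LENGTH:
            errors.append(f"longer than {MAX_LENGTH} characters")
        if not password.isprintable():
            errors.append("contains non-printable characters")
        return errors


class AccountStore:
    """Registration and login run the same policy over the same, unclipped string."""

    def __init__(self, policy: PasswordPolicy) -> None:
        self.policy = policy
        self.users = {}          # username -> (salt, pbkdf2 hash)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str) -> None:
        errors = self.policy.validate(password)
        if errors:
            # Tell the user now, instead of accepting anything and
            # refusing it at login with no explanation.
            raise ValueError("; ".join(errors))
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(password, salt))

    def login(self, username: str, password: str) -> bool:
        # Same bounds as registration; over-long input is rejected, never clipped.
        if self.policy.validate(password):
            return False
        record = self.users.get(username)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(self._hash(password, salt), stored)


def legacy_login_form_filter(password: str) -> Optional[str]:
    """Constructed model of the mismatch described in the post: the login
    form refused '@' outright and silently clipped input at 12 characters."""
    if "@" in password:
        return None
    return password[:12]
```

Run against a 28-character password, the legacy filter hands the server a 12-character prefix whose hash cannot match, which is exactly the lockout the post describes; the shared policy rejects a six-character “p@ssw0” at registration instead, before the user has come to depend on it.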
The key takeaway is that major banks almost moved away from using LT’s services, and many users were angry. To this, all LuxTrust said in response was “Nobody has cracked the system yet”. They did improve in the end, and while the service as a whole is still janky at best, it works reliably now and remains uncracked.
Microsoft did some good design, can you believe that? Continuing on the topic of two-factor authenticators (2FA), ease of use that doesn’t come at the cost of good security is essential to build a trusting user base and guarantee smooth operation.
The application has a straightforward user interface: upon opening it, you are presented with a screen listing all your accounts with their codes. You can tap a caret to show or hide a code, which is a great privacy feature and saves some screen real estate, and if you tap the code while it is shown, it is copied to the clipboard. If the code is hidden, you can tap and hold for one second to copy it.
Microsoft’s authenticator offers optional cloud syncing (previously pioneered mainly by Authy, another 2FA app), Microsoft account integration as well as company integration, the ability to disable and enable in-app screenshots (on Android), and a built-in screen lock.
The account integration allows the application to show a pop-up with a confirmation dialog when a Microsoft service needs to verify your identity; based on phone usage and the sensitivity of the request, you might be required to tap the one of three confirmation codes that matches the one displayed on the website. If app lock is enabled, you may also be prompted for your passcode or biometrics to confirm the request.
What makes this stand out over Google’s one-tap for Android phones is that it’s integrated within the authenticator itself and is a lot less invasive: you can dismiss or ignore the notification, and you can ask the app to check for pending requests again until the server times out.
For non-Microsoft accounts there is an easy way to rename them, and all accounts can be rearranged by simply dragging them up or down. Clean, simple, elegant, with all the core features you’d expect but no extra bells and whistles.
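The number-matching push flow in the two paragraphs above is worth seeing from the server's side, because it is what turns a blind “Approve” tap into proof that the person holding the phone is also looking at the sign-in page. The sketch below is an added example of that flow, not Microsoft's implementation: the server issues a request with a number shown on the website plus two decoys for the app, a request is single use (a wrong tap consumes it), and pending requests expire after a constructed 60-second TTL, which is what the app's re-check runs up against. Clock values are injected so the expiry path can be exercised deterministically.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class PushChallenge:
    user: str
    expected: int        # number the website shows the signing-in user
    options: list        # three numbers the app offers, exactly one correct
    expires_at: float


class PushApprovalServer:
    """Server side of push approval with number matching (constructed model)."""

    def __init__(self, ttl_seconds: float = 60.0) -> None:
        self.ttl = ttl_seconds
        self.pending = {}       # request_id -> PushChallenge

    def create(self, user: str, now: Optional[float] = None):
        """Start a sign-in request; returns (request_id, number for the website, app options)."""
        now = time.time() if now is None else now
        numbers = []
        while len(numbers) < 3:                  # three distinct two-digit numbers
            n = secrets.randbelow(100)
            if n not in numbers:
                numbers.append(n)
        expected = numbers[0]
        options = list(numbers)
        secrets.SystemRandom().shuffle(options)  # decoys and answer in random order
        request_id = secrets.token_urlsafe(16)
        self.pending[request_id] = PushChallenge(user, expected, options, now + self.ttl)
        return request_id, expected, options

    def _purge_expired(self, now: float) -> None:
        for rid in [r for r, c in self.pending.items() if now > c.expires_at]:
            del self.pending[rid]

    def pending_for(self, user: str, now: Optional[float] = None) -> list:
        """What the app fetches when the user asks it to re-check for requests."""
        now = time.time() if now is None else now
        self._purge_expired(now)
        return [rid for rid, c in self.pending.items() if c.user == user]

    def approve(self, request_id: str, selected: int, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        challenge = self.pending.pop(request_id, None)   # single use, whatever the outcome
        if challenge is None:
            return "unknown"
        if now > challenge.expires_at:
            return "expired"
        if selected != challenge.expected:
            return "mismatch"                            # wrong tap ends the request
        return "approved"

    def deny(self, request_id: str) -> bool:
        """Explicit dismissal from the app; ignoring the prompt has the same effect at TTL."""
        return self.pending.pop(request_id, None) is not None
```

Consuming the request on a mismatch matters: a prompt the user did not initiate cannot be approved by tapping through the options one at a time, and the sign-in page has to start over, which is visible to the legitimate account holder.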
Clean user interfaces and an intuitive user experience facilitate the use of an app and significantly improve reliability. Both contribute to increased trust and to adoption in critical applications where hiccups are likely to cause harm, be it to the image or to the assets of a company or user.
Hopefully the disaster that was LuxTrust not many years ago serves as a lesson not only to other authentication services but to any interface or application designer, reminding all of us how crucial good design really is. A lot can also be learnt from Microsoft, whose application is successfully used by large companies relying on their services, as well as by many users who might not even be using those services or the Windows operating system.
As to why good design often goes unnoticed: intuitiveness, and thus “invisibility”, is the key foundation of great user experience, so the next time you use an application without inconveniences or hiccups, think to yourself “nice”.