Security and Usability

Security and usability

In general, security and usability often come into conflict with one another. After all, security is designed to make things tougher for the bad guys and usually some of this spills over onto regular, non-malicious users, making their experience often less easy than it should be.

One good example of this is with authentication. Authentication is perhaps the cornerstone of most computer security systems and is a crossroads where security, usability and other important matters meet. Designing a good authentication system requires consideration of all these points if it is to be effective at keeping bad guys out while still allowing normal users access. However, a few simple steps can be taken to alleviate the burden that such systems place on users. As an example, I’ll look at online credit card payment.

Already a nightmare

Payment by a credit card online can already be a tedious process. First you have to enter a long 16-digit number, followed by another number (usually called the “security code” or CVC), and finally the expiration date. (For those using “Verified by Visa”, you may also have to enter a password after this process) Compounding this situation is the fact that many payment systems that accept credit card info are horribly designed from a usability point of view.

If you buy a lot of stuff online, you’ll know what I’m talking about. Some sites warn you “not to include any spaces” when entering the credit card number. As if entering a 16-digit number wasn’t tedious enough, but now you’re forced to enter it without any separators of any sort. Long sequences of numbers are notoriously hard to discern or deal with for most people, which is one reason why phone numbers are broken up into chunks of three or four numbers, and why your credit card number is broken up into four-digit groupings in the first place.

Requiring the user to enter in a string of 16 digits without any spaces just to satisfy a system requirement is a poor example of usability, especially when it’s trivial to just strip out spaces (or hyphens or any separators for that matter) on the server-side.

Keep it simple

Furthermore, many sites require you to enter the expiration date in using a drop-down menu that often lists the textual names of the months, instead of its numeric representation. While using the textual representation is probably better in most situations since this is how humans naturally communicate, in the context of credit card info, a numeric representation is preferred. Why? Simply because that’s how it’s been done on the credit card itself. When you force the user to choose the textual representation of a month when the numerical one is listed on the credit card, this in turn forces them to perform the translation in their head, slowing things down. While this may seem like a very minor point, the idea here is to make things as streamlined as possible.

There’s hope

Google Checkout

I recently used Google Checkout and was pleasantly surprised that they had implemented simple things like this to keep the purchase process as pain free as possible. Adding a credit card to use for a purchase was much easier than for some other online payment systems I’ve used. The card’s number is automatically formatted for you, adding dashes where appropriate, and not forcing you to enter the numbers in some specific way.

Furthermore, you’re not required to select what type of credit card you’re using. Google Checkout seems to automatically determine what type of card you’re using – MC, Visa, Discover or Amex – based on the number itself, highlighting the appropriate image icon of that card. Kudos to them for removing a potentially redundant step. Additionally, the expiration date is entered in the same MM/YY format as is present on the credit card itself. You simply enter in the digits, and it’s converted for you – no drop-downs required!

Google may may not be the perfect “do no evil” company anymore, but one thing I like about their services is that they’re often easy to use. Most of them are simple, and score high points with me for usability, and Google Checkout was no different. Here, they took a different approach to the task, resulting an optimal solution between security and usability. Basically, by using simple techniques to lighten the burden on users, they gained an increase in usability without having to trade away anything in security.

With all the good that Google Checkout is providing to its users, it’s a shame that eBay continues to forbid its usage on their site as a method of payment. This choice was obviously made to protect Paypal, the eBay-owned rival payment service to Google Checkout. Perhaps, and hopefully, things will change in the future.

Comments for this entry are closed

But feel free to indulge in some introspective thought.