
In our conversation with security UX expert Heidi Trost, we learn about the metrics we can use to measure the quality of the security experience, why the login/password recovery is so broken—even for companies that are good at UX design—and some ways to approach user testing for security.
Heidi Trost
You have kind of the user's focused attention during onboarding and setup, and their decisions at this point in time could mean whether or not their account gets compromised later, or whether or not there is a potential entry point for attackers later on.
Eli Woolery
Designing a good security experience is hard. Every time I run into one of those security captchas that requires you to identify all the motorcycles in the tiled images, part of me wants to give up and surrender to our robot overlords, and the other part wants to throw my laptop out the window.
Aaron Walter
Our guest today is Heidi Trost, who just published a book called Human Centered Security: How to Design Systems That Are Both Safe and Usable. And in her book, Heidi aims to help people who are tired of hearing things like "humans are the weakest link." Instead, she wants to focus on designing more secure, more resilient systems. In our conversation, we spoke with Heidi about the metrics that we can use to measure the quality of the security experience, why the login/password recovery system is just so broken, even for companies that are good at UX design, and some ways to approach user testing for security. This is Design.
Eli Woolery
Better, where we explore creativity at the intersection of design and technology. I'm Eli Woolery.
Aaron Walter
And I'm Aaron Walter. At Design Better, our primary mission is to produce work that helps people like you refine your craft, improve your collaboration skills, and get inspired by the creative process of others. If you enjoy what we do here, the best way to support us is to become a Premium subscriber at designbetterpodcast.com/subscribe. We'll return to the conversation after this quick break. The number one reason designers leave a job is they feel they're just not growing. Great educational resources are essential to retain and nurture talent. That's why we've created Design Better for Teams, to inspire you and your colleagues' growth in craft, creativity, and the art of collaboration. With a Teams account, you and your whole team will get access to weekly ad-free episodes. That's four episodes a month that inspire and inform, released every Tuesday. You'll get invitations to our monthly AMA events where your team can ask questions directly to our former guests and industry experts. Plus, you'll all get recordings of every past AMA we've ever done. You'll get access to the Design Better library of books covering foundational concepts like principles of product design and design thinking methodologies. And you'll receive our monthly newsletter, The Brief, that compiles the salient insights, quotes, readings, and creative processes that we've uncovered on the show in our conversations with experts. And you'll get early and discounted access to our workshops, like our popular AI and Design Thinking workshop. Your team will learn typography from Jonathan Hoefler and Ellen Lupton, design history from Paola Antonelli and Paula Scher. They'll learn creative collaboration from Ed Catmull and John Cleese. They'll learn design leadership from Kate Aronowitz. They'll learn about prototyping from David Sedaris and Tony Fadell, design systems from Eileen Fisher and Brad Frost. They'll learn about AI and creativity from John Maeda and interface design from Matt D. Smith.
If that sounds interesting, to learn more, just visit dbtr.co/teams. That's dbtr.co/teams to get your team the educational enrichment they deserve. And now back to the show. Heidi Trost, welcome to Design Better.
Heidi Trost
Thanks for having me.
Aaron Walter
We're excited to talk to you because you've got a book out on a topic that we feel is underserved and under-discussed. Your book from Rosenfeld Media is Human Centered Security, and you are someone with a background in security. You've been thinking about security for a while, but you're thinking about it from a user experience lens, which is great because certainly a lot of engineers, infrastructure folks, think about this deeply. But let's be honest, at most places just logging in, resetting a password, doing the basics of security, it's harrowing. It's just so painful. Before we jumped on the show here, Eli and I were just discussing that I was trying to change a password, an Apple ID password, recently, and I tried probably 30 times and I was never successful. I was never able to complete it. And this is one of the largest companies out there that is part of so many of our lives. So maybe you could just start from the beginning and tell us how you got into this space.
Heidi Trost
I've been building products for a long time. I have always been interested in cybersecurity, but I felt like, what do I know? I'm a UX researcher, I don't know anything about this space. But as I dug a little bit deeper and got more and more interested in this space, I realized, wow, this is really a user experience issue, just as you described, right? Like when I can't log in, when I get a phishing email or something that looks suspicious and I say to myself, is it legitimate? Is it deceptive? Like, I don't know. That's an experience with that company. When I have to enable two-factor authentication, I know I should, but it's really, really annoying. And lots and lots of people love to tell me how annoying it is. When I get an alert and I'm like, is this legitimate? What does this mean for me on a scale from meh to panic, right? Unplug your device. Where should I be? What is the actual risk to me? What does it mean having to go through? I think in my book, I list out almost 15 steps to actually kick an attacker out of your email if your email gets compromised. That's ridiculous. These are all user experience issues. And once I figured that out, I was like, I know how to solve this. This is my domain. This is something that I can help with. And that's when I really just got so fascinated and just went down the cybersecurity rabbit hole and never came back out.
Eli Woolery
There are certain things that, beyond the password recovery thing, which is almost terrible across the board, but even smaller stuff like these image captchas that you have to do, like identify all the motorcycles here. Why are you making me do work to get into something that's supposed to be my own thing? And why do you think it is that so many of these things? Obviously, there's a lot of constraints around security and technical problems, but why do you think, kind of across the board, even for a company like Apple, which is known for having typically good design across its products, why has this particular arena seemed to be kind of untouched by design?
Heidi Trost
Security, and designing the security user experience, is a very complicated problem. And the reason that it's complicated is there are kind of like three main players in this ecosystem. So you have your end user, and I like to call her Alice. I personify her as Alice. And then you have the security user experience, which I like to personify as Charlie. And then you have threat actors, which often designers kind of conveniently forget or ignore just because it's not part of their domain. Now, Alice is influenced by the system design. Designers know this, right? The most prominent thing on the page is something that the user is going to look at; it influences their behavior. But often Charlie is, especially in the security user experience. So again, I'm personifying the security user experience as Charlie. Charlie's like that annoying coworker who's like, Alice, Alice, Alice. And is, you know, knocking on her door constantly and is confusing and is not helping Alice accomplish the goals that she wants to accomplish. Often Charlie is a roadblock in the way of Alice trying to accomplish her goals. Sign in, put in this passcode, right? Find the authenticator app out of the 20 that you have downloaded and try to figure out which one is associated with your account. So often Charlie is very, very unhelpful to Alice. And then, like I said, you have the threat actors. The threat actors are trying to figure out any way they can manipulate Alice. They can trick her into doing something, they can coerce her, trick her to get to their end goal, which typically is financially motivated. So you have this dynamic, and it's almost like a ping pong. The design of the system influences what Alice does. What Alice does influences what the threat actor does. Because the threat actor is like, I know what Alice doesn't know. I know how I can trick Alice. And now that the system's designed this way, I'm going to just figure out a new way to do it.
It's this constantly changing ecosystem that's very dynamic. And like I said, everything that changes on every player in the ecosystem impacts and is influenced by one another. So trying to design within something so dynamic is very difficult, because everything that the organization does, the threat actor is going to find a way around it. Everything that the organization does, Alice is going to be like, maybe there's just an easier way for me to figure out how to do this, right, and does things that the organization didn't expect. So that's why it's so complicated, because you have these three players who are all influencing and are impacted by one another. Plus you have technology, you have socioeconomic issues. All those types of things are making it a very complex ecosystem.
Aaron Walter
Walk us through the scope of this, because I think that's something that designers maybe struggle to understand a bit, is if you're getting into deeper thinking about how you can improve the design, the user experience of security. Probably most designers think, okay, let's design a better login experience. But it's a lot of different pieces. What you just described is a far broader scope. So how could we think about the scope of security?
Heidi Trost
UX security impacts end users at every part of the user journey, right? So if you think about when users are considering even using or buying your product, they're reading your privacy policy, or you're saying things like, we really value security, we really value privacy. And users are thinking, first of all, what does that even mean? And second of all, you're saying this a lot, so should I be concerned, right? Like, they have these reactions. So even the way that you're wording your privacy policies, even the things that you say on your marketing website, are impacting the security user experience; they're setting the expectations of your users. Can I trust you? Should I trust you? Like, I didn't even think about the fact that you were going to sell my information. Oh, thanks. Now I am. So that's one place. During signup and onboarding, these are places where you have the user's very kind of rapt attention, and they're very, very important places, especially onboarding, where the security user experience kind of bubbles to the surface and impacts Alice, and it's where she's making security decisions that could impact her and her security and safety later on. When you're signing up for a service, these are places where you set a password, and hopefully a complex password. This is a place where you're using your password manager, or not if it's difficult to use. This is a place where you're setting up two-factor authentication, or not if it's not even mentioned. These are places where you're making security and privacy choices. So you're going through this onboarding screen that says, do you want to share whatever? Then the next screen, then the next screen. And those decisions follow you throughout your relationship with the organization. I spend a lot of time here because really you have kind of the user's focused attention during onboarding and setup.
And their decisions at this point in time could mean whether or not their account gets compromised later or whether or not there is a potential entry point for attackers later on.
Aaron Walter
Let's double-click into this because this is interesting. So just to reflect back what I heard, you talked about the signup process; of course, there's sort of like login and recovery processes, there's privacy statements, how your information is going to be used. That's a great overview. A lot of times there are good intentions that go into the design of these elements. For example, when you create a password, as you were just describing, we would like you to use uppercase and lowercase and some special characters. And then when I go to use my password manager, well, you can only have 16 characters. Okay, great. I tried to auto-generate something instead of something I would remember and write down. And these good intentions and the validation that is maybe off the shelf, some sort of framework, or let's plug this thing in and build this into the system very quickly, ship it quickly. It actually makes our choices less secure and far more complicated to just do the right thing. Two questions here. Why is that, and what can we do about that?
Heidi Trost
I think there are multiple reasons. Why sometimes, like you said, the organization is trying to follow a framework or a set of best practices. NIST has a set of best practices and they actually just updated their password guidelines. Maybe they're using the old guidelines; they're using a standard that doesn't necessarily reflect the current way of thinking, the current research around people and how they use passwords. That could be true. There are several applications I use that I look at them and I'm like, you clearly built this 10, 15 years ago and you never updated. It reflects the old paradigm, the old way of thinking about passwords. There's the trying to integrate with different password management tools, with passkeys, with all of these different technologies. And I would say, just to be completely frank, the signup and login, it's not a place where people want to spend a whole lot of time. Like it's not cool and sexy.
Aaron Walter
And yet it's the showstopper. Like if there were a server down and it's Friday at 5:00, you don't get to go home, you've gotta go fix that. And this is the equivalent of a UX all-hands-on-deck moment. If people can't log into your product, your platform, you don't get to go home Friday night. We've got to fix this. And so I don't know why this is such a persistent issue that people just don't really take time to consider.
Heidi Trost
Well, one of the things I talk about in my book is the need for cross-disciplinary collaboration. So another thing that I thought of as you were talking, I'm going through this with a team right now, is one of the security standards that they want to be compliant with has password requirements and has a requirement, it's basically a set of guidelines, that users be logged out of the system after a certain period of inactivity, which you've probably encountered, right? It's absolutely annoying if I went to the bathroom and now I'm logged out. So teams are trying to be compliant with a set of standards that are just kind of generic and don't necessarily make sense. And let's be honest, they probably weren't, you know, designed with humans in mind, right? Like end users. They were designed with security in mind. And if you're just looking at security, it sort of makes sense, right? Lock people out if they walk away from their desks. What I want to advocate for is, if you think of a Venn diagram: so we have the UX team, we understand our users; the security team understands security; the engineering team knows what's technically possible and the constraints with our system. And all these other teams, it's not just them, but I'm calling them out because it just makes a very neat Venn diagram. You need all of those folks to overlap. You need those perspectives to overlap to improve the security user experience. UX cannot do it alone. You can't just have an open door and have that even be a good experience, right? So if you take it to the other extreme and people are having their accounts hacked, that's not a great experience either. So you have to find that balance of we're protecting information, right? And by protecting information, we're protecting humans. So it's information security, but we're protecting information because we care about people.
So going back to my Venn diagram, security UX knows the human aspect, engineering knows what's technically possible. Those people all need to be talking and collaborating to improve the user experience. It is not just in the domain of one. And all too often, getting back to your original question, often it's like security's making the decision and it's just like, nope, security, that's it. Or UX is like, wait, what about us? But you're not making a compelling enough argument. You're not establishing those relationships with those teams early on to really have the impact that you want. So I unfortunately think that there's a lot of that, and unfortunately I think there's a lot of let's just move fast and ship this and get it out the door. And there's either very little consideration about security or there's very little consideration about usability.
Aaron Walter
We'll return to the conversation after this quick break.
Meredith Black
Hey there. I'm Meredith Black, co-founder of DesignOps Assembly and formerly of Pinterest and Figma. I co-host a podcast called Reconsidering alongside two of the design world's most respected voices: Bob Baxley, formerly of Apple and Pinterest, and Aaron Walter, co-host of this very podcast, Design Better. Reconsidering is a show about looking at the big questions and challenges that we face in everyday life with a fresh perspective. We dive into topics like building a fulfilling career, navigating tough conversations, making meaningful friendships as adults, and even handling life's biggest transitions like illness and loss. We bring in authors and experts to provide actionable advice and thoughtful guidance to help us all develop the skills needed to thrive as well-rounded and healthy adults. We spoke with New York Times best-selling author and TED speaker Dan Pink on the power of regret and how we can make smarter decisions to deepen our sense of meaning and purpose. And Tina Roth Eisenberg, the founder of CreativeMornings, joined us live to talk about the importance of creating community and friendships. It turns out it has a huge impact on longevity and the quality of your life. And we spoke with MIT professor of philosophy and best-selling author Kieran Setiya about facing life's inevitable hardships and what ancient philosophers can teach us about living the good life. We explore so many topics and we'd love for you to give the Reconsidering podcast a listen. Listen and subscribe at reconsidering.org. That's reconsidering.org, or find us wherever you get your podcasts. Reconsidering.org.
Aaron Walter
And now back to the show.
Eli Woolery
If you're on a team and you have an existing product and you want to do, say, an audit of your security UX, are there metrics or frameworks you can use? And can you also use that to get alignment with these other teams that you were talking about, security and engineering?
Heidi Trost
I think this needs to be a cross-disciplinary effort through and through. Yes, it's more difficult to do it that way, but you literally cannot improve the security user experience alone. Right? Like at some point the legal team or the security team is going to be like, no, you're not doing it that way. So you're going to end up having to talk to them. You just might as well talk to them early rather than later. In terms of thinking about different frameworks, the way that I like to look at it is, first of all, be really clear on what security or privacy means for your team. You would be surprised at how many organizations the security team technically knows what security means, but what does that mean for your product and for your users? Going through that exercise, which I think the UX team is really capable of leading that conversation, that's step one. What are we even working towards? And then focusing on those places that I was describing earlier (I didn't actually get through my list because it's a long one), those places where you'll make the most impact. So: sign up, onboarding, login. When Alice is asked for personal or financial information. When she has to make security or privacy related decisions. When you're communicating a security issue, so she gets an email that says a new browser has signed into your account, you know, and she has to decide, is this legitimate? Is this deceptive? And what do I do about it? Like, what does this actually mean? So when Alice has to decide who and what to trust. And maybe the last thing that I'll tack onto this is, increasingly the products that we're building will influence the physical world. So being really mindful that the decisions that Alice makes are going to potentially influence the physical world. So whether it's smart glasses or it's a garage door opener, thinking about both security and safety when it comes to those different products.
Okay, so define what security and privacy mean for your product, for your users. Then focus on the places where you make the most impact. Then thinking about, okay, in those places, what can go wrong? The framework that I use, and that question is part of it, is Adam Shostack's threat modeling framework. So his threat modeling framework says: what are we working on? What can go wrong? What are we going to do about it? And did we do a good job? Super simple, but super, super helpful in terms of trying to unpack all the different things that can go wrong and getting your team aligned on how you're going to find a solution. The way that I like to look at it is I try to look at it from what can go wrong in terms of what Alice is thinking. I try to pose everything as questions. She's going through the onboarding process for the first time and she's getting onboarding screen after onboarding screen after onboarding screen, asking her these different questions, a lot of them related to security. She's saying, what does this even mean? There are so many questions. I'm just going to go ahead and I'm just going to check whatever default there is and just get on with my life. So I like to, you know, kind of list and document the different objections that Alice might have, different questions that she might have, where she might be like, I don't care. I, you know, I don't understand. I'm not going to bother with this. And then I list out what the threat actor might be thinking or doing in that particular situation. So the threat actor's thinking, awesome, so glad Alice is confused. I'm going to take advantage of that. Or, that's awesome, that security setting is super error-prone and probably something that Alice is going to overlook. I'm going to look for that place in the system where I can take advantage of that.
So at every point in those moments in the user journey, I try to channel my inner Alice and then channel my inner threat actor and pose those as questions. And then designers, you can think about how might we, right, like leverage things like "how might we" statements and pose that to your cross-disciplinary team. Remembering the security user experience is not something that we want to tackle all by ourselves. It's a cross-disciplinary collaboration, a cross-disciplinary effort.
Aaron Walter
How do we think about user testing with security? You can see the frustration. You can really see the frustration when people get lost. The trouble is, you know, for most user testing, there's a clear scenario that you can plan and say, okay, I want you to go in here, upload a photo, change your profile, do these things. But for a lot of security things, there's either, A, sensitive information, or B, it's sort of hard to recreate a scenario. How do you approach user testing that can create a convincing argument in your team? We've got a problem to solve here.
Heidi Trost
I think you should do several things. First of all, I think you should leverage secondary research as much as you possibly can. There's a lot of research in the usable security and privacy space that you can leverage, at least as a starting point. Are they your users? No. Are there limitations with academic research? Absolutely. But at least it gives you a starting point and it's worth looking into that, especially for things as large as login and that kind of thing. CAPTCHAs, that sort of thing, all that stuff has been studied before. So leverage secondary research. The other thing that I recommend teams do. So remember, if you are doing user research on security, you run the risk of influencing people's behaviors, right? Like you might be making them think about security more than they normally would, or they might not act normally because they feel like this is a safe setting and nothing possibly bad could happen to them. So they might actually do something less secure. So you have to account for that, because that's such a big issue. My recommendation is trying to gather as much security-related user research from studies that don't have anything to do with security. And I know that this is effective because it's what I did on my teams. Let me give you an example. We would be conducting user research on onboarding, trying to optimize our onboarding flow. And people would naturally talk about the passwords and the instructions around the complexity and things like that. Or, you know, they would walk us through logging into their own account and we would see these challenges that they encountered. We weren't testing for that. Like we weren't testing anything related to choosing a unique complex password. We weren't testing these different error messages that they ended up encountering. None of that was part of the research, but it just naturally happened.
And we added those things into our research repository, tagged them as security issues. And then when we wanted to consolidate all of that information, we had that at our disposal to say, actually, we know that this is happening. Or if there were enough kind of troubling things, we could say, oh, we want to focus a specific study on this or try to gather more information about this. The other thing you can do is leverage the people in your organization who are very close to your customers, but you might not be talking to those users on a regular basis. So your customer success managers, for example, or even your product managers; those people might see and hear things that you wouldn't normally see and hear on a day-to-day basis. So I think trying to pull information from a variety of different places and, again, being very cognizant that you might be biasing people if you do security-specific research. So try, as much as possible, to get that information in studies that you're already doing. Right. It's kind of a win-win.
Aaron Walter
So oftentimes with psychology tests, they'll tell you that they want you to do this, we're looking at this, but they're actually looking at your reaction. I wonder if you've ever seen user testing where they say, we want you to upload a photo, and behind the scenes someone has intentionally expired your password so you force them to walk through that. Is that a scenario that you've seen people do?
Heidi Trost
Oh yeah, that's definitely done all the time. The one thing that I will say is to just be very cognizant of how your user would feel in a particular situation. I talk about this in my book. Security and privacy issues have visceral impacts on people. And if they feel like their information is compromised or something bad has happened, it is not worth doing that study. It is not worth putting people in situations where they're going to feel negatively impacted. You know, you want to leave your participants better than when they started. So I will just give that as a caveat: to just be very, very mindful of the situations that you're putting people in, and to never make them feel like their information is compromised in any way or they're in any way put in a bad situation.
Aaron Walter
Tell us what a passkey is. What is a passkey compared to, you know, the traditional password approach?
Heidi Trost
So say you wanted to log into your bank. Instead of entering a password, you are going to authenticate using the same method that you use to authenticate to your device. So if you're on your phone, you might just flash your face in front of the screen, right? And it's going to authenticate that way. If you're on a computer, maybe you're using biometrics, like a thumbprint. Right. Or you could be entering the password that you use to authenticate to your device. Right. So there could be a password involved, if that's what you're using to authenticate to your device, but it'll be the same one over and over again. So that's how passkeys work.
Aaron Walter
You know what's interesting is I've been in the software industry for a couple of decades. I didn't know that. I didn't know what a passkey was. I see so many different major products, major platforms asking to start using a passkey. And I don't say yes because they never tell me what that is. I don't know what I'm getting into.
Heidi Trost
The FIDO Alliance, it's Fast Identity Online. I interviewed them for my podcast, and they came up with a set of guidelines for different organizations to use because of this problem that you're explaining. If you're just like, hey, create a passkey, and you're like, I don't know what that is. Like, why? And this is exactly the problem that I was describing earlier with Alice, right? A passkey might actually be the best option for her, might actually be a more usable option for her. But she's looking at this prompt and being like, I don't even know what this is, so why would I waste my time doing this? So thank you for perfectly illustrating why something that actually might be good ends up not being implemented. Because someone's confused, they don't know what it is. Is this less secure? It kind of seems weird. Never heard of it before. There's all of that.
Eli Woolery
What are you reading or watching or listening to right now, and it doesn't have to be security or work related, that's inspiring you or that you're enjoying?
Heidi Trost
When I was researching my book, I probably bought 50 security and privacy related books. So for two years, that's all I read. I didn't read any fiction. I just read security books. I was, like, super fun to talk to at cocktail parties. So now that my book is actually out, I like to read science fiction, and that's what I'm really excited about. So I just finished last night Hail Mary. I don't know if you guys have ever read that. So that was super fun. A little alien, a little space, a little the-world-might-come-to-an-end, you know, type of vibe. So that was really fun.
Eli Woolery
Andy Weir, right? Is that. Yes.
Heidi Trost
And I love, I'm watching Severance right now. So that's been super, kind of mind-blowing and very interesting. That's what I've been watching and reading lately.
Aaron Walter
Well, fantastic, Heidi. The book is called Human Centered Security. It's out now from Rosenfeld Media. That's rosenfeldmedia.com, where you can find the book. Where can people learn more about you? Are there other places we can go?
Heidi Trost
LinkedIn is probably the best place to find me. I publish a newsletter on LinkedIn just about every week. The other place is my podcast, which is called Human Centered Security, and that's on Apple Podcasts. It's on Spotify, any place you listen to podcasts.
Aaron Walter
Thanks, Heidi. Thanks for being on the show.
Heidi Trost
Yeah, thank you so much. I really appreciate it.
Aaron Walter
This episode was produced by Eli Woolery and me, Aaron Walter, with engineering and production support from Brian Paik of Pacific Audio. If you found this episode useful, we hope that you'll leave us a review on Apple Podcasts, Spotify or wherever you listen to finer shows, or simply drop a link to the show in your team Slack channel: designbetterpodcast.com. It'll really help others discover the show. Until next time.
Podcast Summary: Design Better - Episode Featuring Heidi Trost on Human Centered Security
Podcast Information
In this episode of Design Better, co-hosts Eli Woolery and Aaron Walter engage in a profound discussion with Heidi Trost, the author of "Human Centered Security: How to Design Systems that Are Both Safe and Usable." Heidi brings a unique perspective to the table by merging her expertise in user experience (UX) research with cybersecurity, challenging the conventional notion that humans are merely the weakest link in security infrastructures.
Aaron Walter introduces Heidi Trost, highlighting her recent publication and her focus on designing secure and resilient systems without solely blaming users for security breaches. This conversation stems from shared frustrations with the cumbersome aspects of security implementations, such as password recovery systems, even within well-designed platforms like Apple.
Notable Quote:
Heidi Trost [00:02]: "You have kind of the user's focused attention during onboarding and setup, and their decisions at this point in time could mean whether or not their account gets compromised later."
Heidi delves into why crafting a user-friendly security experience is challenging. She outlines a dynamic ecosystem involving three primary players:
Heidi explains that the interplay among these players creates a constantly evolving landscape where improving security measures often leads to new challenges.
Notable Quote:
Heidi Trost [07:01]: "The design of the system influences what Alice does. What Alice does influences what the threat actor does. It's this constantly changing ecosystem that's very dynamic."
When discussing the broader scope of security beyond just login experiences, Heidi emphasizes that security impacts every stage of the user journey. From initial interactions like reading privacy policies to ongoing activities such as setting up two-factor authentication, each touchpoint presents opportunities to enhance or weaken security.
Key Points:
Notable Quote:
Heidi Trost [10:14]: "UX security impacts end users at every part of the user journey, right? So if you think about when users are considering even using or buying your product, they're reading your privacy policy... these are places where you're making security and privacy choices."
Heidi introduces Adam Shostack's threat modeling framework as a foundational tool for assessing and improving security user experiences. The framework involves:
Notable Quote:
Heidi Trost [19:56]: "Remembering the security user experience is not something that we want to tackle all by ourselves. It's a cross disciplinary collaboration, cross disciplinary effort."
Heidi stresses the importance of integrating insights from various teams—UX, security, engineering, and legal—to create a balanced and effective security strategy. She advocates for early and continuous collaboration to ensure that security measures are both robust and user-friendly.
Key Strategies:
Notable Quote:
Heidi Trost [15:11]: "You have to find that balance of we're protecting information, right? And by protecting information, we're protecting humans."
Addressing the difficulties in user testing for security features, Heidi offers practical advice:
Notable Quote:
Heidi Trost [24:41]: "Security and privacy issues have like visceral impacts on people. ... You want to leave your participants better than when they started."
Heidi explains the concept of passkeys as an alternative to traditional passwords, emphasizing their potential to enhance both security and usability. A passkey is unlocked with the device's biometric or local authentication rather than a typed secret, which streamlines the login process and removes the reliance on complex, easily forgotten passwords.
Key Points:
Notable Quote:
Heidi Trost [29:08]: "A passkey might actually be the best option for her [Alice], might actually be a more usable option for her. But she's looking at this prompt and being like, I don't even know what this is."
Towards the end of the episode, Heidi shares her personal reading and viewing preferences, highlighting a shift from security-focused literature to more diverse genres like science fiction. She mentions enjoying "Hail Mary" by Andy Weir and watching the series "Severance," which enrich her creativity and provide a balanced perspective outside her professional focus.
Heidi Trost concludes by directing listeners to her LinkedIn profile, where she publishes a weekly newsletter, and her podcast, "Human Centered Security," available on major platforms like Apple Podcasts and Spotify. She emphasizes the importance of continuous learning and cross-disciplinary collaboration in advancing both security and user experience.
Notable Quote:
Heidi Trost [32:09]: "LinkedIn is probably the best place to find me. So I publish a newsletter on LinkedIn just about every week."
This episode of Design Better offers a comprehensive exploration of the intricate relationship between user experience and cybersecurity. Heidi Trost provides valuable insights into designing security systems that are not only robust but also user-friendly, advocating for a holistic and collaborative approach. By addressing common pain points and proposing actionable strategies, Heidi equips designers and organizations with the knowledge to create more secure and resilient products.
For those interested in enhancing their understanding of human-centered security design, Heidi Trost's "Human Centered Security" is a recommended read, available through Rosenfeld Media.