INSIGHTS - January 2023

How to Design Secure Apps Without Annoying Users

I think I speak for most people when I say security is tedious. It always has been. Ancient cities were surrounded with walls and gates that visitors had to pass through to enter the city, and you can bet everyone got tired of opening and closing gates. Digital security is exactly the same. It’s all about locking more gates than the attackers are willing to break through.

The challenge is walking the fine line between building good security into your app and not making it too difficult to access for the people who legitimately need it.

Build Bigger Walls

Over the past two decades, we’ve seen an evolution of ideas to increase security, none of them pleasant. Passwords became longer and more complex. Some apps enforced regular password changes. Password vaults like LastPass or OnePass are a good way to securely manage a lot of passwords. Although, LastPass was hacked recently …

Google moved from making us decipher some squiggly letters to recognising bikes, traffic lights and mountains, which was a great way to get the whole planet to teach its image recognition AI.

Now we have fun things like two-factor authentication (2FA) where you need to look up a code on your phone that changes every minute. It’s effective on a personal level, but becomes difficult in an office environment. We have an office phone just for this purpose.

Phone verification is almost ubiquitous now. Every streaming channel requires a phone verification. You just have to remember whose phone you used. The same goes for mobile verification or biometrics like fingerprint and face recognition. Whose phone gets the verification? What if they are away?

If you’ve ever had a cryptocurrency wallet or an account with an exchange, you will probably have a 12 – 16 word passphrase. This is just 12 – 16 normal words in a particular order. Not too hard to remember, but not practical to carry around with you. And you definitely wouldn’t want to store it online. It is not for day-to-day use; it’s a last resort if you forget your password. It’s not a bad idea, but there have also been plenty of stories about lost fortunes due to lost access.

People will generally risk their security for convenience, e.g. ‘keep me logged in’. This can work for your office or home computer, but it’s not a great idea for tablets, phones and laptops that can easily go astray. Facial recognition, however, goes a long way to solving this. Biometric security requires little to no effort and provides instant access. It’s also very difficult to hack. The office environment, however, is still a challenge, particularly for software or devices that are used by multiple people.

Not all Data is Created Equal

Sometimes a login is only required to control billing, like for a game. The data isn’t private, but the app maker wants to make sure you are not using the game without paying. Banking apps, on the other hand, need to be absolutely secure. In those instances, we don’t mind a more convoluted login process. It actually makes us feel good about the app. It builds trust that our data is in good hands.

What’s Your Security Plan?

How do you manage your personal digital security? If you manage a business, what systems do you have in place to manage security across the business? If you run an app or private site, does your security instil trust while not being too inconvenient? Your security measures should be proportional to the data you are protecting. There have been a lot of security breaches, particularly in Australia in the past 12 months, and there will be a lot more. Security is a pain, but being the responsible party at the centre of a breach is a lot worse.