Problem: Security risks around user accounts and passwords were surfaced for all Business Journals sites, requiring preemptive action to be taken to mitigate risk with little impact to the current user experience. 

Goal: Update site security per legal obligations, while improving user experience by reducing added friction to the ‘Sign in’ and ‘Create an account’ flows and making it clear to the user that our site cares about their security.

Research:

Guiding principles to keep front of mind:

1. A good user experience
2. Actual user security
3. Making the user feel secure
4. Limiting added friction that would either:

‘Create an account’ flow: reduce the likelihood of the user completing account creation

‘Sign in’ flow: cause the user to become frustrated with the sign in process and resort to calling customer service or abandoning their task

Guidelines from research and competitive analysis:

• Make the constraints clear to the user to avoid the need to use error messaging, but use clear error messaging when necessary so the user knows why the password is not adequate
• Use a maximum of 3 constraints for the user
  • 8+ characters, include special characters, numbers, upper/lower case, etc.
• Show completion of constraints in real time
• Show strength meter
  • Consider disallowing “weak” passwords altogether as a constraint
• Use show/hide password in lieu of ‘Confirm password’ field
• Allow for long passwords (60+ characters)
• Shouldn’t ask the user to type any info twice
• Good user experience to include 3rd party options for account creation (email, social media, etc), but possibly less secure?

NIST Guidelines:

• Focus on having a longer min
• Check password against dictionary of known bad choices
• No need to have users change passwords arbitrarily as this doesn’t add to the security of their account

‘Sign in’ flow:

Final legal constraints being implemented:

1. Rate limiting: user may only attempt to sign in 3 times before their account is locked for 10 minutes
2. User may still reset password and sign in if locked out of account

Plan of Action:

1. Provide clear error messaging when the user enters an incorrect password and what the user needs to do to sign in
2. Make the user aware of the number of attempts they have before their account is locked for 10 minutes

Usability Testing: 5 general users (unmoderated prototype usability test, testing language and clarity)

Questions to answer: 

1. Do users understand rate limiting?
2. Are the messages clear or will users be confused about why they’re getting locked out of their accounts?
3. Is it clear what the next steps are if a user is locked out of their account?
4. How do users perceive rate limiting in regards to security?

Top takeaways:

• People understand rate limiting and seem to be familiar with the concept. They associate it with keeping hackers out of their account.
• Limiting sign in attempts makes users feel like their account and information is being properly secured.
• Users expect to be able to sign into their account right away after resetting their password. One user said, “The security of going through my email to reset my password should negate the 10 min delay.”
• “I appreciate added security measures that keep my account from being broken into.” (User was asked for any additional thoughts or comments about rate limiting.)