
Making security usable

Articles

01

“Remember me”, “Keep me signed in”, and “Remember this device” aren’t the same thing

Three different controls, not three names for one: pre-fill an email address, keep a long-lived session, or skip MFA on this device. Label each precisely and never turn the risky ones on by default.

02

Don’t forget to design step-up authentication

A logged-in session proves someone signed in once, not that the person acting now is the owner. Ask for fresh proof of identity at sensitive actions.
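One way to implement the rule above, as an added example that is not code from the article: each sensitive action declares which factors must have been proven and how recently, and the check reports the stale factors so the UI can prompt for exactly those instead of refusing outright. The policy table, the action names and the factor names are assumptions made for illustration.

```python
"""Step-up authentication check (added example, not the article's code).

A live session only proves that someone signed in at some point. Each
sensitive action therefore declares which factors must have been proven and
how recently; the policy table and factor names below are illustrative
assumptions.
"""
from dataclasses import dataclass, field
import time

# Hypothetical per-action policy: factors that must be fresh, and the maximum
# age in seconds (None = proven at any time during this session is fine).
STEP_UP_POLICY = {
    "view_profile": {"factors": {"password"}, "max_age": None},
    "change_email": {"factors": {"password"}, "max_age": 300},
    "add_payee":    {"factors": {"password", "totp"}, "max_age": 120},
    "disable_mfa":  {"factors": {"password", "totp"}, "max_age": 60},
}


@dataclass
class Session:
    user_id: str
    # factor name -> time (monotonic seconds) at which the user last proved it
    proven_at: dict = field(default_factory=dict)


def record_factor(session, factor, now=None):
    """Call after a successful password / OTP / passkey check to refresh that factor."""
    session.proven_at[factor] = time.monotonic() if now is None else now


def check_step_up(session, action, now=None, policy=STEP_UP_POLICY):
    """Return (allowed, stale_factors).

    stale_factors lists what the user must re-prove before the action may run;
    the UI should turn it into a step-up prompt rather than a bare denial.
    Unknown actions raise so that a missing policy entry fails closed.
    """
    if action not in policy:
        raise KeyError(f"no step-up policy for action {action!r}")
    now = time.monotonic() if now is None else now
    rule = policy[action]
    stale = []
    for factor in sorted(rule["factors"]):
        when = session.proven_at.get(factor)
        if when is None:
            stale.append(factor)          # never proven in this session
        elif rule["max_age"] is not None and now - when > rule["max_age"]:
            stale.append(factor)          # proven, but too long ago for this action
    return (not stale, stale)


if __name__ == "__main__":
    s = Session("alice")
    record_factor(s, "password", now=0)
    print(check_step_up(s, "view_profile", now=1000))   # (True, [])
    print(check_step_up(s, "add_payee", now=1000))      # (False, ['password', 'totp'])
    record_factor(s, "password", now=1000)
    record_factor(s, "totp", now=1000)
    print(check_step_up(s, "add_payee", now=1050))      # (True, [])
```

Two design points worth keeping: the freshness window is per action, not per session, so a password typed five minutes ago can still be good enough to edit a profile while being too old to disable MFA; and an action with no policy entry raises instead of silently passing, so a forgotten entry is a bug you notice rather than a bypass.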

03

On-screen keyboards: real keylogger protection or a relic?

Built to defeat keyloggers, on-screen keyboards are bypassed by modern malware (screen capture and click logging) and get in the way of password-manager autofill. Passkeys and password managers do the job now.

04

Is the “last used” login method indicator safe?

A “last used” badge is good UX, and safe as long as the hint is stored on the device that performed the sign-in. It becomes a security problem the moment the server derives it from an email typed into the form: anyone who enters a victim’s address then learns which login method that account uses.

05

You should warn users before redesigning your login page

A sudden login redesign looks like phishing to security-aware users. A short announcement before and after launch turns it from a threat into an upgrade.

06

The password rule 9 out of 10 apps forget

Reject passwords that contain the user’s own email address (or parts of it) and passwords that appear on lists of commonly used or breached passwords. State the rule up front in the requirements checklist and validate it in real time as the user types.
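A validator for that rule, as an added example that is not code from the article: it rejects passwords containing fragments of the account’s own email and passwords on a common-password list, and returns a per-rule result rather than a single yes/no so a checklist can update live. The COMMON_PASSWORDS set is a tiny constructed stand-in; a real deployment checks against a breached-password corpus (NIST SP 800-63B asks for exactly this, plus context-specific words such as the username).

```python
"""Password rule check (added example, not the article's code).

Rejects passwords that contain the account's own identifier or that appear on
a common-password list, and returns per-rule results so the UI can render a
live checklist. COMMON_PASSWORDS is a constructed stand-in for a real
breached-password corpus.
"""
import re
import unicodedata

# Constructed sample denylist (real lists have millions of entries).
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "welcome",
    "iloveyou", "admin", "abc123", "passw0rd",
}
MIN_LENGTH = 12


def _norm(s):
    """Case-fold and Unicode-normalise so 'PassWord' and 'password' compare equal."""
    return unicodedata.normalize("NFKC", s).casefold()


def identifier_fragments(email):
    """Pieces of the email a password must not contain: the full address, the
    local part, and its tokens ('alice.smith' -> 'alice', 'smith').
    Fragments shorter than 3 characters are ignored to avoid absurd rejections."""
    e = _norm(email.strip())
    local = e.partition("@")[0]
    frags = {e, local, *re.split(r"[._\-+]+", local)}
    return {f for f in frags if len(f) >= 3}


def check_password(password, email):
    """Return a dict of rule -> bool plus an overall 'ok'.

    Every rule is evaluated (no short-circuit) so the checklist can show the
    state of each line, not just the first failure."""
    pw = _norm(password)
    # Strip a trailing digit/punctuation suffix so 'Password1!' still hits the list.
    stem = re.sub(r"[\d!@#$%^&*.]+$", "", pw)
    results = {
        "min_length": len(password) >= MIN_LENGTH,
        "not_common": pw not in COMMON_PASSWORDS and stem not in COMMON_PASSWORDS,
        "no_identifier": not any(f in pw for f in identifier_fragments(email)),
    }
    results["ok"] = all(results.values())
    return results


if __name__ == "__main__":
    print(check_password("Password1!", "alice.smith@example.com"))
    print(check_password("alice-smith-rocks-2024", "alice.smith@example.com"))
    print(check_password("correct horse battery staple", "alice.smith@example.com"))
```

Run the same function on the server at submit time as in the browser while typing: the client-side copy is for feedback, the server-side copy is the control.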

07

How to design soft password lockout correctly

Warn users before the final failed attempt, explain what will happen next, show a real countdown timer, and always provide a recovery path through password reset.
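The lockout logic those four rules describe, as an added example that is not code from the article: state is kept in memory with an injectable clock so the countdown is testable, and the thresholds (5 attempts, 15-minute pause) are assumptions.

```python
"""Soft lockout (added example, not the article's code): warns before the
final attempt, exposes a real countdown, never extends a running lock, and
always points at password reset. Thresholds and storage are assumptions.
"""
from dataclasses import dataclass
import math
import time


@dataclass
class LockoutStatus:
    attempts_remaining: int
    locked: bool
    seconds_until_unlock: int
    warn_final_attempt: bool   # True when exactly one attempt is left
    message: str               # user-facing text the login form can show as-is


def _human(secs):
    m = secs // 60
    return f"{m} minute{'s' if m != 1 else ''}" if m else f"{secs} seconds"


class SoftLockout:
    def __init__(self, max_attempts=5, lock_seconds=900, window_seconds=900, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lock_seconds = lock_seconds
        self.window_seconds = window_seconds   # failures older than this no longer count
        self._clock = clock
        self._failures = {}      # account key -> list of failure timestamps
        self._locked_until = {}  # account key -> unlock time

    def _tick(self, key):
        """Expire a finished lock and prune stale failures; return the current time."""
        now = self._clock()
        if key in self._locked_until and self._locked_until[key] <= now:
            del self._locked_until[key]
            self._failures.pop(key, None)    # lock served: start with a clean slate
        self._failures[key] = [t for t in self._failures.get(key, [])
                               if now - t <= self.window_seconds]
        return now

    def status(self, key):
        now = self._tick(key)
        if key in self._locked_until:
            secs = math.ceil(self._locked_until[key] - now)
            return LockoutStatus(0, True, secs, False, self._locked_message(secs))
        remaining = self.max_attempts - len(self._failures[key])
        msg = "" if remaining == self.max_attempts else self._remaining_message(remaining)
        return LockoutStatus(remaining, False, 0, remaining == 1, msg)

    def record_failure(self, key):
        """Call after a wrong password. Returns the status to show the user."""
        now = self._tick(key)
        if key in self._locked_until:
            return self.status(key)          # already locked: do not extend the lock
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_attempts:
            self._locked_until[key] = now + self.lock_seconds
        return self.status(key)

    def record_success(self, key):
        self._failures.pop(key, None)

    def _locked_message(self, secs):
        m, s = divmod(secs, 60)
        return (f"Sign-in is paused. Try again in {m}:{s:02d}, "
                "or reset your password now to get back in immediately.")

    def _remaining_message(self, remaining):
        if remaining == 1:
            return (f"Incorrect password. You have 1 attempt left; after that, sign-in is "
                    f"paused for {_human(self.lock_seconds)}. "
                    "Not sure of your password? Reset it instead.")
        return f"Incorrect password. {remaining} attempts remaining."
```

Three things the caller has to get right around this class: key it on the normalised account identifier and return the same responses for accounts that do not exist, so the counter does not become an enumeration oracle; never gate the password-reset endpoint on this state, since reset is the recovery path the message promises; and treat per-IP throttling as a separate control rather than folding it in here.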

08

Password reset flows are missing one critical UX aspect

Reset flows should clearly communicate what happens to existing sessions. If they don’t, users are left unsure whether they’ve actually regained control of their account.
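What a reset flow has to do to be able to say that, as an added example that is not code from the article: on completion it revokes every existing session for the account, starts a fresh one on the device that performed the reset, and returns a list of what was signed out so the confirmation screen can state it precisely. SessionStore is an in-memory stand-in for a real session backend; the device labels and timestamps are constructed.

```python
"""Password reset completion (added example, not the article's code).

Revokes every existing session, starts a fresh one for the device that
performed the reset, and returns a summary for the confirmation page.
SessionStore is an in-memory stand-in; device labels are constructed.
"""
from dataclasses import dataclass
import secrets


@dataclass
class SessionRecord:
    token: str
    user_id: str
    device: str       # e.g. "Chrome on Windows", derived from the user agent at sign-in
    last_seen: float  # seconds since epoch


class SessionStore:
    def __init__(self):
        self._sessions = {}   # token -> SessionRecord

    def create(self, user_id, device, now):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = SessionRecord(token, user_id, device, now)
        return token

    def is_valid(self, token):
        return token in self._sessions

    def revoke_all_for_user(self, user_id):
        """Delete every session of the user and return the revoked records."""
        revoked = [s for s in self._sessions.values() if s.user_id == user_id]
        for s in revoked:
            del self._sessions[s.token]
        return revoked


def _ago(seconds):
    if seconds < 60:
        return "just now"
    if seconds < 3600:
        return f"{int(seconds // 60)} min ago"
    if seconds < 86400:
        return f"{int(seconds // 3600)} h ago"
    return f"{int(seconds // 86400)} d ago"


def complete_password_reset(store, user_id, device, now):
    """Run after the reset token has been verified and the new password stored.

    Every existing session is revoked (including any an attacker may hold), a
    fresh session is started for the device that performed the reset, and a
    summary is returned for the confirmation page.
    """
    revoked = store.revoke_all_for_user(user_id)
    new_token = store.create(user_id, device, now)
    signed_out = sorted(((s.device, s.last_seen) for s in revoked), key=lambda d: -d[1])
    if signed_out:
        listing = "; ".join(f"{dev} (active {_ago(now - seen)})" for dev, seen in signed_out)
        message = (f"Password changed. You are signed in on this device. We signed out "
                   f"{len(signed_out)} other session(s): {listing}. "
                   "If you do not recognise one, review your account activity.")
    else:
        message = "Password changed. No other sessions were active, so nothing else was signed out."
    return new_token, {"signed_out_count": len(signed_out), "signed_out": signed_out, "message": message}
```

In a real system the same step should also invalidate the reset token that was just used and any “remember this device” trust tokens, and the summary belongs on the confirmation page itself, not only in a follow-up email.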

If you have any questions, contact Sviatoslav Nytka.