On a recent webinar, an attendee asked how we should talk to our end-users about passwordless authentication. My answer: don’t.
Look to Doug Dietz to understand why. Dietz is the principal design thinker at GE Healthcare. The book Creative Confidence featured his work on MRIs for children. Originally, the MRI was a technologist’s technology. This meant it scared the kids, often to the point of them needing sedation. Dietz realized this and redesigned the MRI as an experience attractive to kids. The key insight was empathy. To paraphrase Dietz’s TED talk, “Empathy at the beginning sets the heartbeat of the project. When you move forward into the iteration and prototyping and some of the design phases you go through, you need to refocus and see what the empathy was that got you started.”
We don’t talk to kids about the MRI. We talk to them about the jungle experience. We don’t talk to end-users about passwordless. We talk to them about a more enjoyable work experience.
When designing security, we start with the vision, the business capabilities, and the business outcomes. We begin with empathy and then, as Dietz put it, let empathy be the heartbeat through the design process. Don’t do this, and we end up with the equivalent of the MRI machine. That is, security which people avoid and workaround. Possibly security that will have people wanting to be sedated. Good design creates security experiences that people adopt and, in rare but exciting cases, actually enjoy.
Empathy is incredibly hard. Seeing the world through someone else’s eyes always is. It is doing the hard things that elevates design.
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
Posted by