Sophia Lin
Security Researcher
Security and usability are often framed as a trade-off. More security means more friction, more steps, more cognitive load. Less friction means corners are cut, and the system is more vulnerable. This framing is not entirely wrong, but it has become a convenient excuse for building security products with terrible user experiences.
Every unnecessary step in an identity verification flow is a user who abandons and does not come back. In e-commerce, every additional authentication step reduces conversion. In enterprise security, burdensome authentication leads to employees sharing credentials, writing passwords on sticky notes, or finding workarounds that introduce the very vulnerabilities the security was meant to prevent.
The cost of bad UX is not just irritation. It is measurable business impact and, paradoxically, reduced security.
The best identity UX is invisible. When everything is working correctly — when the right person is accessing the right system in the right context — they should experience minimal friction. The system should recognize them and step out of the way.
The friction should appear only when something is genuinely anomalous — when there is a real reason to ask a user to prove themselves more thoroughly. This is risk-based authentication, and when done well, it dramatically reduces the average burden on legitimate users while increasing scrutiny on suspicious requests.
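A minimal sketch of the risk-based decision described above, added here as an illustration and not taken from the original article or any product. The signals (device familiarity, travel speed since the last login, recent failures), the weights and the thresholds are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

@dataclass
class Login:
    device_id: str
    lat: float
    lon: float
    ts: float  # epoch seconds

def km_between(a: Login, b: Login) -> float:
    """Great-circle distance (haversine) between two login locations."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def risk_score(attempt: Login, history: list, recent_failures: int = 0) -> int:
    """Score an attempt against the user's past successful logins (oldest first)."""
    if not history:
        return 50  # no baseline yet: unfamiliar, but not proof of attack
    score = 0
    if attempt.device_id not in {h.device_id for h in history}:
        score += 40  # device never seen for this account (assumed weight)
    last = history[-1]
    hours = max((attempt.ts - last.ts) / 3600, 1 / 60)  # floor at one minute
    if km_between(last, attempt) / hours > 900:  # faster than an airliner
        score += 50
    return score + min(recent_failures, 5) * 5

def decide(score: int) -> str:
    """Map a score to the friction the user sees. Thresholds are assumed values."""
    if score < 30:
        return "allow"      # recognized context: stay out of the way
    if score < 70:
        return "step_up"    # anomalous: ask for a second factor
    return "deny"           # several strong anomalies at once

# Constructed sample data: two earlier logins from one laptop in Berlin.
HISTORY = [Login("laptop-1", 52.52, 13.40, 0), Login("laptop-1", 52.52, 13.40, 86400)]

if __name__ == "__main__":
    attempts = {
        "same laptop, same city": Login("laptop-1", 52.52, 13.40, 90000),
        "new phone, same city": Login("phone-9", 52.52, 13.40, 90000),
        "new device, Sydney one hour later": Login("box-x", -33.87, 151.21, 90000),
    }
    for label, a in attempts.items():
        print(f"{label}: {decide(risk_score(a, HISTORY))}")
```

The recognized laptop passes with no prompt, a new device alone triggers only a step-up, and the request is refused only when an unknown device coincides with implausible travel.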