
Bas Hoorn: 'A good password manager makes safe behavior a matter of course'






Password managers are a special category of software. In contrast to regular applications, users always work on two tracks at the same time: on the one hand, there is the password manager, and on the other, the application they want to log in to. The fact that applications differ a lot from one another, and look visually different from a password manager, makes things even more complex.
UX as a response to unnecessary complexity
Bas became involved with MindYourPass when the product was still in its early stages. Initially, he was hired to develop training courses. Early on, however, he noticed that many user questions, errors, and frustrations came not so much from a lack of explanation as from the user experience of the product itself. Because Bas had also designed user interfaces at an earlier stage in his career, he was asked to look at the product from that combined perspective: trainer and UX designer.
The product worked well technically at the time, but the user experience was unnecessarily complex. For example, too many functionalities were offered at the same time and actions were not always logically positioned in the flow. Because the use of a password manager is already complex by definition, it is important that the password manager interface does not add extra cognitive load and guides users through the right steps at the right time. The UX approach therefore initially focused not on making the interface intuitive, but on removing, as much as possible, everything in the flow that was not intuitive, Bas explains.
Competence as key to safe behavior
The failure of security is rarely due to user reluctance, says Bas. In most organizations, people want to work safely, but are stuck on complexity, time pressure and unclear tooling. Password managers are often technically functional, but do not match how people actually work. Especially when the mental burden is already high, users are confronted with extra steps, choices and warnings. This does not lead to safer behavior, but to frustration and ultimately to workarounds: exactly the risk that is removed by MindYourPass.
A central factor in safe behavior is the sense of competence, says Bas. “People need to feel that they know what they're doing and that they can't make mistakes at the expense of safety.” As soon as that feeling is missing, uncertainty occurs. Uncertainty leads to avoidance, half-understanding and the search for faster but less safe solutions. “I see this every day in training and user research. When people feel stupid about a security solution, they drop out demotivated, and that's risky when using a password manager. Maintaining safe behavior is only possible if users experience that they have the situation under control.”
User-friendliness is a fundamental prerequisite
Many organizations invest in explanations, training and awareness campaigns. That is useful, but it is not enough. People forget instructions and make mistakes under pressure, and a good password manager should anticipate that, says Bas. “You can't expect all users to understand security. This calls for solutions designed so that safe behavior is the easiest and only option. User-friendliness is not an extra layer on top of security, but a fundamental prerequisite for policy to work in practice.”
In addition, secure password use within organizations should ultimately be made mandatory, says Bas. That sounds strict, but enforcement does not have to lead to frustration. On the contrary, if the tooling is properly arranged, it actually gives users peace of mind. They no longer have to think about what is allowed or what is not allowed. The system must serve this purpose. The prerequisite is that the solution is reliable, predictable and learnable.
In addition to technology and design, the organizational context also plays a major role. That's why MindYourPass works with ambassadors within organizations: superusers who help colleagues, answer questions and identify where people get stuck. The success of adoption depends heavily on this role. Remarkably, these are not always the people with the toughest IT background, says Bas. They are often pragmatic, curious users who don't give up easily, like to figure out how something works and communicate easily in the workplace. They form the bridge between technology and daily practice.
Safe behavior should feel effortless
The core of Bas's vision is that security only works when people don't have to think about it all the time. A good password manager makes safe behavior natural by removing uncertainty, preventing errors and serving the end user and the organization. User-friendliness and enforceability are not opposites, but reinforce each other. If you want security to work in practice, you need to design for the human brain, taking into account a variety of user scenarios and personas.






