Secure by design: a UX toolkit

Have you considered what it means to build products with a security-first mindset? Pop culture depicts hackers as hoodie-wearing, code-writing savants racing against the clock to break into systems on matrix like screens. While this scenario does occur, the majority of hacks are the result of people unintentionally letting threat actors access their information via different tactics like phishing scams or misconfigured security settings.

All product makers need to understand the role of UX as part of a robust security strategy. User experience is part of a balanced system where security, functionality, and usability are integrated to meet both user needs and technical requirements. By prioritizing user experience, we can:

• Reduce the risk of user-targeted attacks like phishing and malware by designing and building in secure interactions.

• Enhance user trust and adoption by making security features intuitive and non-intrusive.

• Minimize human errors by designing interfaces that clearly indicate secure actions and warnings.

This is a distinct approach to product development; defending against attacks was historically the sole responsibility of security experts or specialized engineering groups. As such, we need new tools and processes to help all product makers craft inherently secure user experiences. We’re excited to share Secure by Design: a UX toolkit, a key first step to solve for this need.

Stemming from Microsoft’s broader Secure Future Initiative (SFI), a comprehensive call to embed security into everything we build, the toolkit is aligned with SFI’s principles of Secure by Design, Secure by Default, and Secure Operations. It includes best practices, conversation cards, and workshop tools to help you anticipate threats, reduce user friction, and make security intuitive, ensuring security isn’t just a feature, but foundational to every user experience.

Understanding the landscape: Threats and threat actors

To contextualize the toolkit, it’s important to fully grasp the complexity and gravity of the terrain. Cybersecurity practices protect systems, networks, and programs from digital attacks aimed at stealing or destroying sensitive information, extorting money, or disrupting business processes. Attacks are carried out by threat actors; these adversaries exploit weaknesses in products to endanger unsuspecting users.

– Microsoft Security Researcher, September 2024

Security threats aren’t new or unique and UX is an often overlooked and critical piece of defending against threat actors.

The user problems of threat actors

To defend against threats effectively, it’s critical to understand the objectives and approaches that typical threat actors adopt. In the same way that an information worker might create workarounds to accomplish a goal efficiently, a threat actor is constantly searching for the simplest way to break the system and achieve their objective. And UI is a surface for threat actors to exploit.

Fortunately, UI is also a first line of support to mitigate issues, such as communicating account recovery protocols when a user has been locked out. By understanding these tactics, we can better anticipate potential risks and implement measures to mitigate them.

Here are a few examples of threat actor tactics for user experience:

These examples challenge us to explore and understand common UX threat actor tactics and model the same level of creativity to fight against them. It is no longer sufficient to create user journeys alone, we must also explore the journeys of threat actors based on their motivations and tactics. Scrutinizing our products from that perspective can help us to stop problems before they reach our users. Golden paths are a common UX practice; now we must consider another user, the bad actor, who wants to exploit the golden path.

By understanding how different user groups interact with our products, we can adapt UX to support security measures that are matched to rapidly evolving behaviors and system interactions from our users and their potential attackers.

A security example with UX learnings

One of our cultural tenets at Microsoft is embracing a growth mindset. No product or product maker is perfect and when issues arise, it’s paramount to explore how and why something happened and use that insight to catalyze collective change. A past issue with Teams, for example, offers tangible and valuable lessons for all product makers. We’ve seen threat actors mimic legitimate Teams communications to trick users into providing credentials or clicking on malicious links. They then used stolen credentials and compromised accounts to infiltrate systems and steal data, with phishing messages crafted to look highly convincing.

This highlights the importance of a systemic approach; you need to reduce user exposure to attacks by addressing vulnerabilities throughout the system and design UI that empowers users to recognize and mitigate these threats when they may occur. From a UX perspective, our security prompts and warnings were not prominent or clear enough to deter users from interacting with suspicious content.

In turn, we needed to respond with an array of design initiatives: better visualization of potential threats, clearer warnings, and user education mechanisms to improve phishing detection and response. At Ignite 2024, Teams released new interaction patterns to warn users about deceptive communications and outreach they might encounter from external sources. This included exposing fake users’ emails to reveal their true identity. An ongoing effort, Teams continues to focus on this and other critical facets of secure experiences.

From confusing interfaces to inadequate user education and misleading design elements, this example helps us understand that UX implemented without proper security can be a potential avenue for attacks.

Guidelines and practices: Making your user experiences secure by design

Now that you understand how UX can create more secure and empowered user experiences, let’s explore the toolkit itself. This guidance is the result of hundreds of hours of research, from humbling conversations with security specialists to learning from industry frameworks from expert organizations like CISA and NIST. After testing it with twenty product teams at Microsoft, we released it to all Microsoft employees in November 2024. Much as we did with the Inclusive Design movement, our aim is to create a starting point for meaningful change and to help anyone spark conversations—within and beyond Microsoft.

To help catalyze that, we’ve curated a robust selection of our fuller internal Secure by Design: UX Toolkit. It is anchored around two core guidelines, each with a corresponding set of best practices, conversation cards, and workshop tools to facilitate conversation. These are:

1) Incorporate security into every stage of product development. This guideline focuses on how to add security to UX planning, strategy, and tactical efforts. The best practices it applies to include security objectives and measures of success, threat modeling, usability testing, design sprints and reviews, and architecture reviews.

2) Build and ship secure, intuitive UX. The best practices this guideline focuses on are protecting identity and safeguarding access, using data to improve security, making default options secure, and providing ongoing user communication.

Within Microsoft, we’ve been steadily driving toolkit adoption through targeted coaching, training, cultural change, and embedding best practices into product development processes. By leveraging this work, here are some examples of process changes we’ve seen during product development:

• Setting measurable user success objectives on UX security-related tasks.

• Evaluating key security interactions like login, account recovery, or permission granting for points where threat actors might exploit common user behavior or assumptions.

• Scheduling audits of threat scenarios to assess emerging risks in user journeys, especially when new features are introduced.

• Testing how users perform essential security actions, like managing permissions or changing passwords without confusion or heavy cognitive load.

• Including security checkpoints in design and architecture reviews to evaluate all features for vulnerabilities and ensure a net-positive user experience. Outlining where security tasks may create friction and identify opportunities to simplify or educate.

As you begin applying this guidance to your own work, we’d love to learn from you as well. As a continuously evolving effort, we know there is still much work to do and we’re eager to improve in partnership with the community.

It’s all about growth mindset and trust

Meaningful change requires a deep level of engagement and reflection, and we’re challenging product makers to uplevel our growth mindset, security, and critical thinking skills. Not all of the work will be new or relevant to all, and our hope is that you can leverage what is useful for you.

Security and trust go hand in hand. Secure by Design: UX is about turning that trust into action, giving product makers tools to embed security into every user experience. Born out of SFI and aligned with the principle of Secure by Design, this work ensures security isn’t just considered but intentionally designed from the start. By integrating security into the UX process, we aim to create products that are both intuitive and resilient by default, advancing our shared commitment to a more secure future. Get started with our toolkit here.

I am grateful to the entire extended team at Microsoft for their contributions to this effort. Special thanks to Joel Williams, Venita Subramanian, Jeff Matarrese, and Amy Keeney for leading the way.