Secure design: how UX can support IT security in a bank application

When developing a banking application, we have to comply with so many regulations, directives, and technological requirements that it's easy to overlook one crucial aspect. Many experts have to be involved: beyond the product manager, architects, developers, software testers and legal advisors, two people on the team matter especially here: the IT security professional and the UX designer. But what does the collaboration between design and IT security really mean?

Design: the first line of defense

"If the secure solution is not also the easy, convenient, or practical one, users will find a way to bypass controls for their own comfort or efficiency."

Miklós Zakar, Senior IT Security Expert, BinX Zrt.

Good UX design fosters intuitive and seamless interactions with digital systems, reducing the likelihood of user errors that can lead to security vulnerabilities. However, UX can’t prevent fraudulent app usage if IT security experts haven’t designed the system to be secure enough.

Mitigate risks

Secure usability is essential in ensuring that security measures are both effective and user-friendly. Overly complex or unclear mechanisms, such as password management or two-factor authentication, can lead users to bypass them by using weak passwords or ignoring warnings.

UX designers play a key role in making security features intuitive and accessible. Additionally, user awareness and education are crucial — a well-designed UI should communicate security risks, like phishing warnings, without overwhelming users or causing “security fatigue.”

Lastly, thoughtful UX design helps prevent errors that could compromise security, such as unintentionally changing privacy settings or sharing sensitive data, by guiding users toward safe interactions. Poorly designed interfaces can overwhelm users with security settings, leading them to make mistakes or, worse, ignore them altogether. If users are unsure whether a transaction is secure or a login page is legitimate, they are more likely to fall victim to phishing scams or fraudulent activity.

A well-designed UX mitigates these risks by implementing clear visual cues, structured workflows, and non-intrusive security prompts that educate rather than frustrate users. For example, banking applications can incorporate inline guidance to help users recognize suspicious activity, highlight secure default settings, and provide real-time feedback on potential security missteps. Consistency in design also plays a key role — when users become familiar with a bank’s interface patterns, they are more likely to notice anomalies.

Joint effort is necessary

For security policies and procedures to be effective, they must be accessible and easy to follow. When security measures are cumbersome, users may bypass them, increasing risk exposure. However, every security control that does not strictly require user involvement must be built into the process in a fixed, unavoidable way, without the user even noticing. Such controls are no longer a design question.

User participation is necessary in the following cases:

1. Password – mandatory

a) Setup: users are required to create a strong password. A common requirement is to use at least three of the four character types (lowercase, uppercase, numbers, special characters). Note that current guidance (NIST SP 800-63B) favours a minimum length and screening against known-compromised passwords over such composition rules, because the rules alone push users toward predictable patterns such as a capitalised word followed by a digit and an exclamation mark.

b) Reset: typically, a reset link is sent to the user's registered email. This method is secure only if the attacker has not also gained access to the user's email account, and only if the token in the link is unpredictable, short-lived and single-use. The reset flow must also not become a way around 2FA, and the user should be notified whenever a reset is requested or completed.
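Items 1a and 1b above, as an added worked example in Python (this is not code from the page or from any bank named here). It keeps the page's three-of-four-classes rule and adds the length floor and breach-list screen that NIST recommends, then shows a reset token that is random, stored server-side only as a hash, time-limited, single-use and invalidated by any newer token for the same user. The blocklist and the in-memory token store are constructed stand-ins for a breach corpus and a database table; the 12-character floor and 15-minute lifetime are assumed policy values.

```python
import hashlib
import secrets
import string
import time
from typing import Dict, List, Optional

# Constructed stand-in for a breached-password corpus (in production: a full
# breach list or a k-anonymity lookup against a service such as HIBP).
BREACHED = {"password1!", "qwerty123!", "welcome1!"}

MIN_LENGTH = 12                 # assumed policy floor (NIST 800-63B asks for at least 8)
TOKEN_TTL_SECONDS = 15 * 60     # assumed reset-link lifetime


def password_policy_errors(password: str, username: str = "") -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < 3:                          # the page's "3 of 4 character types" rule
        errors.append("fewer than 3 of 4 character classes")
    if password.lower() in BREACHED:              # composition rules do not catch "Password1!"
        errors.append("appears in a breach corpus")
    if username and username.lower() in password.lower():
        errors.append("contains the username")
    return errors


# token_hash -> record; in-memory stand-in for the database table.
_reset_tokens: Dict[str, dict] = {}


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user: str, now: Optional[float] = None) -> str:
    """Create the token that goes into the e-mail link; only its hash stays server-side."""
    now = time.time() if now is None else now
    for rec in _reset_tokens.values():            # a newer request supersedes older links
        if rec["user"] == user:
            rec["used"] = True
    token = secrets.token_urlsafe(32)             # 256 bits from the OS CSPRNG
    _reset_tokens[_hash(token)] = {"user": user, "expires": now + TOKEN_TTL_SECONDS, "used": False}
    return token


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user the link belongs to, or None if it is unknown, expired or already used."""
    now = time.time() if now is None else now
    rec = _reset_tokens.get(_hash(token))         # a dump of the table yields no usable token
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    rec["used"] = True                            # single use: the link dies on first redemption
    return rec["user"]


if __name__ == "__main__":
    print(password_policy_errors("Password1!"))   # fails on length and breach list despite 4 classes
    link_token = issue_reset_token("alice")
    print(redeem_reset_token(link_token))          # alice
    print(redeem_reset_token(link_token))          # None: replayed link
```

The reset completes by setting the new password through the same policy check and should end all other sessions of that user; if 2FA is enrolled, the second factor is still required at the next login.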

2. 2FA (two-factor authentication, the most common form of multi-factor authentication) – mandatory

Two-Factor Authentication (2FA) enhances security by requiring two different types of verification out of three: something you know (password/PIN), something you have (cellphone, personal computer), and something you are (biometrics). This blocks unauthorized access even if the password alone is compromised. Real-life examples tell the best stories:

a) Unicredit Bank:

  • On PC: a security code sent via SMS to a separate channel (mobile) must be entered into the PC application. SMS is the weakest of the options listed here, since codes can be phished in real time or intercepted after a SIM swap.

  • For users of both PC and mobile apps: a One-Time Password (OTP) generated in the mobile app is required on the PC application.

  • In the mobile app: user authentication requires a combination of user ID, password, and an additional secret known to the user. On smartphones, the next level is the phone's biometric authentication system for identity verification.

b) MBH Bank (formerly Budapest Bank) & ERSTE Bank:

  • On PC: a security code sent via SMS to a separate channel (mobile) must be entered into the PC application. Higher security option: a QR code is generated on the PC screen, which the user scans with the already-enrolled mobile app to approve the login.

  • In the mobile app: the process is similar to Unicredit’s, becoming a standard approach in banking apps.
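The "One-Time Password (OTP) generated in the mobile app" in the examples above is normally a time-based OTP per RFC 6238, built on HOTP (RFC 4226). The following is an added example in Python, not the implementation of any bank named here: the phone side derives the code from a shared secret and the current 30-second step; the server side recomputes it within a window of one step either way to tolerate clock skew, compares in constant time, and refuses any step at or below the last one it accepted, so a code captured by a phishing page cannot be replayed. The secret is the RFC 6238 test-vector secret, embedded so the output is reproducible; a real enrolment generates a fresh random secret per user and hands it to the app once, typically as a QR code.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 test-vector secret ("12345678901234567890" in Base32). Embedded for
# reproducibility only; per-user secrets must be random and stored encrypted.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238, the phone side: HOTP over the number of `step`-second intervals since the epoch."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // step), digits)


class TotpVerifier:
    """The server side for one enrolled user.

    Accepts the code for the current step or its neighbours (clock skew), and never
    accepts a step at or below the last one consumed, so a captured code cannot be replayed.
    """

    def __init__(self, secret_b32: str, step: int = 30, window: int = 1, digits: int = 6):
        self.secret_b32 = secret_b32
        self.step = step
        self.window = window
        self.digits = digits
        self.last_accepted_step = -1          # persisted per user in a real deployment

    def verify(self, submitted: str, at: Optional[float] = None) -> bool:
        at = time.time() if at is None else at
        current = int(at // self.step)
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_accepted_step:
                continue                      # already used, or older than one already used
            expected = hotp(self.secret_b32, candidate, self.digits)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed exchange: the app shows a code, the user types it into the PC application,
    # the server checks it; the same code presented again is refused.
    now = time.time()
    server = TotpVerifier(DEMO_SECRET_B32)
    code_on_phone = totp(DEMO_SECRET_B32, at=now)
    print("code shown on phone:", code_on_phone)
    print("first submission accepted:", server.verify(code_on_phone, at=now + 3))
    print("replay accepted:", server.verify(code_on_phone, at=now + 5))
```

Rate-limit the verify endpoint as well: a six-digit code has only a million values, and a window of three steps triples the odds of a blind guess.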

3. 3D Secure (3DS) approval

The 3D Secure protocol provides an additional layer of protection for e-commerce payments. To complete a transaction, the cardholder must confirm their identity by providing two of the following three factors: knowledge (something only the user knows), possession (something only the user possesses), and inherence (something the user is). The card networks provide the platform for this service, while banks integrate the verification interface into their applications and enhance their business and security processes.

“PSD2 introduced the SCA (Strong Customer Authentication) requirement, making it mandatory for banks to apply strong authentication to certain financial transactions. Strong authentication refers to multi-factor authentication (MFA), where a card is just one part of the process. Previously, card transactions did not require mandatory authentication. At the time of the new regulations’ introduction, purchase authentication relied solely on SMS OTP, known as 3DS. During that time, it was still debated whether the card itself could be recognized as a "knowledge" factor to ease the card credentials, but this was later rejected, requiring the SCA process to be supplemented with additional authentication factors. Later, 3DS underwent major enhancements, allowing for much richer message content, which led to a shift towards frictionless authentication processes that continue to improve today.”

Kristóf Belucz, Head of Payment Cards Department, BinX Zrt.

4. Biometric authentication

A banking app uses biometric authentication (fingerprint or facial recognition) to enhance both security and user experience. Instead of manually entering a password or OTP at every login, users unlock the app with a quick fingerprint scan or facial recognition. The biometric check itself happens on the device, in the operating system and usually its secure hardware; what the bank receives is an assertion from a key bound to that device, which the biometric unlocks. This reduces reliance on passwords and resists phishing, because there is no reusable secret to type into a fake page, and a leaked password alone is not enough to log in from another device. The caveats: the phone's passcode normally serves as the fallback, and device enrolment is the moment an attacker would try to register their own phone, so passcode strength and a well-guarded enrolment flow matter as much as the biometric.

Good UX makes security effortless by embedding it into workflows without disrupting efficiency. Clear guidance, intuitive alerts, and secure defaults help users comply naturally. For this to work, IT security and UX must collaborate from the start — not as separate advisors, but as core contributors shaping product requirements. IT security experts identify risks and compliance needs, while UX designers translate them into user-friendly experiences. Early collaboration enables usability testing and security workshops, ensuring policies align with human behavior. Security should be an invisible safeguard, not a user burden. By designing security to be intuitive, banking apps can enhance protection while maintaining a seamless user experience.

IT security: the (wannabe) invisible (but still effective) defense

Banks handle vast amounts of personal and transactional information, making them prime targets for cyberattacks, fraud, and data breaches. Strong authentication measures, such as multi-factor authentication and biometric verification, help prevent unauthorized access, while encryption safeguards data both in transit and at rest.

Secure design principles

Imagine securing a banking app: you would not rely on a single safeguard. You would layer controls such as encryption, two-factor authentication (where the UX designer has an important role) and fraud detection, so that if one defense fails another is still in place (Defense in depth). For fraud detection, UX is not even a question: it should be invisible to the user. If a system error occurs, users should be informed and, where possible, able to resolve it, but if the error affects a security control the app must deny access rather than let the user through; everything defaults to a secure state (Fail safe).

Employees and users should only have access to the data and functions necessary for their role, like a teller being able to process transactions but not approve loans (Least privilege). Here the UX designer's role is to help build an administrative platform where access levels can be set. If a large transfer is requested, requiring two approvals from people other than the requester prevents fraud or accidental errors (Separation of duties), and the app should be designed simply so that security settings aren't confusing or easy to misconfigure (Economy of mechanism). Every request a user makes, whether a login or a transfer, should be authorized on its own by the server, not assumed valid because an earlier request in the session was (Complete mediation).

The app's security rests on unique encryption keys and MFA, so that the user's keys and credentials, not the secrecy of the mechanism, are its safeguard: even an attacker who knows the workflow in full cannot bypass it without them (Open design). Customers and employees with different access levels should share no more components than necessary, for example separate customer and administration portals rather than one portal with a role flag (Least common mechanism). But if security measures are too frustrating, such as a multi-step login on every use, users may disable 2FA or reuse weak passwords, creating vulnerabilities (Psychological acceptability)*. And no matter how strong the encryption is, if a customer service portal allows password resets with just a birthdate, that becomes the easiest way in (Weakest link). There will always be a weakest link, even after all known vulnerabilities have been avoided, which is why security audits and penetration tests are essential; assume one exists until testing has found it. This is not a design question. Instead of building custom security features from scratch, banks should rely on well-tested, industry-standard frameworks and libraries to avoid introducing unnecessary risks (Leveraging existing components).

Good security in banking apps isn’t just about strict policies — it’s about making protection seamless, intuitive, and resilient to real-world threats while keeping users both safe and engaged.

*Disclaimer: it’s important to declare that the strongest collaboration between IT security and UX design happens (or should happen) when it comes to psychological acceptability.

Teamwork for the win!

Without IT security involvement, UX designers may not fully understand or even recognize certain threats, making it difficult to create truly secure solutions. The primary goal is to protect users from security risks, which requires integrating security considerations into the design process from the start. When IT security collaborates with UX from the beginning of a project, designers gain a deeper awareness of potential vulnerabilities and can implement more effective safeguards, ensuring a seamless yet secure user experience.

Take, for example, a banking app that introduced a new “quick transfer” feature designed to let users send money with just a couple of taps. The UX team designed it for speed and convenience, but IT security quickly pointed out that without additional verification, it could be exploited by anyone who gained access to a user's unlocked phone. By working together, the teams found a balance: biometric authentication before high-value transfers, while small transfers stay frictionless. This prevented potential fraud while maintaining the fast and user-friendly experience customers wanted.
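The quick-transfer decision described above, together with least privilege, separation of duties, complete mediation and fail-safe defaults from the secure design principles section, as one added example in Python (not the code of any bank on this page). The role table, the amount thresholds and the 60-second freshness window for a biometric step-up are assumptions. The biometric itself is modelled only as the timestamp of the last device-verified assertion, because the server never sees biometric data; any input the policy does not recognise is denied.

```python
import time
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed role table; a real deployment loads this from the admin-managed policy store
# that the least-privilege paragraph describes.
ROLE_PERMISSIONS = {
    "customer":     {"transfer"},
    "teller":       {"transfer", "view_account"},
    "supervisor":   {"view_account", "approve_transfer"},
    "loan_officer": {"view_account", "approve_loan"},
}
STEP_UP_LIMIT = 50_000           # assumed: customer transfers above this need a fresh biometric assertion
STEP_UP_MAX_AGE = 60             # assumed: seconds an on-device biometric assertion stays fresh
DUAL_APPROVAL_LIMIT = 1_000_000  # assumed: staff transfers above this need two independent approvers


@dataclass
class Session:
    user: str
    role: str
    # Time of the last assertion signed by the phone's device-bound key after a biometric
    # unlock. None means the user has never stepped up in this session.
    last_biometric_at: Optional[float] = None


@dataclass
class Transfer:
    ref: str
    requester: str
    amount: int
    to_new_payee: bool = False
    approvals: Set[str] = field(default_factory=set)


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(session: Optional[Session], action: str,
              transfer: Optional[Transfer] = None, now: Optional[float] = None) -> Decision:
    """Evaluate one request from scratch; nothing is inherited from an earlier call (complete mediation)."""
    now = time.time() if now is None else now
    if session is None:
        return Decision(False, "no session")                         # fail safe
    perms = ROLE_PERMISSIONS.get(session.role)
    if perms is None:
        return Decision(False, "unknown role")                       # fail safe
    if action not in perms:
        return Decision(False, f"{session.role} may not {action}")   # least privilege
    if action != "transfer":
        return Decision(True, "permitted")
    if transfer is None:
        return Decision(False, "transfer without payload")           # fail safe
    if session.role == "customer":
        # Quick transfer: small amounts to known payees go through; larger amounts or a
        # new payee need a biometric assertion made within the last STEP_UP_MAX_AGE seconds.
        needs_step_up = transfer.amount > STEP_UP_LIMIT or transfer.to_new_payee
        fresh = (session.last_biometric_at is not None
                 and 0 <= now - session.last_biometric_at <= STEP_UP_MAX_AGE)
        if needs_step_up and not fresh:
            return Decision(False, "step-up required")
        return Decision(True, "step-up satisfied" if needs_step_up else "frictionless")
    # Staff-initiated transfer: large amounts need two approvers other than the requester.
    if transfer.amount > DUAL_APPROVAL_LIMIT:
        independent = transfer.approvals - {transfer.requester}
        if len(independent) < 2:
            return Decision(False, f"needs 2 approvals, has {len(independent)}")
    return Decision(True, "permitted")


def approve_transfer(session: Optional[Session], transfer: Transfer) -> Decision:
    """Record an approval; the approver must hold the right and must not be the requester."""
    gate = authorize(session, "approve_transfer")
    if not gate.allowed:
        return gate
    if session.user == transfer.requester:
        return Decision(False, "requester cannot approve own transfer")   # separation of duties
    transfer.approvals.add(session.user)
    return Decision(True, f"{len(transfer.approvals)} approval(s)")


if __name__ == "__main__":
    alice = Session("alice", "customer")
    print(authorize(alice, "transfer", Transfer("t1", "alice", 2_000)))      # frictionless
    print(authorize(alice, "transfer", Transfer("t2", "alice", 80_000)))     # step-up required
    alice.last_biometric_at = time.time()
    print(authorize(alice, "transfer", Transfer("t2", "alice", 80_000)))     # step-up satisfied
```

Two points the code makes that the prose only states: the freshness check is on the server's clock, so a step-up done an hour ago in the same session does not carry over to a new high-value transfer, and the approval counter subtracts the requester before counting, so a supervisor who initiates a transfer cannot supply one of the two signatures it needs.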

It's also important to highlight the role of seamless and secure solutions in product aftercare. When security features are intuitive, fewer users need IT support for tasks like password resets or account recovery. This not only improves security, but also helps reduce operational costs for businesses. A well-designed password recovery system, for example, can guide users through secure verification steps without them needing to call customer support — saving time for both customers and the company.

Enhance collaboration

To create a secure and user-friendly digital environment, UX designers and IT security professionals must work together. Here’s how collaboration can be fostered:

  • Workshops: security teams can educate UX designers on potential threats, while UX professionals can demonstrate how usability impacts security adherence. Regular workshops ensure both teams remain aligned.

  • Testing: traditional penetration testing should be complemented with usability testing of security features. Gathering user feedback helps refine security implementations for better adoption.

  • Design thinking: by incorporating design thinking methodologies, security professionals can work with UX teams to create solutions that are both secure and user-friendly, ensuring security measures enhance rather than hinder the user experience.

Conclusion

UX design and IT security must go hand in hand to create a safe digital experience. Poor UX can lead to security vulnerabilities by encouraging risky behavior, while well-designed interfaces can help prevent breaches by making security seamless and intuitive. However, it is important to note that UX design can only address a small fraction of potential security issues, as most stem from OS or platform vulnerabilities, insecure code, or poorly designed architectures. Therefore, design should not take on more responsibility than necessary.

In a banking application, UX design plays a supporting role in security planning. The designer acts as the user’s advocate, ensuring clarity and usability, but cannot make security-critical decisions.

By integrating UX considerations into the secure development process and fostering collaboration between security professionals and UX designers, organizations can ensure both strong security and excellent user experiences. In the end, security is only as strong as its usability.
