UX and security, so often traded off against each other. Can't we have both?

In this day and age of frequent large-scale data breaches and compromised passwords, security is rightly being talked about more.

Unfortunately, this is often at the expense of user experience. Can't we have both?

The simple answer is no, but the longer answer is a more complicated yes and no.

As with most things it boils down to context. Context that's specific to the requirements of the individual.

A verified Twitter user with millions of followers will want to lock down their account, change their password regularly and have 2FA enabled.

On the other hand, someone who doesn't Tweet often, isn't a target for hackers and doesn't care too much about someone pinching their account, may well favour the usability angle of not having to fuck about with authentication codes for every sign-in.

Where possible, companies should evaluate the risk to their users of a breach and shape their login policies accordingly.

For example, logging in to Tesco's Clubcard site requires you to have the card on hand and enter some of its digits as a primitive form of 2FA. All that just to see how many points/vouchers you have.

On the flip side, there are sites out there that store payment authentication where you can log straight in with a low-entropy password and order products.

There are also some frankly horrible examples of UX. The place I order my coffee from has a bizarre approach to passwords, whereby they strip out special characters (generated by LastPass in my case) without telling the user. The first time you know something is wrong is when you can't log in. With the password that LastPass generated. Clearly, it's been typed correctly, because it was saved when LastPass generated it - there's zero margin for error there. So you wonder what's afoot. In my case it took another password reset and the same thing happening to cotton on. I manually removed the special characters from the stored LastPass password and was able to log in.

It's bad enough limiting the character set and length of passwords as so many places do, but to not even tell the user is horrific and the developer that did that should have their IDE license revoked. (If they're even using an IDE, which is unlikely.)
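To make the failure mode concrete, here is an added example (my own illustration, not the coffee site's code or anything from the original post). The first pair of functions reproduces the behaviour described above: registration quietly drops non-alphanumeric characters before hashing, while the login path hashes exactly what was typed, so a manager-generated password fails until the user strips the special characters themselves. The second pair is the pattern a defender wants instead: the password is never mutated, the only composition rule is length, the same Unicode normalisation is applied on both paths so they cannot disagree, and a rejected password produces a message that can be shown to the user. The PBKDF2 work factor, the length limits and the sample password are constructed assumptions.

```python
"""Added example: silent character stripping beside a policy that accepts the
full character set and rejects loudly. Not the post's or any site's code."""
import hashlib
import hmac
import os
import re
import unicodedata

PBKDF2_ROUNDS = 200_000  # assumption: illustrative work factor, tune per deployment
_NON_ALNUM = re.compile(r"[^A-Za-z0-9]")


def _derive(password: str, salt: bytes) -> bytes:
    # Hash the UTF-8 bytes; any Unicode string is acceptable input here.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# --- The bad pattern: registration strips characters, login does not -------------
def register_stripping(password: str) -> dict:
    """Silently removes non-alphanumerics before hashing. The user is never told."""
    cleaned = _NON_ALNUM.sub("", password)
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(cleaned, salt)}


def verify_as_typed(record: dict, password: str) -> bool:
    """Login path that hashes exactly what was typed, so the two paths disagree."""
    return hmac.compare_digest(_derive(password, record["salt"]), record["hash"])


# --- The hardened pattern: never mutate the secret; reject loudly, accept widely --
MIN_LEN, MAX_LEN = 8, 128  # assumption: length is the only composition rule


def validate_password(password: str) -> str:
    """Return the NFC-normalised password, or raise ValueError with a message
    that is safe to show to the user. Nothing is removed from the password."""
    normalised = unicodedata.normalize("NFC", password)
    if len(normalised) < MIN_LEN:
        raise ValueError(f"Password must be at least {MIN_LEN} characters.")
    if len(normalised) > MAX_LEN:
        raise ValueError(f"Password must be at most {MAX_LEN} characters.")
    return normalised


def register_hardened(password: str) -> dict:
    """Store a salted PBKDF2 hash of the validated, unmodified password."""
    pw = validate_password(password)
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(pw, salt)}


def verify_hardened(record: dict, password: str) -> bool:
    """Apply the same normalisation at login so registration and login agree."""
    normalised = unicodedata.normalize("NFC", password)
    return hmac.compare_digest(_derive(normalised, record["salt"]), record["hash"])


if __name__ == "__main__":
    generated = "qV7#x!Lm$2@pZ9&"  # constructed stand-in for a manager-generated password
    bad = register_stripping(generated)
    print("stripping site, login with generated password:", verify_as_typed(bad, generated))
    print("stripping site, login after removing specials by hand:",
          verify_as_typed(bad, _NON_ALNUM.sub("", generated)))
    good = register_hardened(generated)
    print("hardened site, login with generated password:", verify_hardened(good, generated))
```

Run as a script and the first line prints False, the second True, the third True, which is exactly the sequence of events in the coffee-site story. Note that the hardened version deliberately has no character-set rule at all: a limit on length is the only thing the server has a reason to enforce, and when it does, it says so in words the user will see.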

Security is important. Enormously so. User experience is too. We can have both; it's just that the quantities of each need to be appropriate for the use case.