
ScotAccount – Usability by design and default

August 2, 2024 | Category: Digital Identity, Digital Scotland, ScotAccount

Laurie Brown, Digital Information Security Officer, provides strategic information security direction, assurance, and governance across a number of Scottish Government digital public services including the work to introduce ScotAccount.

ScotAccount is the secure and simple way to access public services online.

It makes accessing services easier because you can use one account to sign in to a variety of services. You can also verify your identity, if necessary, and choose to save your verified personal information in your ScotAccount, so you can use it again when applying for other public services.  

Our approach towards security

In my original blog, I introduced you to the three principles I use to embed security in service design. Following on from my second blog, ‘Privacy by design and default’, and my third blog, ‘Security by design and default’, I now share more detail on the last of those three principles: ‘Usability by design and default’.

In my previous blog on security by design and default, I mentioned that through effective risk management, security governance and assurance, we are well placed to strike a good balance: making ScotAccount secure and efficient without breaking it or making it unusable. This gives stakeholders confidence that the security programme is visibly and verifiably operating to the stated security objectives and meets the principles of an ethical digital nation.

I want to focus this final blog on how we keep the needs of our users uppermost, to ensure the service is as accessible and easy to use as possible, thus providing an excellent user experience. 

This sounds easier than it is. Achieving the most valuable design can require a delicate balance to ensure that the security programme does not hinder the usability of a service.

As an example, under the Web Content Accessibility Guidelines (WCAG) it is considered reasonable to time out a session after a period of 20 hours with no user action on a web page, logging the user out with possible loss of data. At the other end of the scale, the Open Worldwide Application Security Project (OWASP) recommends a timeout of 15-30 minutes, reducing to 2-5 minutes for high-value services. Clearly, a balance needs to be agreed here so that the service is usable, accessible and digitally inclusive, while also remaining secure and efficient.
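The balance described above can be made concrete in code. The following is an added example written for this post, not ScotAccount's own implementation: it applies a tiered idle timeout drawn from the OWASP ranges quoted above (20 minutes for a standard service, 5 minutes for a high-value one), combined with an accessibility-friendly warning window and a user-initiated extension, in the spirit of the WCAG "extend" option (warn the user before the limit and let them extend it a bounded number of times). The tier names, limits, warning window, extension cap and absolute lifetime are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Tier(Enum):
    STANDARD = "standard"       # assumption: routine services
    HIGH_VALUE = "high_value"   # assumption: services handling verified identity data


# Assumed idle-timeout budgets, taken from the OWASP ranges quoted in the post.
IDLE_LIMIT = {
    Tier.STANDARD: timedelta(minutes=20),
    Tier.HIGH_VALUE: timedelta(minutes=5),
}
WARNING_BEFORE = timedelta(minutes=2)   # assumption: warn the user this long before expiry
ABSOLUTE_LIMIT = timedelta(hours=8)     # assumption: hard lifetime regardless of activity
MAX_EXTENSIONS = 10                     # assumption: bounded so extension cannot defeat the limit


@dataclass
class Session:
    tier: Tier
    created_at: datetime
    last_activity: datetime
    extensions: int = 0


def status(session: Session, now: datetime) -> str:
    """Return 'active', 'warn' or 'expired' for the session at time `now`.

    'warn' is the window in which the UI should show a warning and offer
    the user a simple action to stay signed in; 'expired' means the server
    must reject the session token and require a fresh sign-in.
    """
    if now - session.created_at >= ABSOLUTE_LIMIT:
        return "expired"
    idle = now - session.last_activity
    limit = IDLE_LIMIT[session.tier]
    if idle >= limit:
        return "expired"
    if idle >= limit - WARNING_BEFORE:
        return "warn"
    return "active"


def touch(session: Session, now: datetime) -> bool:
    """Record genuine user activity, resetting the idle clock. Returns False if already expired."""
    if status(session, now) == "expired":
        return False
    session.last_activity = now
    return True


def extend(session: Session, now: datetime) -> bool:
    """User chose 'stay signed in' from the warning. Counts as activity but is capped."""
    if status(session, now) == "expired" or session.extensions >= MAX_EXTENSIONS:
        return False
    session.extensions += 1
    session.last_activity = now
    return True


def demo() -> dict:
    """Walk one standard-tier session through active, warn and expired states."""
    t0 = datetime(2024, 8, 2, 9, 0, tzinfo=timezone.utc)   # constructed sign-in time
    s = Session(Tier.STANDARD, created_at=t0, last_activity=t0)
    out = {"at_10m": status(s, t0 + timedelta(minutes=10)),
           "at_18m": status(s, t0 + timedelta(minutes=18))}
    out["extended"] = extend(s, t0 + timedelta(minutes=18))
    out["after_extend"] = status(s, t0 + timedelta(minutes=18))
    out["at_40m"] = status(s, t0 + timedelta(minutes=40))
    return out


if __name__ == "__main__":
    print(demo())
```

A server should evaluate `status` on every request (the client-side warning is a courtesy, not the control), and the absolute lifetime prevents an unbounded chain of extensions from keeping a token valid indefinitely.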

In addition to balancing specific technical aspects such as timeouts, more fundamental product features also require careful planning around privacy, security and usability by design and default. Rather than talking about trade-offs between usability and security, it is more useful to ask whether a product needs to be used in a particular way for it to be secure; if so, security at times depends on usability.

An example of this would be authentication, where a username and password are commonly used to log into a service such as ScotAccount.   

ScotAccount supports the use of long and unusual passwords. This helps mitigate the risk of password compromise from attacks such as password spraying, where a criminal uses a list of commonly used passwords to acquire login credentials, and credential stuffing, where a criminal uses credentials obtained from other attacks in the likely event that someone has used the same password across several online services. Incidentally, services such as “Have I Been Pwned” can help you determine whether your email address and password have been stolen in known data breaches from around the world. I would recommend checking your email address against this site and changing passwords and/or email address if you feature on the list.

However, if passwords are forced to be long, complex and hard to guess, people will likely write them down or reuse passwords from other services. Security has therefore affected usability and almost certainly made the user’s account less secure. Whilst I think ScotAccount has found a good balance regarding passwords, perhaps not having passwords at all would be even better. This is something ScotAccount will be exploring as part of our continuous improvement of the service.
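To illustrate the two paragraphs above, here is an added example (my own illustration, not ScotAccount's password policy or code). It places a legacy "composition rule" checker next to a length-based policy that welcomes long passphrases and instead rejects passwords already seen in breach corpora. The breach check mirrors the k-anonymity range model used by Have I Been Pwned (look up by the first five characters of the SHA-1 hash, then compare the remainder locally), but it runs entirely offline against a small constructed list, not the real service. The minimum and maximum lengths, the sample breached passwords and the problem codes are all assumptions.

```python
import hashlib
from typing import Dict, Iterable, List, Set

MIN_LENGTH = 12    # assumption: length is the main strength lever, no composition rules
MAX_LENGTH = 128   # assumption: long passphrases welcome; cap only bounds hashing cost

# Constructed stand-in for a breach corpus (a real deployment would load a
# published breached-password dataset, not this list).
CONSTRUCTED_BREACHED = ["password", "Password1", "qwerty123", "Summer2024!", "letmein"]


def legacy_composition_ok(password: str) -> bool:
    """The older style of rule: at least 8 chars with upper, lower, digit and symbol.

    Shown as the 'before' policy: it accepts many breached passwords and rejects
    memorable passphrases, which is exactly the usability/security tension above.
    """
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the representation used by the range-query model."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: Iterable[str]) -> Dict[str, Set[str]]:
    """Index breached passwords as 5-char hash prefix -> set of 35-char suffixes."""
    index: Dict[str, Set[str]] = {}
    for pw in breached:
        digest = sha1_upper(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def is_breached(password: str, index: Dict[str, Set[str]]) -> bool:
    """Only the 5-char prefix would leave the client; the suffix match is done locally."""
    digest = sha1_upper(password)
    return digest[5:] in index.get(digest[:5], set())


def check_password(password: str, index: Dict[str, Set[str]],
                   user_identifiers: Iterable[str] = ()) -> List[str]:
    """Return a list of problem codes; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if len(password) > MAX_LENGTH:
        problems.append("too_long")
    if is_breached(password, index):
        problems.append("breached")
    lowered = password.lower()
    if any(ident and ident.lower() in lowered for ident in user_identifiers):
        problems.append("contains_identifier")
    return problems


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_BREACHED)
    for candidate in ["Summer2024!", "correct horse battery staple"]:
        print(candidate, "| legacy:", legacy_composition_ok(candidate),
              "| modern:", check_password(candidate, idx, ["alice"]))
```

Running it shows the reversal the post describes: `Summer2024!` satisfies every composition rule yet is flagged as breached, while the four-word passphrase fails the legacy rule and passes the modern one. The checker should be applied at registration and password change, and the breach lookup should never send the full password or full hash anywhere.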

For now though, there are several other methods available to help protect authentication, and ScotAccount currently offers multi-factor authentication, also called 2-step verification as one example of this.   

Multi-factor authentication is an excellent example of where the ScotAccount security programme chose not to trade-off usability and security.   

Online statistics suggest that 13% of adults do NOT own a smartphone, rising to 31% of people over 65 years of age. Therefore, from a product roadmap perspective, it was felt that when ScotAccount first launched, offering multi-factor authentication by text message to a mobile phone and by voice message to a landline phone would reach a wider audience than an authenticator app on a smartphone, despite text message in particular being less secure. As part of continuous improvement, ScotAccount will further extend multi-factor authentication support to include the option of an authenticator app.

Digital inclusion 

Even within this usability by design and default principle, there is always room for improvement. As highlighted by Shahid Khan in his blog on digital mindsets, 19% of people in Scotland do not have confident digital skills. There will be other barriers to using ScotAccount, including lack of access to technology, lack of confidence and lack of trust. Exciting initiatives like our CivTech challenge to explore vouching as a way of strengthening identity verification will definitely help break down some of those barriers.

Tackling those barriers, ensuring we remain clear, open, and honest about how ScotAccount is operating is vital. Continuing to meet the principles of an ethical digital nation, and supporting the work of the Scottish Government Digital Citizen Unit to ensure no one is left behind will be crucial in maintaining the levels of trust and confidence required for us all to thrive in a digital world. 

Closing remarks 

I hope this series of blogs has offered a little insight into how the principles of privacy, security and usability by design and default are each being approached, and how the integration of these can support the most valuable design. Hopefully, they also go some way to demonstrating how ScotAccount is striving to meet people’s expectations of how they want to interact with government, securely and in a manner which protects their privacy. 

There is a strong sociotechnical aspect underpinning these principles. The National Cyber Security Centre is funding the Research Institute for Sociotechnical Cyber Security and I follow its research work across the various themes with interest in order to challenge my privacy, security and usability by design and default principles, to help ensure ScotAccount and all the other digital public services I support are benefitting from them. 

How to contact the team 

You can subscribe to the Scottish Government Digital Scotland newsletter for regular updates on ScotAccount and other digital projects.

If you work for a public service organisation and are interested in finding out more about ScotAccount, or to access our test environment, you can get in touch with the team by emailing: scotaccount@gov.scot 
