Cybersecurity threats, such as phishing (fraudulent emails or messages), vishing (voice-based phishing attacks) and baiting (offering products for “free” to trick users into downloading malware), are spreading and evolving faster than organisations can react.
This is where Zero-Trust UX comes in. According to Caleb Uzuegbunam, Head of Design at Kenley, this approach bridges the gap between strict security frameworks and the everyday user experience.
Zero-Trust’s philosophy
Zero-Trust is usually called a network security model: “Never trust, always verify”. However, the expert suggests that this philosophy should also consider the role of users. “A flawed authentication or permission control can do more harm than good. Users will likely bypass it, which damages the trust in the product”, he explains.
The friction paradox
Fully embracing the Zero-Trust philosophy is not always straightforward. Caleb points to the “friction paradox” in security UX: “Accessing the product shouldn’t be too easy or too difficult – the first is insecure, and the latter is annoying. Finding the right balance between security and user experience is necessary”, he says.
For instance, adding a complex multi-step verification to every login might seem safe. However, there is an issue: that friction pushes users towards risky workarounds, such as saving credentials in insecure notes for faster access. Conversely, relying on a single biometric unlock with no step-up authentication for risky situations (a new device, an unusual location, a sensitive action) leaves an entry point open.
Principles of Zero-Trust UX design
Based on significant experience in creating secure systems for organisations, Caleb outlines his main guiding principles:
- “Don’t ask for more than is needed”. If a user’s device, location, and behaviour are consistent with past behaviour, allow low-friction access. Only if something changes (such as a new device or unexpected geolocation) require stronger verification.
- “Explain why an extra verification is needed”. Users will comply with multi-layered authentication if they understand the reason. Therefore, it is more beneficial to surface a message such as “We noticed a login attempt from a new location” rather than a mere “Verification required.”
- “Use your brand’s tone and visuals”. Security touchpoints are an integral part of your product’s design, and a generic warning screen might feel out of place in the rest of the experience. Instead, maintain your style even in the most serious verification steps.
- “Give users a choice”. Offer verification through multiple secure channels, such as app push notifications, hardware tokens, or biometrics, so that users can choose the secure method that is most convenient for them.
- “Minimise cognitive load”. This implies avoiding jargon and indicating the progress of authentication (for example, displaying the remaining steps). Users feel in control if they understand what is happening and what is next.
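As an added illustration of the “don’t ask for more than is needed”, “explain why” and “give users a choice” principles above (example code written for this article, not Kenley’s or any product’s policy engine), the Python below compares a sign-in attempt with what is already known about the user, picks an assurance level, returns plain-language reasons instead of a bare “Verification required”, and offers the user’s enrolled methods in their preferred order with a fallback when one fails. The signal set, thresholds, method names and the sample history are assumptions made for the example.

```python
"""Risk-adaptive step-up decision for a sign-in or sensitive action.

Added example for this article. The signals, thresholds and method names
are assumptions, not any product's real policy.
"""
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    LOW = 1     # existing session, passcode or biometric unlock is enough
    MEDIUM = 2  # one additional factor, channel chosen by the user
    HIGH = 3    # phishing-resistant factor (hardware token / passkey) if enrolled


PHISHING_RESISTANT = {"hardware_token", "passkey"}
SENSITIVE_ACTIONS = {"add_payee", "change_password", "change_phone"}


@dataclass(frozen=True)
class LoginContext:
    device_id: str
    country: str
    hour_utc: int
    action: str


@dataclass(frozen=True)
class UserHistory:
    known_devices: frozenset
    usual_countries: frozenset
    active_hours: range        # hours (UTC) at which the user normally signs in
    enrolled_methods: tuple    # in the user's own preference order


@dataclass(frozen=True)
class Decision:
    assurance: Assurance
    reasons: tuple   # plain-language explanations to show to the user
    methods: tuple   # acceptable methods, preferred first; empty = no extra step


def assess(ctx: LoginContext, hist: UserHistory) -> Decision:
    """Compare the attempt with the user's past behaviour and decide."""
    reasons = []
    if ctx.device_id not in hist.known_devices:
        reasons.append("We noticed a login attempt from a new device.")
    if ctx.country not in hist.usual_countries:
        reasons.append("We noticed a login attempt from a new location.")
    if ctx.hour_utc not in hist.active_hours:
        reasons.append("This sign-in is at an unusual time for your account.")

    sensitive = ctx.action in SENSITIVE_ACTIONS
    if sensitive:
        reasons.append("Changing payees or security settings always needs an extra check.")

    # Everything matches the past and the action is routine: don't ask for more.
    if not reasons:
        return Decision(Assurance.LOW, (), ())

    # One anomaly on a routine action: one extra factor, user picks the channel.
    # Two or more anomalies, or a sensitive action: strongest enrolled method.
    level = Assurance.HIGH if (sensitive or len(reasons) >= 2) else Assurance.MEDIUM

    methods = list(hist.enrolled_methods)
    if level is Assurance.HIGH:
        strong = [m for m in methods if m in PHISHING_RESISTANT]
        # Assumption for the example: a user with no phishing-resistant method
        # keeps the full list rather than being locked out; a real deployment
        # would prompt enrolment instead.
        methods = strong or methods
    return Decision(level, tuple(reasons), tuple(methods))


def fallback_after_failure(decision: Decision, failed: str) -> tuple:
    """Next method to offer when one fails, plus the prompt to show."""
    remaining = [m for m in decision.methods if m != failed]
    if not remaining:
        return None, "We couldn't verify you. Contact support to recover your account."
    nxt = remaining[0]
    return nxt, f"That didn't work. Use {nxt.replace('_', ' ')} instead."


if __name__ == "__main__":
    # Constructed sample history and attempts (not real data).
    hist = UserHistory(frozenset({"dev-a1"}), frozenset({"GB"}), range(6, 23),
                       ("push", "hardware_token", "sms"))
    for ctx in (LoginContext("dev-a1", "GB", 9, "view_balance"),
                LoginContext("dev-a1", "PT", 9, "view_balance"),
                LoginContext("dev-zz", "PT", 3, "add_payee")):
        d = assess(ctx, hist)
        print(ctx.action, d.assurance.name, d.methods, *d.reasons, sep="\n  ")
```

The point of the structure is that every denial carries its own reason, so the screen can say what changed rather than merely that verification is required, and the method list keeps the user’s own ordering so the choice stays theirs even at the highest level.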
Keeping security human-friendly
Zero-Trust policies can sound rigid. Nevertheless, Caleb highlights that human factors are the priority. “Imagine the authentication process guiding you through a stressful moment. Every measure needs to be tested for user comprehension”.
To make authentication human-friendly, the expert suggests using friendly confirmations after the process (“You’re all set – your account is now secure!”) and providing clear fallback options if a method fails (if biometric authentication fails, show “Use password instead”).
Brand association
Some companies see security as a compliance checkbox. However, Caleb believes a well-thought-out Zero-Trust design strategy can improve brand image: “They will associate the brand with safety and care, which is especially important in fintech, healthcare, and enterprise SaaS”.
For example, Wise designs its authentication flow with user convenience as the priority. The mobile version enables quick access through biometric authentication. After auto-lock, the app minimises friction by accepting a passcode or biometric unlock instead of prompting for the password. Finally, Wise offers fallback options, such as email, password, or alternative two-step verification (2SV) methods, when needed.
Integrating resilience into the development cycle
Zero-Trust is a framework that needs to be integrated into the product lifecycle to align security requirements with the design decisions. “Collaboration between security engineers and UX designers is very beneficial when planning the product,” the expert points out.
To accomplish successful integration, Caleb suggests stress-testing flows for user confusion, tracking completion rates of multi-factor authentication (MFA) flows, and adjusting them as user behaviour changes or new types of threats emerge. AI-enabled attacks, for example, are on the rise, so organisations should adapt their authentication processes to address these evolving risks.
With the rise of generative AI, new attack vectors are surfacing, from prompt injection to data leakage through model interactions. Caleb stresses that Zero-Trust UX patterns are equally critical in AI-powered systems. For instance, enterprise AI tools should not only authenticate user access but also contextualise permissions and limit what sensitive data an AI system can surface or generate based on the user’s verified role. Just as with traditional flows, transparency matters: surfacing clear explanations such as “This data is restricted due to compliance policies” can prevent misuse while maintaining user trust. Integrating these principles ensures that AI adoption in enterprises does not outpace the safeguards that keep them resilient.
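As an added example of the role-aware gating described in this paragraph (not code from the article, Kenley, or any vendor), the Python below filters retrieved documents against a principal’s verified role before they are assembled into a model prompt, and returns the plain-language reasons to surface for whatever was withheld. The classification levels, roles, policy categories and sample documents are constructed for the example.

```python
"""Role-scoped retrieval gate in front of an enterprise AI assistant.

Added example for this article. Levels, roles, policy categories and the
sample documents are constructed; none of this is a real product's policy.
"""
from dataclasses import dataclass

# Classification levels, lowest to highest; a role may read at or below its clearance.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
ROLE_CLEARANCE = {"employee": "internal", "analyst": "confidential", "compliance": "restricted"}
# Categories fenced by policy regardless of level: only the listed roles may see them.
POLICY_CATEGORIES = {"pii": frozenset({"compliance"}), "payroll": frozenset({"compliance"})}

COMPLIANCE_MSG = "This data is restricted due to compliance policies."


@dataclass(frozen=True)
class Doc:
    doc_id: str
    label: str
    categories: frozenset
    text: str


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str        # taken from the verified session, never from the prompt text
    verified: bool   # identity checks (including any step-up) passed


def check(doc: Doc, who: Principal) -> tuple:
    """Decide whether one retrieved document may enter the model context.

    Returns (allowed, explanation); the explanation is what the UI shows
    instead of a bare 'access denied'."""
    if not who.verified:
        return False, "Verify your identity before the assistant can use company data."
    if LEVELS[doc.label] > LEVELS[ROLE_CLEARANCE[who.role]]:
        return False, f"This {doc.label} document is not available to the {who.role} role."
    for cat in doc.categories:
        if cat in POLICY_CATEGORIES and who.role not in POLICY_CATEGORIES[cat]:
            return False, COMPLIANCE_MSG
    return True, ""


def gate(docs, who: Principal) -> tuple:
    """Split retrieval hits into model context and withheld (doc_id, reason) pairs."""
    context, withheld = [], []
    for d in docs:
        ok, why = check(d, who)
        if ok:
            context.append(d)
        else:
            withheld.append((d.doc_id, why))
    return context, withheld


def build_prompt(question: str, who: Principal, docs) -> tuple:
    """Assemble the prompt from gated context only; return it with the user notices."""
    context, withheld = gate(docs, who)
    snippets = "\n".join(f"[{d.doc_id}] {d.text}" for d in context)
    prompt = (
        "Answer only from the documents below. If they do not contain the answer, say so.\n"
        f"Documents:\n{snippets}\n\nQuestion: {question}"
    )
    notices = sorted({why for _, why in withheld})   # one notice per distinct reason
    return prompt, notices


# Constructed sample corpus (not real data).
SAMPLE_DOCS = (
    Doc("handbook", "internal", frozenset(), "Expense claims are filed monthly."),
    Doc("q3-forecast", "confidential", frozenset(), "Q3 revenue forecast is up 4%."),
    Doc("payroll-2024", "confidential", frozenset({"payroll", "pii"}), "Alice Smith salary 90000."),
    Doc("board-minutes", "restricted", frozenset(), "Board approved the acquisition."),
)

if __name__ == "__main__":
    analyst = Principal("u42", "analyst", verified=True)
    prompt, notices = build_prompt("What is the Q3 forecast?", analyst, SAMPLE_DOCS)
    print(prompt)
    print("Withheld:", *notices, sep="\n  ")
```

Because the role comes from the verified session rather than from anything the model reads, a prompt injection that asks the assistant to “act as compliance” cannot widen what it sees: withheld text never reaches the prompt at all, and the user is told why in plain language.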
Conclusion
Resilience today means creating systems and experiences that make hacker attacks harder in the first place, without alienating the people for whom those systems are built. “Zero-Trust is about trusting the process you’ve built, knowing it works under pressure and still feels like your product,” Caleb concluded.