Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Security experience

Understanding our security experience principles is a human-centered design product and service with a specific focus on creating an optimal security experience for the public.

Our team leverages the following principles to guide us to create the best security product for the public.

We also leverage the U.S. Web Design System’s design principles to guide our work.

Security experience is everyone’s job

Creating a secure, usable experience is a priority for everyone at We are all responsible for maintaining the integrity of our products and services. We prioritize protecting the public’s data in sync with our practice of continuously improving our product. As users use, we should ensure their security awareness is raised. We want to affect users to keep their entire digital presence secure, not just their presence. You can read more about our security and privacy practices.

Key considerations

  • Will a change to the visual design or content of our product impact the users’ understanding of the security of the product?
  • What are we doing to keep track of the security implications for any changes made to
  • What are we doing to continue the practice of keeping our data private?
  • Are users given options to show/hide sensitive data?
  • Will a change to visual design or content require storing new data via the server or the browser?
  • Does this change share new data not previously shared? Or share that data with a new audience?
  • Will error states or displayed messages reveal too much information and create a security risk?

The public controls their data, not us.

Users are in control of their data. We prioritize user privacy and do not profit from sharing user data. Personally Identifiable Information (PII) is only shared as needed and all sensitive data is encrypted. Our encryption methods are like putting data in a safety deposit box and only users have the key. Users have the ability to share or hide sensitive information, give or revoke consent to share that data or delete that data at any time.

Key considerations

  • Are users aware of what data they are sharing, who they are sharing it with and how it is used?
  • Is language around consent for sharing their data written in plain language and accessible?
  • Does the public understand that they have the right to revoke consent of the sharing of their data?

Simple, secure login for everyone.

Using our product is simple and secure. Whether users interact with our product once or multiple times a day, their experience with will be seamless. Design and content facilitates ease of use and allows users to focus on the task they are trying to complete with our partner agencies.

Key considerations

  • Is our design and content helping or hindering users from completing the task at hand?
  • Are we consistently testing our designs and content with the public?
  • Are we looking for things to remove or streamline to help users quickly get on their way to the partner site?
  • Are we guiding users with low security awareness towards the most secure options?