Skip to main content
U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Security Experience Principles

Login.gov is a human-centered design product and service with a specific focus on creating an optimal security experience for the public.

Our team leverages the following principles to guide us to create the best security product for the public.

We also leverage the U.S. Web Design System’s design principles to guide our work. You can read more about those on their website.

Security experience is everyone’s job.

Creating a secure, usable experience is a priority for everyone at Login.gov. We are all responsible for maintaining the integrity of our products and services. We prioritize protecting the public’s data in sync with our practice of continuously improving our product. As users use Login.gov, we should ensure their security awareness is raised. We want to affect users to keep their entire digital presence secure, not just their Login.gov presence. You can read more about Login.gov’s security and privacy best practices here.

Key considerations

  • Will a change to the visual design or content of our product impact the users’ understanding of the security of the product?
  • What are we doing to keep track of the security implications for any changes made to Login.gov?
  • What are we doing to continue the practice of keeping our data private?
  • Are users given options to show/hide sensitive data?
  • Will a change to visual design or content require storing new data via the server or the browser?
  • Does this change share new data not previously shared? Or share that data with a new audience?
  • Will error states or displayed messages reveal too much information and create a security risk?

The public controls their data, not us.

Users are in control of their data. We prioritize user privacy and do not profit from sharing user data. Personally Identifiable Information (PII) is only shared as needed and all sensitive data is encrypted. Our encryption methods are like putting data in a safety deposit box and only users have the key. Users have the ability to share or hide sensitive information, give or revoke consent to share that data or delete that data at any time.

Key considerations

  • Are users aware of what data they are sharing, who they are sharing it with and how it is used?
  • Is language around consent for sharing their data written in plain language and accessible?
  • Does the public understand that they have the right to revoke consent of the sharing of their data?

Simple, secure login for everyone.

Using our product is simple and secure. Whether users interact with our product once or multiple times a day, their experience with Login.gov will be seamless. Design and content facilitates ease of use and allows users to focus on the task they are trying to complete with our partner agencies.

Key considerations

  • Is our design and content helping or hindering users from completing the task at hand?
  • Are we consistently testing our designs and content with the public?
  • Are we looking for things to remove or streamline to help users quickly get on their way to the partner site?
  • Are we guiding users with low security awareness towards the most secure options?