A really interesting article from Abhishek Jain about certain issues with security features on digital services. He points out that some small fragments like "show password" have a big impact on the experience on security. So before you should start to designing security systems have this in mind:
Understand the user context for the product through research
(This includes the frequency of use )
Use cognitive principles to make the usage of security features less painful. So users won't try to avoid them.