Affordances in Software Engineering
Module 4 of 6 Intermediate 40 min

Anti-Affordances and Designed Friction

Prerequisites: affordance-theory-for-engineers, code-as-communication, system-architecture-affordances

What You'll Learn

Why This Matters

Most engineers arrive at interface design with one dominant instinct: remove friction. Make the API simpler. Add the convenient shortcut. Eliminate the extra parameter. This instinct is right about some friction, and catastrophically wrong about other friction.

When friction is unproductive — when it imposes cognitive overhead without offering safety in return — eliminating it is correct. But some friction is load-bearing. It prevents a class of bugs, signals an incorrect usage pattern at compile time, or makes dangerous actions require deliberate intent rather than accident. Remove that friction and you have not improved the interface; you have made it easier to fail.

This module gives you a framework for telling the difference. By the end, you will be able to look at any interface constraint and ask a precise question: Is this friction protecting against a real failure mode, or is it just overhead? The answer determines whether you preserve it, redesign it, or remove it.

Core Concept

Anti-Affordances Are Authored, Not Accumulated

An anti-affordance is an intentional design choice that prevents or makes undesirable actions difficult. The keyword is intentional. Anti-affordances are deliberate; they are authored by a designer who decided that a specific action should be hard, impossible, or explicitly guided toward alternatives.

This is worth stating precisely because the term could be confused with a different phenomenon: affordance degradation, the unintentional erosion of an affordance over time. When an API that once communicated its intended use clearly becomes confusing due to convention drift or documentation rot, that is not an anti-affordance — it is affordance degradation producing unproductive friction as a side effect. The shared contract captures this distinction in a single phrase: anti-affordances are authored; affordance degradation is accumulated.

Every time you see a constraint that makes something hard to do, ask whether it was designed that way. If yes, you are looking at an anti-affordance. If the hardness arose through neglect, drift, or time, you are looking at affordance degradation. These require opposite responses. Anti-affordances should be understood and potentially preserved. Affordance degradation should be diagnosed and repaired.

The Pit of Success

The "pit of success" principle, articulated by Rico Mariani at Microsoft, inverts the usual design frame. Instead of asking "How can I make the correct path easier?", it asks "How do I design so that engineers fall into the correct path without effort, while the wrong path requires deliberate work to reach?"

A pit of success design has three properties:

In practice, pit of success design is implemented through three mechanisms that you've seen in prior modules. Physical constraints — enforced by language or runtime — make incorrect usage a compile-time or type error. Logical constraints — enforced by protocols and API contracts — require explicit parameters or authorization before actions can proceed. Cultural constraints — enforced by team conventions and tooling — make incorrect usage socially visible through code review, linter warnings, or deprecation signals.

Norman's Three Forcing Functions

Don Norman identifies three types of forcing functions — design mechanisms that constrain behavior to prevent incorrect sequences or dangerous actions. These translate directly to software:

Interlocks enforce sequence. An action cannot proceed until a prerequisite action is complete. In software: a method that requires an authorization token before a mutation can happen; a CI pipeline that requires tests to pass before a merge is permitted; a transaction scope that must be opened before data can be written.

Lock-ins prevent premature exit from a state. In software: a database transaction that holds a lock until explicitly committed or rolled back; a builder pattern that requires a terminal build() call before producing an object; a compiler that rejects code with an open resource that has not been closed.

Lockouts prevent access to certain states entirely. In software: a permission-scoped method that only exists on an elevated credential object; an immutable return type that provides no mutation methods whatsoever; a type union that makes an invalid state unrepresentable.

Each of these is a form of productive friction: resistance that guides engineers toward correct usage. The friction is not incidental — it is the mechanism through which the design communicates "you must do X before Y" or "you cannot reach this state from here."

Productive vs. Unproductive Friction

Friction is neutral. It describes resistance, not valence. What matters is whether the resistance serves a protective purpose.

Productive friction resists an action because that action represents a real failure mode. The resistance is proportional to the risk: compile errors for type mismatches prevent runtime bugs; required authorization parameters prevent security bypasses; deprecation messages with migration guidance signal required upgrades.

Unproductive friction resists an action without offering protection in return. An API that requires six configuration parameters when three would suffice. A required parameter that always takes the same value. A permission check that runs on a method that has no security implications. This friction imposes overhead without preventing failure. It is waste.

The test for productive friction is direct: Does this resistance protect against a real failure mode? If yes, the friction is load-bearing. If no, it is overhead. When you cannot answer this question about a constraint in your own code, that is a sign the constraint should be examined — and possibly removed.

Anti-Affordances Communicate Intent

A well-designed anti-affordance does not only prevent the wrong action; it guides the engineer toward the right one. This is the difference between an anti-affordance and an obstacle.

A @Deprecated annotation is an anti-affordance. It makes a method uncomfortable to use by surfacing a compiler warning. But the strongest form of this annotation includes a migration message: @Deprecated("Use PaymentClient.refund(RefundAuthorization) instead"). The anti-affordance says: not this; here is what instead. That is communicative design.

A compile error is an anti-affordance. A compile error with a specific, actionable message is a better one. The error prevents incorrect usage; the message guides toward correct usage. Both halves matter.

Concrete Example

The PaymentService library has a refund() method. Here is the version designed without an anti-affordance:

// Poor affordance
class PaymentClient {
  refund(transactionId: string, isAdmin: boolean): Promise<PaymentResult> {
    if (!isAdmin) {
      throw new Error("Unauthorized");
    }
    return this.processRefund(transactionId);
  }
}

This design affords misuse. The isAdmin boolean is a flag that any caller can set to true. Copy-paste errors will propagate it. In a codebase where refunds are processed in multiple places, some callers will hardcode true because they saw another call that way. The check is in the implementation, invisible at the call site. The method signature says nothing about authorization requiring an escalated credential — it just accepts a boolean.

Now the designed version:

// Strong affordance
class PaymentClient {
  refund(
    transactionId: string,
    authorization: RefundAuthorization
  ): Promise<PaymentResult> {
    return this.processRefund(transactionId, authorization);
  }
}

The RefundAuthorization object — a physical constraint — makes unauthorized refunds impossible without explicit permission elevation. You cannot call refund() by accident with elevated privileges. You must have obtained a RefundAuthorization from wherever the authorization system produces them. The constraint is visible at the call site: every call to refund() must supply authorization. There is no true to copy-paste.

This is the pit of success applied to a security boundary. The correct path (obtain authorization, then refund) is the only path. The wrong path (refund without authorization) requires actively working around the type system.

Now compare the LegacyPaymentClient handling. The platform team has decided this class should not be used in new code. Here are two approaches:

// Poor affordance
class LegacyPaymentClient {
  // Prefer PaymentClient for new implementations
  charge(amount: number, currency: string): Promise<void> { ... }
}

The comment is documentation, not a constraint. Engineers who do not read comments will keep using LegacyPaymentClient. Engineers who read code in autocomplete menus will not see the comment at all.

// Strong affordance
/** @deprecated Use PaymentClient instead. See migration guide: docs/migration/v3.md */
class LegacyPaymentClient {
  charge(amount: number, currency: string): Promise<void> { ... }
}

The @Deprecated tag — a logical constraint expressing cultural pressure — surfaces a compiler warning at every call site. It does not block usage (a lockout would do that), but it makes the usage visible and uncomfortable, guiding migration without forcing it. The annotation includes a migration path, making the anti-affordance communicative rather than merely obstructive.

Analogy

Child-resistant caps on pharmaceutical bottles are the canonical example of productive friction. The cap is deliberately difficult to open for small hands. Opening it requires a specific technique — push down and turn, or align arrows — that adults learn quickly but small children cannot easily replicate.

This friction accepts a real usability cost. Adults open medication bottles slightly less conveniently. But the tradeoff is explicit: the friction prevents accidental poisoning. The designers calculated that the cost (minor inconvenience for adults) is worth the protection (preventing a deadly failure mode). No one would argue for removing the cap's friction on grounds that it slows down users.

The RefundAuthorization parameter is the same tradeoff. It makes every call to refund() slightly more verbose — engineers must obtain and pass the authorization object. But the friction prevents a real failure mode: unauthorized refunds. The extra parameter is the "push down and turn" of API design.

The analogy breaks down in one place: pharmaceutical caps are a blunt instrument. They slow down everyone, including people with arthritis who genuinely struggle. This is why over-designed anti-affordances are a real problem — friction calibrated to the wrong audience or protecting against a non-existent failure mode is waste, not safety. More on this in Common Misconceptions.

Going Deeper

The Cost Calculation Is an Engineering Decision

Anti-affordances are tradeoffs, not free wins. Every constraint imposes a usability cost on the engineers who use the interface. The engineering decision is whether that cost is worth the protection.

This calculation has three variables: the probability of the failure mode the constraint prevents, the severity of the failure (how bad is it when it happens?), and the cost of the friction imposed. A physical constraint that prevents a low-probability, low-severity bug while imposing significant overhead every day is probably miscalibrated. A physical constraint that prevents an infrequent but catastrophic security breach at the cost of one extra parameter is almost certainly worth it.

Making this calculation explicit is part of the engineer's job when designing an interface. Write it down. The RefundAuthorization parameter exists because unauthorized refunds are financially catastrophic; the verbosity overhead is small. That reasoning belongs in a comment or an ADR, not in someone's head. When the constraint is questioned later, the reasoning must be available — otherwise constraints get removed because they are inconvenient, and the failure mode they prevented becomes real.

Anti-Affordances at the Architectural Level

Anti-affordances are not limited to method signatures. Service boundaries function as anti-affordances when they enforce network-level separation: a microservice that communicates only through an event bus makes direct database access impossible for other services — a lockout enforced not by a type but by topology. Infrastructure-as-code configurations can prohibit production writes without an approval workflow — an interlock encoded in deployment infrastructure.

Module 03 covered these mechanisms as constraints. The point here is the same: when those constraints are deliberate, they are anti-affordances functioning at the architectural scale. When they arise from drift or accident, they are affordance degradation.

The Forcing Function as Communication

The strongest forcing functions communicate not just "you cannot do this" but "here is the path forward." A transaction that must be committed or rolled back tells engineers: there is no exit from this state without resolution. A build pipeline that requires tests tells engineers: untested code does not exist in this codebase. These constraints encode team values in system structure. Engineers who are new to the codebase learn the values by encountering the constraints — a form of documentation that cannot be ignored.

Common Misconceptions

1. Anti-affordances and affordance degradation are the same thing.

This is wrong. Anti-affordances are intentional: a designer made a deliberate choice to make an action difficult. Affordance degradation is unintentional: a system's ability to communicate correct usage has eroded over time through neglect, convention drift, or documentation rot. Confusing them leads to wrong responses — treating a deliberate constraint as a bug to fix, or treating an accidental obstacle as a legitimate design choice. The question to ask is always: was this friction authored, or did it accumulate?

2. More friction always means more safety.

This is wrong. Over-constrained APIs that prevent legitimate usage patterns are themselves a form of affordance failure. If PaymentClient.refund() required not just a RefundAuthorization but also a notarized approval, a secondary authorization from a different system, and a time-window check — engineers would route around it. They would find another path: a lower-level API, a database write, a workaround that bypasses all the safety checks. Anti-affordances that are disproportionate to the failure mode they prevent do not produce safety; they produce creative circumvention. The pit of success leads to the right success, not to an inaccessible success that engineers give up on.

3. Productive friction only shows up as compile errors.

Compile errors are one form of productive friction, but far from the only one. Code review gates that require a second approval before deploying to production — a cultural constraint — are productive friction. A @Deprecated annotation that creates a visible warning without blocking compilation is productive friction. An event schema that requires an explicit version field makes consumers handle versioning correctly — productive friction encoded in a data contract. Productive friction shows up at every layer: in type systems, in tooling, in process, and in team culture. Physical constraints are not the only mechanism.

Check Your Understanding

  1. The PaymentService team adds a convenience method: refundWithoutAuth(transactionId: string). It skips the RefundAuthorization requirement for "low-risk, small-amount refunds." What problem does this create, and how does it relate to the pit of success?
Reveal answer The convenience method creates a pit of failure alongside the pit of success. Engineers who encounter both methods will route toward the one that requires less work — `refundWithoutAuth` — regardless of the risk level. Copy-paste patterns will spread its use to cases that are not low-risk or small-amount. The anti-affordance in `refund()` is now circumventable by the mere existence of the simpler alternative. Pit of success design requires that the correct path be the path of least resistance; if there is an easier alternative, it becomes the default. The correct fix depends on the use case: either make low-risk refunds use a distinct type (e.g., `SmallRefundAuthorization`) with its own escalation path, or eliminate the bypass entirely and make the authorization lighter to obtain.
  1. Identify which of Norman's three forcing function types applies to each of these patterns: (a) a TypeScript readonly modifier on a returned object, (b) a database migration tool that requires running db.beginTransaction() before any write operations, (c) an API method that only exists on an AdminClient class, not on the base PaymentClient.
Reveal answer (a) `readonly` is a **lockout** — it prevents access to a class of actions (mutations) entirely. The engineer cannot mutate the object; the type system makes it unrepresentable. (b) `db.beginTransaction()` as a prerequisite is an **interlock** — it enforces sequence. You cannot write before opening a transaction; the transaction must be opened before the write can proceed. (c) A method that only exists on `AdminClient` is a **lockout** — engineers who do not hold an `AdminClient` reference cannot reach the method at all. The elevated credential is required to obtain the reference.
  1. A team argues: "We should remove the RefundAuthorization requirement because it slows down engineers and they end up just creating dummy authorization objects to get past it." How do you evaluate this argument through the anti-affordance lens?
Reveal answer The argument is describing a real problem: if engineers are creating dummy authorization objects, the anti-affordance has failed to protect against its intended failure mode. But the conclusion — remove the constraint — may be wrong. The right diagnostic question is: *why* are engineers creating dummy objects? If the authorization system is genuinely cumbersome to use correctly (perhaps `RefundAuthorization` is hard to obtain in tests or internal tools), the problem is the authorization *obtaining* mechanism, not the requirement to have one. The fix is to make legitimate authorization easier to obtain, not to remove the protection. If, on the other hand, the `RefundAuthorization` requirement genuinely protects nothing meaningful — if any engineer can get one trivially and there is no actual security boundary — then the anti-affordance is unproductive friction and should be reconsidered.
  1. You are reviewing a pull request. The change adds a required requestId: string parameter to every method in PaymentClient for idempotency. Is this productive or unproductive friction? What information would you need to decide?
Reveal answer You need to know whether idempotency failures are a real and significant failure mode for this system. If the `PaymentService` is called in contexts where network failures and retries are common (mobile clients, unreliable networks, distributed systems), requiring an idempotency key is productive friction — it prevents duplicate charges, which is a financially severe failure. If the service is called only from server-side, synchronous, single-caller contexts where retries never happen, the parameter imposes overhead without protecting against a real failure. Also relevant: how easy is it for callers to generate a valid `requestId`? If it requires a specific format or is hard to generate correctly, the friction may exceed its protective value. Productive friction is proportional to risk.
  1. What is the difference between an anti-affordance and a bug?
Reveal answer An anti-affordance is intentional. A designer chose to make an action difficult or impossible because doing so prevents a failure mode. A bug is unintentional — behavior that departs from what the system was designed to do. In practice, the two are sometimes confused: a constraint that prevents a valid use case may look like a bug to the engineer blocked by it. The distinguishing question is: was this designed? If the constraint was deliberate — documented in an ADR, expressed as a `@Deprecated` annotation, implemented as a required type parameter — it is an anti-affordance worth understanding before removing. If it arose from an oversight or implementation error, it is a bug. Removing anti-affordances without understanding why they were designed is how failure modes get reintroduced.

Key Takeaways

References