There’s an enormous misconception that security means turning everything off and locking it up. The problem is that when you do that, your data, devices and systems become unusable.
Security is not synonymous with difficulty, and usability does not necessarily mean insecure.
You can have good security and usability – in fact, that is something we should strive for.
Deliver on the expectation of good user experiences
In the past we were far more tolerant. In the past, you had to wind up a car to start it. Today you press the ignition button and you’re off to the races.
Or, consider how our entertainment viewing experiences have changed. In the good old days, we used to go out to buy or rent a DVD. We came home, plugged it into a box and played the movie. Now we point our device to a URL, scroll through hundreds of movies and click on one.
We’ve made things easy for ourselves, which has made us more demanding. People today want things now and expect them to just work – and it can’t be buggy.
I think I would scream blue murder if my Game of Thrones stopped playing.
Don’t make security an option, make it so
Organizations that want to ensure security while enabling usability should create solutions that are secure by default. Make sure that systems are designed for security within them rather than bolted onto them. And make sure encryption is turned on by default.
This approach prevents users from turning off security features. When devices don’t perform as expected, the first thing to go is security. People tend to value availability over factors like integrity and confidentiality of data. Yet people also are quite concerned when others use their credit cards. So, by default, organizations need to implement security.
One of the things we do to make our hardware security modules secure by default is to divide credentials for access. A loose analogy is the Horcruxes in Harry Potter. Voldemort gets put together when all the cardholders come together. But, in the case of security, it’s a good thing.
If you’re a financial organization, how do you prevent the insider attack where worker Bob can steal everything if he’s got the key? The way we solve that is by using secret sharing, where keys are split into separate fragments and distributed amongst a group. That way, you have to persuade multiple people to get access, so Bob can’t function on his own.
Employ password managers and two-factor authentication
Passwords are a commonly used facet of security, but they can be hard to remember. As passwords get longer and multiply, people end up writing them on sticky notes. That results in a less-than-secure solution because then other people can read the passwords.
Kevin Mitnick, one of the greatest social engineer hackers, suggests using a password manager. The famed hacker-turned-cybersecurity advisor explains that a password manager stores passwords in a secure way. Passwords provide security. Password managers make life easier.
Two-factor authentication delivers an added layer of security. And apps like Google Authenticator and Microsoft Authenticator can be used as a second factor to authenticate users.
These apps are preferable to two-factor authentication (2FA) that relies on SMS confirmation. The problem here is that SMSs are based on Signaling System 7 (SS7). SS7 is a legacy telephone network technology that is easily hackable. That’s a landmine you don’t want to step on.
Also, the process for getting new SIMs is not very secure. I could call a cellular provider, say I am you, and request a new phone number. Then if I log into something, the SMS verification message comes to me. It’s relatively easy to do these SIM swapping attacks, so education is key. So is avoiding SMS-based 2FA.
Appreciate the user workflow and assess the risk
To understand usability, you have to appreciate what people are trying to do and make it easier for them. Rather than giving them lots of tasks and decisions to make, you need to make things simple. That’s why user interface design is so important.
When designing security controls, you can draw thick red lines around things to keep people away. But you can strike a better balance if you have an appreciation of what users are trying to do, what the risks are and what can go wrong.
Maybe the system locks me out of something minor if I do something wrong. That’s less of a cost than outsiders getting into the system, elevating privilege and gaining access to secrets.
You have to cut your cloth to fit. Threat analysis and costing of the impact can let you do that.
Just do it – make it work
Consumer expectations and the move to the cloud are making things easier to use. And it’s way easier to do things in software than on physical devices. But the risk is much greater.
However, people don’t want to have to enter a bunch of codes to watch a movie. But they will complain if something goes wrong, so you’ve got to build in security and make it easy.
Usability and security actually go hand in hand. If you have usability, by default you should have security designed into it. You’ve got to make it transparent to users and just make it work.