Why usability vs security is not a tradeoff

Since 2014, I have been working on the security of mobile and web applications. Many times I heard from different people and in a different context about the “usability vs security tradeoff”, and from the very beginning I saw this as some kind of catch. In this post I will tell you what kind of tradeoff it is and why, in fact, it is worth giving up on it for a long time.
image

What it is

Usability vs security tradeoff usually means the following pattern: the safer the process, the more inconvenient it is.

image

I will explain with simple examples what is meant:

  • Password qwerty – convenient, insecure. A long password with different characters is safe, inconvenient.
  • Running the code right away in production is convenient, unsafe. Checking it with security tools and conducting an audit is safe, inconvenient.
  • Crossing the street whenever you want is convenient, unsafe. Crossing the street to green is safe, uncomfortable.
  • As you can see, we can talk not only about software, but under “convenience” various parameters can be hidden. Nevertheless, the pattern is obvious.

What could go wrong

In practice, the user is often not ready to accept the inconvenience and replaces the “safe, uncomfortable” process with “unsafe, less inconvenient”:

image

  • It is difficult to remember a long password with characters of different registers, so it is one for all accounts in social networks and online stores. Some of them accurately store passwords in plain text and either lose them or sell them. Including, I remind you, our password for everything.
  • The IS Department has obliged developers to run the code with a security verification tool. But the tool every time gives a bunch of vulnerabilities, it is not clear where the old, where the new. As a result, no one corrects them.
  • The traffic light is set incorrectly, it takes a very long time to wait for the green one, while there are no cars, and people decided to switch to red.

A safe, inconvenient process will not give security if not used. The difficulty is that we cannot decide for the user what to do. We can offer a process that we think is right. Whether or not to follow this process is the user’s choice.

What to do

First of all, you need to turn back to the forest, and to the user in front. It’s strange to even offer the user a “safe, uncomfortable” process, because our job is to organize a convenient one. Let’s give up the idea that in order to get security, you need to sacrifice usability, and try to combine them in one solution.

image

Our examples will then take the following form:

  • We do not offer the user to remember many long passwords. We suggest that he use the key manager and remember one strong master password. Ideally, the key manager should be built into the browser so that it does not have to be copied every time.
  • The security tool monitors which vulnerability is old and which is new, and displays them separately. The user sees the history of work with this vulnerability and understands the context. Work has become easier, vulnerabilities are eliminated.
  • The traffic light time is calculated taking into account the flow of cars and people, no one has to wait long.

To get such a result, we had to abandon the arrogant thought that the user, by his stupidity, refuses a safe solution. On the contrary, the user, because of his rationality, chooses the solution that is more convenient for him. And our task is to make it safe.

The correct mindset

The idea that security is not combined with usability is still heard quite often. Some go further and make the statement that a truly safe process will always be inconvenient, which means that it is available only to specialists. I think this approach is fundamentally wrong.

Security is a mass market. You can’t be sure of the safety of your social networks if your friends have a qwerty password: an attacker will write to you on their behalf and your money will be in danger. Accordingly, safe ways of storing passwords (as well as other tasks) should be accessible to the average user.

Gradually, more and more responsibility falls on mobile and web applications: everyone has banking applications on smartphones, and someone else has crypto wallets. We can prevent stupid and offensive loss of funds only if we initially think about security and convenience as complementary things. An inconvenient process cannot be safe because the user will not follow it.

Posted by Ivan Ivanitsky, Lead Analyst, Solar appScreener

Similar Posts

Leave a Reply