The Security Panacea: Striking Balance with Usability

I sat down with Manuela Marques, tyntec’s Product Marketing Director and Isaac Potoczny-Jones, CEO of Tozny, a leader in multi-factor authentication systems, to discuss the common mistakes brands make with security and provide insight on how brands can balance security and usability.

When thinking about the state of security amongst consumer-facing brands, do you think they’re doing enough to protect consumer information?

Isaac (Tozny): Security is an investment that takes a lot of discipline for brands because it’s invisible until something goes wrong. Brands prioritize getting products to market, pushing features, and increasing sales — security is often an afterthought. But once there’s a breach, it’s a much more costly problem to fix. Before the breach, you just had to plug the hole, after the breach you have to plug the hole, perform an investigation, inform impacted users, help them recover their privacy (which is often impossible), and even pay fines in some industries.

Manuela: Striking a balance between convenience and security is vital for long term success. In some ways, it’s a false dichotomy — when usability decreases too much, so will security because end users tend to work around usability issues, which in turn causes security problems. I think the best solution is getting security integrated into the product design cycle way earlier. Security measures should be part of usability testing for every product, and we in the security community should strive to implement easier-to-use security measures.

We’ve seen several catastrophic security breaches over the years, is there a common issue at play?

Isaac: One pattern is lack of two-factor authentication. In the cases of the Target and Home Depot data breaches, the original vulnerability was related to third party passwords or credentials stolen by the attackers. Two-factor authentication, like SMS one-time passwords, could have protected those systems to a large extent.

At the same time, attackers are becoming increasingly automated. And human beings can’t be as mechanical as the attackers — we are going to make mistakes because we are human. We’re literally asking people to memorize complicated passwords — 10 digit, mixed case passwords, which have to be different for every single site — this is challenging for a lot of people. And very few security regulations acknowledge that they are asking users to do the impossible.

What about security regulation?

Isaac: I think there’s going to be a lot of confusion around regulation that discourages good security. The UK just passed a rule saying that secure products have to hand over crypto keys, but the most secure products actually are designed to make this impossible (since having a back door makes key management much harder). The US drafted similar legislation, but it didn’t go anywhere. These rules will definitely discourage good security, which frankly is hard enough, since companies and developers will be have to get their lawyers to tell them whether something is “too secure” to be legal.

Do you think two-factor authentication will one day become a requirement?

Isaac: Many organizations are adding two-factor authentication to their products, but most of them don’t turn it on by default. But most users do indeed keep most defaults; that’s a rule for usability that’s been known for a long time. We need to start having “security by default” or we just won’t have security. Considering security by default will also force the issue and design the experience better.

In the US, it’s very unusual to require security as a matter of law for commercial entities, particularly for specific solutions like 2FA. I don’t think that will change any time soon.

Manuela: I believe making two factor authentication optional is a no-go, authentication should be an intrinsic part of the customer journey. If it were on default, two things would happen: One, more users would have it on; two, brands would really consider, from the get-go, the usability of two factor authentication and how they could make it easier.

Currently, many brands are not very context-aware about how they integrate authentication measures, often resulting in broken user experience.

For example, when a user tries to change her account profile on your mobile app, but can’t remember her password, you pretty much know the user is on her mobile device, most likely a mobile phone these days; which means a phone-based authentication method, such as phone number information and 2FA SMS, might be a better choice, rather than sending her an email.

With changes ahead and new innovative products to market, it’s critical for the industry to address one of the most pressing issues of our time: balancing usability and security to protect our consumers, employees, networks and brands.

How can brands compete on usability while maintaining an excellent level of security?

Isaac: I agree with Manuela that this is a false dichotomy. Security and usability go hand-in-hand. At the earliest possible stage of product development, brands should identify security goals, and of course I think more brands should strive for excellent security. Once security goals are set, the team should identify system requirements to implement those goals, but when it comes to user experience, don’t just “make do” with typical approaches. Explore the design space hand-in-hand with security experts to reduce friction in security processes just like every other process. For instance, make enabling 2FA the easy option; explore alternate methods like geo location, biometrics, and push-based login; encrypt data by default; design user visibility and privacy in from the ground-up. In the end, the product will be both more usable and more secure.