Security versus usability a conundrum in modern identity management?

Convenience and usability vs. security when dealing with a valuable verified identity

Network World: IoT Hacks [slide-06] > Lateral Attacks > Network access via a single breach point
HYWARDS / Getty Images

I read a LinkedIn post recently which asked that age-old question “is convenience more important than security when it comes to the identity of consumers?”

This question, in some guise or other, has been doing the rounds for as long as I can remember. One of the reasons for the demise of certain technologies has been that they may provide excellent security, but they are too difficult to use. Pretty Good Privacy (PGP) springs to mind as an example.

The basic premise of PGP was solid. An encryption pipeline that secured email messages from sender to recipient - what’s not to like? The technology was used by people who really needed to protect messages almost on pain of death. So, for example, political journalists, whistleblowers, etc. But PGP never really took off commercially, and certainly not amongst the general public. An interesting study from a 2005 USENIX symposium, on the usability of PGP, found that, even though the technology had a seemingly well-designed UI, most users were unable to use PGP to easily encrypt messages.

In 2018, we now have a good grasp of the importance of a good UX and UI. But, when it comes to the security of digital identity, especially identity for the masses, how do we balance usability with security and add in a dash of verification too?

The UX of security

upper case, lower case, capital letter, number

If someone finds it hard to use a function she or he won’t use it. The Nielsen Norman Group do some excellent work in the area of usability of online sites and services. Their work is general online user experience improvement, but they have also analyzed security. In their work which dates back to 2000 on “Security and Human Factors” their advice on password policy, pre-dated the NIST more recent advisory on password complexity by over 15 years. NIST now advise that increasing password policy complexity defeats the object, as it creates a false sense of security.

The UX of security is a vital part of online identity platform design.

You should not have to choose security over usability or vice versa; instead, you find balance. As has often been the case in cybersecurity over the last 30 years, there has been a push towards ‘hardening’ or battening down the hatches. As in the password case above, it seemed like a good idea to apply a password policy that encouraged a user to pick a “strong” password. The result, was instead, a litany of forgotten passwords, passwords written down on paper and left on desks, or even worse, the practice allowing hackers to know exactly how to configure their brute force tools based on the policy “upper case, lower case, capital letter, number”. Since then, solutions like the open source “zxcvbn: realistic password” has opened up options to use passwords that are both usable and secure.

Many aspects of designing the UX of security within a digital identity platform need to have a pragmatic approach to security vs. usability. We should also try and look to past years to learn from our mistakes and see where we can design for better UX and more usable security. Some examples of areas that need to have a design eye view of the system to build great UZ without compromising security are:

  • Second-factor authentication: Offer a choice of 2nd factors not just force one option. For example, allow users to choose from email code, SMS text code, mobile authenticator, passphrase, etc.
  • Risk-based authentication: This is a powerful way to balance security and usability and is at the core of the UX of security. You should be able to apply a system of rules which suppress, or uplift, authentication requirements based on those rules. For example, a user could suppress the need to enter a 2nd factor if a certain device, in a certain geolocation, is used with their identity account.
  • Consent: Consent to share data can be a dynamic exercise when applied to identity data sharing. If using OAuth 2, for example, you can set rules to take consent, once only, for a recurring transaction or have consent taken always on a per transaction basis.
  • Verification: I spoke about this in an earlier post “The Thorny Issue Of Verifying Humans.” Verification is an important aspect in determining the validity of a digital identity. However, it is also a usability hurdle. Getting the balance between a high level of verification and meeting on-boarding targets is a golden chalice in the identity space. To meet this goal, you need to make the registration process for an online identity as easy as possible. This is one of the hardest areas of designing IAM, especially identity for wide demographics.

Can we ever have usable, secure identity systems?

I believe we can, but we have to build a UX for security. Research by Javelin found that in 2017, 16.7 million US consumers were victims of identity theft. The losses amounted to almost $17 billion dollars. As our digital lives become ever-more naturalized we become ever-more dependent on this digital “me.” As designers of digital identity platforms, we need to make sure that the tools at our disposal are as flexible as possible to allow us to create a great UX whilst maintaining the best possible security.

Copyright © 2018 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)