I’ve become very focused on the nexus between security and usability. I was interviewed for an article in The Guardian last year.
“Security needs to learn from design by doing focus groups, having conversations and putting itself in the perspective of the people who will use this system,” he said, adding that it isn’t the security team’s job to make things harder for the user. “Rather than saying, ‘this is what you have to do for security’, you have to balance security and usability.”
I expanded on this topic in a conference session at the O’Reilly Security Conference in New York. The main takeaway from my talk was that those who say “you have to balance security and usability” as an excuse for why one is inferior will be left behind. Businesses now require their digital efforts to have both security and usability at their core. If one lags behind the other, the product will ultimately be surpassed. If a product is insecure, it will ultimately be unusable because it will be hacked or compromised. Similarly, if a product is very secure but unusable, people will avoid using it.
A great example of security and usability is provided by a bank we’re working with overseas. They have a smartphone app that allows you to authenticate to the bank, select an ATM, and choose an amount of money. The app then gives you a one-time code which allows you to walk up to that machine and withdraw that amount of money. You don’t need your card, and you don’t have to worry about your card being stolen or your PIN being observed. The code is valid once, at that machine, for that exact amount of money. You can even use it to effectively wire money to your college student: “You need money for food this weekend? Go to this ATM and type in this code for $40.”
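To make the security half of that flow concrete, here is an added example of what the server side of such a one-time withdrawal code can look like. It is not the bank’s implementation and not code from the original post; the code length (8 digits), the 15-minute validity window, the per-ATM lockout after five failed attempts, and all class and method names are my own assumptions. The point it demonstrates is that the code is bound to the ATM and the amount by a MAC, so it is rejected at any other machine or for any other amount, and it is marked used before the cash is dispensed, so it cannot be replayed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 15 * 60   # assumption: a code is valid for 15 minutes
CODE_DIGITS = 8              # assumption: 8-digit numeric code typed at the ATM
MAX_FAILED_ATTEMPTS = 5      # assumption: lock an ATM after 5 bad codes


@dataclass
class PendingWithdrawal:
    account_id: str
    atm_id: str
    amount_cents: int
    tag: bytes          # HMAC over (atm_id, amount, code); the code itself is never stored
    expires_at: float
    redeemed: bool = False


class WithdrawalCodeService:
    """Hypothetical bank-side service: issues and redeems cardless withdrawal codes."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock                 # injectable so expiry can be tested
        self._pending: dict[str, list[PendingWithdrawal]] = {}   # atm_id -> pending codes
        self._failures: dict[str, int] = {}                      # atm_id -> bad attempts

    def _tag(self, atm_id: str, amount_cents: int, code: str) -> bytes:
        # Binding the ATM and the amount into the MAC is what makes the code
        # useless at any other machine or for any other amount: a different
        # ATM or amount yields a different tag, so the lookup simply fails.
        msg = f"{atm_id}|{amount_cents}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, account_id: str, atm_id: str, amount_cents: int) -> str:
        """Called by the app after the customer has authenticated. Returns the code to display."""
        if amount_cents <= 0:
            raise ValueError("amount must be positive")
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        rec = PendingWithdrawal(
            account_id=account_id,
            atm_id=atm_id,
            amount_cents=amount_cents,
            tag=self._tag(atm_id, amount_cents, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        self._pending.setdefault(atm_id, []).append(rec)
        return code

    def redeem(self, atm_id: str, amount_cents: int, code: str):
        """Called by the ATM. Returns (account_id, None) on success or (None, reason)."""
        if self._failures.get(atm_id, 0) >= MAX_FAILED_ATTEMPTS:
            return None, "atm locked out"   # blunt brute-force protection on an 8-digit code
        now = self._clock()
        candidate = self._tag(atm_id, amount_cents, code)
        for rec in self._pending.get(atm_id, []):
            # constant-time compare so the ATM cannot probe the tag byte by byte
            if hmac.compare_digest(rec.tag, candidate):
                if now > rec.expires_at:
                    return self._fail(atm_id, "expired")
                if rec.redeemed:
                    return self._fail(atm_id, "already used")
                rec.redeemed = True         # mark used before dispensing: strictly one shot
                self._failures[atm_id] = 0
                return rec.account_id, None
        return self._fail(atm_id, "no such code for this ATM and amount")

    def _fail(self, atm_id: str, reason: str):
        self._failures[atm_id] = self._failures.get(atm_id, 0) + 1
        return None, reason


if __name__ == "__main__":
    svc = WithdrawalCodeService(secrets.token_bytes(32))
    code = svc.issue("acct-1", "atm-42", 4000)       # $40 at ATM 42
    print("first redeem:", svc.redeem("atm-42", 4000, code))
    print("replay:", svc.redeem("atm-42", 4000, code))
    print("wrong amount:", svc.redeem("atm-42", 5000, code))
```

Two design choices worth noting. The server stores only the MAC tag, so a leaked pending-withdrawal table does not reveal usable codes. And the failure counter is per ATM rather than per code, because the attacker in this model is someone standing at a machine guessing, not the legitimate customer.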
I’m always interested in hearing stories of successful usable security – as well as horror stories about unusable security. I invite you to contact me with your stories!