Usability for Security

A common information security axiom is that deciding how to harden something is always a compromise between usability and security. More usability means less security. More security means less usability.

An obvious example is usernames and passwords for operating system accounts and online services. Ordinary people have had to remember passwords for online services since use of the web exploded in the 1990s. By the first decade of the 21st century, most adults in the developed world had to use multiple sets of authentication credentials for numerous social networking sites, online banking, and e-commerce sites such as Amazon.

Easily remembered passwords are more usable but much easier to crack, as they typically are a word or phrase and a series of numbers tied to important dates. More complex passwords take a lot more time and effort to crack, but they’re difficult to remember and less usable. Ideally, end users should use a different password for each service they authenticate with, and change those passwords every few months or so.

However, that’s challenging even for a cybersecurity professional. Password management programs make doing all that much easier by letting the user have one set of credentials to unlock all of their other credentials. But then you have one point of attack to authenticate everything a user has online.

But lately, I can think of a few ways in which usability and security are friends rather than foes.

Earlier this year, I wrote about a few security vulnerabilities that were due to bad UX design. Good UX design makes applications easier for people to use. It can also make it easier for end users to configure applications securely.

There was a flaw in the ASUSWRT firmware GUI, which is used by multiple ASUS home router models. Even if “Enable Web (Read more...)

*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Kim Crawley. Read the original post at: https://threatmatrix.cylance.com/en_us/home/usability-for-security.html