Why convenience vs security is not a tradeoff

Since 2014, I have been working on the security of mobile and web applications. I have heard many times, from different people and in different contexts, about the “usability vs security tradeoff”, and from the very beginning it struck me as a kind of catch. In this post I will share my view on why this is not a tradeoff at all, and why the idea should have been abandoned long ago.


What it is

The usability vs security tradeoff usually means the following pattern: the more secure the process, the more inconvenient it is.


A few simple examples show what is meant:

  • The password qwerty is convenient but insecure. A long password made of varied characters is secure but inconvenient.
  • Pushing code straight to production is convenient but insecure. Checking it with security tools and holding an audit is secure but inconvenient.
  • Crossing the street whenever you like is convenient but unsafe. Crossing only on a green light is safe but inconvenient.

As you can see, this applies not only to software, and “convenience” can hide a variety of parameters. Nevertheless, the pattern is obvious.

What could go wrong

In practice, the user is often not prepared to accept the inconvenience and replaces the “secure, inconvenient” process with an “insecure, more convenient” one:

A secure but inconvenient process provides no security if nobody uses it. The difficulty is that we cannot decide for the user what to do. We can offer a process that we consider right; whether or not to follow it is the user's choice.

What to do

First of all, we need to turn around: back to the forest, face to the user. It is strange even to offer the user a “secure, inconvenient” process, because our job is to build a convenient one. Let's give up the idea that to gain security we must sacrifice usability, and try to combine the two in a single solution.


Our examples will then take the following form:

  • . -. , .
  • , , , . . , .
  • , .

To get such a result, we have to abandon the arrogant notion that the user rejects the secure solution out of stupidity. On the contrary, the user rationally chooses the solution that is more convenient for him. Our task is to make that solution secure.

The correct mindset

The idea that security is incompatible with usability is still heard quite often. Some go further and claim that a truly secure process will always be inconvenient, and is therefore available only to specialists. I think this approach is fundamentally wrong.

Security is a mass-market concern. You cannot be sure of the safety of your own social network accounts if your friends use the password qwerty: an attacker will message you from their accounts, and your money will be at risk. Accordingly, secure ways of storing passwords (and of handling other tasks) must be accessible to the average user.

More and more responsibility is gradually shifting onto mobile and web applications: everyone has a banking app on their smartphone, and some also carry crypto wallets. We can prevent stupid, painful losses of funds only if we think about security and convenience as complementary from the start. An inconvenient process cannot be secure, because the user will not follow it.

Posted by Ivan Ivanitsky, Lead Analyst, Solar appScreener

Source: https://habr.com/ru/post/undefined/
