
Usability vs. Security? It's becoming a dated conundrum

  • Phil Stewart
  • Nov 12, 2023
  • 3 min read

Updated: Nov 13, 2023

Conventional wisdom in security tells us that the more we increase user friendliness, the less secure a solution or system becomes. It's like the old cyber security joke: "Q. What's the definition of a totally secure computer? A. One at the bottom of the ocean, isolated, and encased in a block of concrete!" Tamper proof, most likely, but not very usable!

A recurring discussion point at last month's eCrime & Cybersecurity Congress in London was that new security technologies can actually reduce friction in the consumer journey, particularly in the payments ecosystem.

A particularly good example of this is the EMV 3DS protocol used in Card Not Present transactions when shopping online. Alongside the transaction details it captures, amongst other attributes, the consumer's IP address, browser type and version, screen resolution and device type, which together build up a profile of the consumer. This happens seamlessly in the background and is completely invisible to the end user, allowing the issuer to make an informed judgement as to whether the behaviour falls outside the 'normal' activities for that payer, whether the transaction is therefore deemed risky, and whether the consumer needs to be "stepped up" to an explicit authentication challenge (in 3DS terms, the frictionless flow versus the challenge flow). One caveat worth keeping in mind: these attributes are reported by the consumer's browser or the merchant's app SDK, so a fraudster can spoof them; they are evidence for a risk decision, not proof of identity, which is exactly why the step-up exists.
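To make the "informed judgement" concrete, here is an added example (not code from the original post, and not an issuer's or EMV's own logic) of the kind of risk-based decision an issuer could make from the attributes described above. The cardholder history, the per-attribute weights, the challenge threshold and the IP-prefix comparison are all assumptions chosen for illustration.

```python
"""Toy risk-based authentication decision from 3DS-style device attributes.

Added example, not from the original post. History, weights and threshold
are assumed values, not anything an issuer or the EMV specification defines.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceContext:
    """Attributes of the kind collected in the background during a 3DS flow."""
    ip: str
    browser: str          # e.g. "Chrome"
    browser_version: str  # e.g. "118.0.5993.90"
    resolution: str       # e.g. "1920x1080"
    device_type: str      # e.g. "desktop", "mobile"


def ip_prefix(ip: str) -> str:
    """Compare on the /24 (IPv4) or /48 (IPv6) so a new DHCP lease alone is not 'new'."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))


def major_version(version: str) -> str:
    """Browsers auto-update; only a change of major version is worth noting."""
    return version.split(".")[0]


# Weight added when the attribute has never been seen for this cardholder (assumed).
WEIGHTS = {"ip_prefix": 40, "device_type": 30, "resolution": 15, "browser": 10, "browser_version": 5}
CHALLENGE_THRESHOLD = 50  # assumed; a real engine tunes this against fraud and abandonment rates


def _normalise(ctx: DeviceContext) -> dict[str, str]:
    return {
        "ip_prefix": ip_prefix(ctx.ip),
        "device_type": ctx.device_type,
        "resolution": ctx.resolution,
        "browser": ctx.browser,
        "browser_version": major_version(ctx.browser_version),
    }


def risk_score(ctx: DeviceContext, history: list[DeviceContext]) -> int:
    """Sum the weights of every attribute not seen in this cardholder's history.

    The attributes are self-reported by the browser/SDK, so this is evidence,
    not proof: a high score triggers a challenge rather than a decline.
    """
    if not history:
        return 100  # no baseline to compare against: always step up
    seen: dict[str, set[str]] = {k: set() for k in WEIGHTS}
    for h in history:
        for key, value in _normalise(h).items():
            seen[key].add(value)
    current = _normalise(ctx)
    return sum(WEIGHTS[k] for k in WEIGHTS if current[k] not in seen[k])


def decide(ctx: DeviceContext, history: list[DeviceContext]) -> str:
    """'frictionless': approve silently. 'challenge': step the consumer up (OTP, app approval...)."""
    return "challenge" if risk_score(ctx, history) >= CHALLENGE_THRESHOLD else "frictionless"


# Constructed sample data: two earlier purchases from the same home network and PC.
HISTORY = [
    DeviceContext("203.0.113.10", "Chrome", "118.0.5993.90", "1920x1080", "desktop"),
    DeviceContext("203.0.113.57", "Chrome", "118.0.5993.117", "1920x1080", "desktop"),
]
# Same PC, new lease in the same /24, browser has auto-updated: should stay frictionless.
USUAL = DeviceContext("203.0.113.200", "Chrome", "119.0.6045.105", "1920x1080", "desktop")
# Unknown network, unknown phone: should be challenged.
UNUSUAL = DeviceContext("198.51.100.7", "Safari", "17.1", "390x844", "mobile")

if __name__ == "__main__":
    for label, ctx in (("usual", USUAL), ("unusual", UNUSUAL)):
        print(label, risk_score(ctx, HISTORY), decide(ctx, HISTORY))
```

The design point is that nothing in the decision is visible to a legitimate customer on their usual device, and the cost of a spoofed attribute set is bounded because the worst outcome of a wrong "frictionless" call is a single transaction, not a permanent trust grant.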

Similarly, the use of biometric technologies has increased security while at the same time reducing consumer friction. Many people are familiar with the fingerprint readers present on many tablets and smartphones. These allow consumers to replace passwords with biometric authentication via their fingerprint, or to supplement them where a higher level of security is preferred. Unlike passwords, which can be socially engineered, phished or leaked in a breach and then reused elsewhere, a fingerprint is not something a user can be talked into handing over, and on modern devices the template is typically matched inside secure hardware rather than sent to the service, so authentication via fingerprint is much more secure. [Yes, the author is aware of the multi-factor authentication bypass published recently, but that is an issue of token replay rather than a weakness in the underlying means of authentication itself. For my part, I still think biometrics are much safer than static passwords, simply because, technology aside, passwords will always be subject to social engineering and password hygiene, both of which are in the hands of the end user to some degree.]

Behavioural biometrics are relatively new in practice, although the idea has been around in theory for quite a while. Here a user is profiled by behaviour rather than by physical characteristics. A popular current implementation is keystroke dynamics: capture the typing of a piece of information unique to the user (such as their email address) and record, over time, the rhythm with which they type it, typically the dwell time (how long each key is held down) and the flight time (the gap between releasing one key and pressing the next). This gives a very accurate profile and, crucially, is collected transparently to the end user. A typing rhythm is also not something a user can be tricked into disclosing the way a password can, although it is a probabilistic signal rather than a secret (a recorded session could in principle be replayed), so it belongs alongside a second factor, and in that combination it is highly secure.
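The following is an added example, not code from the original post or from any behavioural-biometrics vendor, of how such a keystroke profile can be built and scored. The enrolment samples and probes are constructed synthetically with a deterministic rhythm, and the standard-deviation floor and acceptance threshold are assumed values; a real deployment would tune the threshold against its own false-accept and false-reject rates.

```python
"""Keystroke-dynamics profiling of a fixed string (e.g. an email address).

Added example, not from the original post. All timings, the std floor and
the acceptance threshold are constructed/assumed for illustration.
"""
from __future__ import annotations

from statistics import mean, pstdev

# One sample = (key, key_down_ms, key_up_ms) for each character typed, in order.
Sample = list[tuple[str, float, float]]


def features(sample: Sample, expected: str) -> list[float]:
    """Dwell time per key plus flight time between consecutive keys.

    Samples that do not spell the enrolled string are rejected, so the
    timings of two different texts are never compared with each other.
    """
    typed = "".join(key for key, _, _ in sample)
    if typed != expected:
        raise ValueError("sample does not spell the enrolled string")
    dwell = [up - down for _, down, up in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return dwell + flight


MIN_STD_MS = 10.0       # assumed floor: one very consistent feature must not dominate the score
ACCEPT_THRESHOLD = 1.5  # assumed: mean |z| below this counts as the enrolled user


def enrol(samples: list[Sample], expected: str) -> list[tuple[float, float]]:
    """Per-feature (mean, std) over the enrolment samples; this is the stored profile."""
    vectors = [features(s, expected) for s in samples]
    return [(mean(col), max(pstdev(col), MIN_STD_MS)) for col in zip(*vectors)]


def score(sample: Sample, expected: str, profile: list[tuple[float, float]]) -> float:
    """Mean absolute z-score against the profile; lower is closer to the enrolled rhythm."""
    vec = features(sample, expected)
    return mean(abs(v - m) / s for v, (m, s) in zip(vec, profile))


def verify(sample: Sample, expected: str, profile: list[tuple[float, float]]) -> bool:
    """True if the rhythm matches; a sample that spells the wrong text simply fails."""
    try:
        return score(sample, expected, profile) < ACCEPT_THRESHOLD
    except ValueError:
        return False


def make_sample(text: str, dwell_ms: float, flight_ms: float, wobble: float) -> Sample:
    """Constructed typing sample: a constant rhythm with an alternating +/- wobble."""
    out: Sample = []
    t = 0.0
    for i, ch in enumerate(text):
        sign = 1 if i % 2 == 0 else -1
        down = t
        up = down + dwell_ms + sign * wobble
        out.append((ch, down, up))
        t = up + flight_ms - sign * wobble
    return out


# Constructed data: the legitimate user types their address three times at enrolment.
EMAIL = "al@ex.io"
ENROL_SAMPLES = [make_sample(EMAIL, 95, 140, w) for w in (0, 5, 10)]
PROFILE = enrol(ENROL_SAMPLES, EMAIL)
OWNER_PROBE = make_sample(EMAIL, 95, 140, 3)        # same person, slightly different day
IMPOSTOR_PROBE = make_sample(EMAIL, 160, 260, 5)    # knows the address, types it differently

if __name__ == "__main__":
    print("owner   ", round(score(OWNER_PROBE, EMAIL, PROFILE), 2), verify(OWNER_PROBE, EMAIL, PROFILE))
    print("impostor", round(score(IMPOSTOR_PROBE, EMAIL, PROFILE), 2), verify(IMPOSTOR_PROBE, EMAIL, PROFILE))
```

Note what the impostor case shows: knowing the email address is not enough, because the profile is over timing, not content. Note also what it does not show: a script replaying the owner's captured key events would score perfectly, which is why the result should feed a risk decision next to a second factor rather than replace one.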

Similarly, when considering the usability of applications for employees within an organisation, wherever possible organisations should be thinking about user federation rather than expecting employees to authenticate separately into each cloud-based solution. Whether you outsource your identity provider or not will largely depend upon the vertical you work in and your risk appetite; either way, you should have a single source of truth for identity and the capability to federate access to applications seamlessly and invisibly to end users, without necessitating yet more passwords to remember! The flip side is that the identity provider becomes the one account that unlocks everything, so it deserves phishing-resistant multi-factor authentication and close monitoring in a way that no individual application login ever did.

In short, I'm not sure that the old security paradigm of "more security = less usability" holds true all the time in the 2020s. Just because security is invisible or requires fewer steps for the end user doesn't mean it's less secure. Often today, it means quite the opposite!

©2022 by Phil Stewart