Monday, September 3, 2012
Security controls have side effects which affect user experience
Most security controls are like drugs that cure serious diseases but bring undesirable side effects with them. These side effects reduce the ease of use of most electronic devices and services, such as ATMs, biometric devices, logging in to or even enrolling on web sites. The design of a control must consider how the control itself can be misused, so that these side effects can be eliminated or reduced. The best approach, though difficult to implement, is to tuck security into the background where it works silently and invisibly. Would we all not like to pay with our credit card online without filling in a lengthy form?
Take the case of the Reserve Bank of India (RBI) doing away with the cash retraction systems in ATMs after it found large numbers of dubious claims of non-receipt of cash. The security feature had helped customers in instances when an ATM did not disburse cash quickly and the cash was left behind by customers who thought the ATM was not working.
Another example is the locking of accounts after a fixed number of failed authentication attempts. This feature protects users from a variety of automated password attacks, reducing the risk of account compromise where password strength is low. The same feature can also be turned into a nuisance, since a malicious individual can deliberately lock someone else's account.
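As an added illustration of that trade-off (example code written for this post, not from any product named here), the first class below is the plain lockout just described and the second a variant that keeps the protection but removes the side effect: it keys the block on the (account, source) pair and lets it expire on its own. The account name and addresses are constructed sample values.

```python
import time
from collections import defaultdict

class HardLockout:
    """Lock the account after MAX_FAILURES wrong passwords until an admin resets it."""
    MAX_FAILURES = 5

    def __init__(self):
        self.failures = defaultdict(int)          # account -> failed attempts

    def allowed(self, account, source):
        return self.failures[account] < self.MAX_FAILURES

    def record_failure(self, account, source):
        self.failures[account] += 1

    def record_success(self, account, source):
        self.failures[account] = 0

class TemporaryPerSourceLockout:
    """Cool down each (account, source) pair with a delay that doubles per failure."""
    FREE_FAILURES = 3       # failures tolerated before any delay
    BASE_DELAY = 1.0        # seconds; doubles with each further failure

    def __init__(self, clock=time.monotonic):
        self.clock = clock                        # injectable for testing
        self.failures = defaultdict(int)          # (account, source) -> count
        self.blocked_until = defaultdict(float)   # (account, source) -> time

    def allowed(self, account, source):
        # A block only affects the pair that caused it and expires by itself.
        return self.clock() >= self.blocked_until[(account, source)]

    def record_failure(self, account, source):
        key = (account, source)
        self.failures[key] += 1
        excess = self.failures[key] - self.FREE_FAILURES
        if excess > 0:
            self.blocked_until[key] = self.clock() + self.BASE_DELAY * 2 ** (excess - 1)

    def record_success(self, account, source):
        self.failures[(account, source)] = 0
        self.blocked_until[(account, source)] = 0.0

def owner_can_try(policy, account="alice", other="198.51.100.7", owner="203.0.113.9"):
    """Ten wrong guesses arrive from `other`; can the owner still attempt a login?"""
    for _ in range(10):
        if policy.allowed(account, other):
            policy.record_failure(account, other)
    return policy.allowed(account, owner)
```

Per-source throttling alone does not slow guessing spread over many sources, so in practice it is paired with a per-account rate limit and monitoring of failure volume rather than a permanent lock.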
CAPTCHA is another such feature. It prevents automated attacks during enrollment on web sites, but as machine reading grows more sophisticated, CAPTCHA phrases are becoming hard for humans to read too. Invariably, users succeed only after a few tries.
There are many more such examples. Our challenge is to recognize the side effects and work out ways to minimize them, rather than let customers live with them. This requires better architectural designs and innovation in security technology.