Security & Usability

Traditionally, access to secure areas or sensitive information has been controlled by possession of a particular artifact (such as a card or key) and/or knowledge of a specific piece of information such as a Personal Identification Number (PIN) or a password. Today, many people have PINs and passwords for a multitude of devices, from the car radio and mobile phone, to the computer, web-based services and their bank information.

Herein lies a major difficulty involving the trade-off between usability, memorability and security. Methods for increasing security, such as regularly changing PINs and passwords, increasing their length, ensuring they do not form words and ensuring all are different, makes them more difficult to remember and, therefore, error-prone. Alternatives to the traditional Personal Identification Number (PIN) have also been investigated for instance using pictures instead of numbers.

Of course, traditional methods rely upon the assumption that the artifact (such as key or card) will be in the possession of the rightful owner and that the information to activate it will be kept secret. Unfortunately, neither of these assumptions can be wholly relied upon.

It has been noted that if people are permitted to choose their own passwords they tend to select ones which are easily guessed. People tend to choose ones that are related to their everyday life. They choose passwords which are easy to remember, and, typically, easily predicted, or they change all PINs to be the same. Also, people are often lax about the security of this information and may deliberately share the information, say with a spouse or family member, or write the PIN down and even keep it with the card itself.

Biometric techniques may ease many of these problems: they can confirm that a person is actually present (rather than their token or passwords) without requiring the user to remember anything. So far, however, the growth of biometrics technologies has been driven by a mainly system-centred approach, dealing with the problems of unique digital identifier extraction, template handling and recognition algorithms.

I’m a huge advocate of User Centric Design. Yet in a corporate world, what the end user wants is often insufficiently taken into account by the designer or decision maker. This is less the case in consumer facing applications, but when it comes to applications for employees my experience is that usability isn’t high on the priorities list.

It's time IT need to involve the pro user in what security means in their professional life, just like the Bring-Your-Own-Device wave,  we should be thinking how to facilitate Bring-Your-Own-Identity. The first thing to do is to place the user in the centre focussed on how users want to experience security, they are already convinced of the necessity. User Centric Design will result in better usability, quicker adaptation and higher productivity.