User Friendly vs Secure
Security is sometimes compared to healthy food. Quite a nice analogy: we all know we should eat healthy but we don’t always do it. The same is true for security: even though we know security measures are important, we sometimes favour a situation that is less secure. For various reasons.
I often experience this as well when I have the role of that little voice inside people’s head that tells them to eat healthy even though they feel like having a quick unhealthy snack. As a security consultant it is my job to point out flaws in a design and that can clash with other people’s wish to create something user friendly. To some, a secure interface is almost the exact opposite of having a user friendly interface. But that is what makes the job interesting: find a middle way between a user friendly customer journey without making compromises when it comes to security.
This can sometimes be a tricky battle. When something is built from scratch security is included. But after the go-live small improvements are always made and this is where the tricky part begins. While there might have been a strong focus on security during the initial development, improvements usually focus on improving the user experience. I’ve often seen proposals for a better user experience where quite literally security measures where removed from the design. And not with bad intent: people often simply don’t oversee the consequences and focusing strongly on UX, they start peeling off the security layers.
The funny thing is that it seems this doesn’t only happen in the digital world!
When you go to the supermarket you have to insert a coin in a shopping cart in order to be able to use it. At least, that’s how it works here in The Netherlands. I still remember when this security measure was introduced. At that time it wasn’t uncommon to see shopping carts abandoned in the street or find them thrown into the bushes. People took them home, unloaded their shopping and didn’t feel much like bringing them back so they left them on the street. To create an incentive to bring back the shopping carts the supermarkets introduced a system where you had to unlock the cart with a coin of at least one guilder (roughly half a euro). It might seem like a small amount but this system worked pretty good actually (probably also a result of Dutch people being very mean with their money!)
Although it worked, it wasn’t very user friendly. It wasn’t so much a problem in the beginning, but as paying with PIN became more popular, people carried less and less coins with them. And this posed a problem because they needed coins to pick a shopping cart.
The first solution was to allow these people to pay for a coin with pin. An effective solution, but not ideal. At least, not for the supermarkets. The service counter with the PIN machine is also the place where people queue to buy things like tobacco, mobile phone top-up cards, etc. They must have reasoned that too big a queue cost them money in terms of sales. The next improvement was to create metal non-monetary coins (sometimes with the logo of the supermarket) that you could request to a service employee. At this point, the incentive of loosing money was lost, but you still had to queue for it at the service counter and talk to the employee. Now, instead of money you had to put some effort into it. These coins must have been too expensive to make though, because after a while another improvement was made: they were replaced with plastic ones.
The people in charge of user experience still must have been unhappy though. Customers that came to do their shopping without a euro coin in their pocket had to queue at the service counter if they wanted a shopping cart. And since these plastic coins almost didn’t cost any money: why not simply put a jar on the counter where people could pick them freely without having to wait? That is, of course, much more user friendly!
Seeing that jar there on the counter made me chuckle. It’s an excellent non-technical example of what often happens in the online world. A security measure was taken and the subsequent steps to improve the user experience have peeled off that measure layer by layer until pretty much nothing is left.