I want to ask all the security professionals a question: what is more important, security or user experience?
I have been working in the security domain for almost 15 years, and I have noticed one thing: people keep emphasizing security and completely neglect the user experience part. I think security and user experience are two sides of the same coin. They are different, but neither can be neglected, and both should be given equal importance. Let me try to explain with the following simple example:
Example:
Note: This example is only meant to illustrate the point; I understand that it is 2022 and passwords are considered the weakest solution in cybersecurity today. 😊
Suppose we have 5 applications and want to implement an authentication solution for all of them. To improve the security posture, what if we define the password policy below:
- Minimum password length = 15
- Minimum digits = 2
- Minimum uppercase letters = 2
- Minimum lowercase letters = 2
- Minimum special characters = 2
- No consecutive numbers or letters are allowed
- Last n passwords cannot be reused, n = 25
- Password expiry = 15 or 30 days
- The same password cannot be used across applications
- Passwords cannot contain user attributes such as first name, last name, user ID, email, etc.
- Passwords cannot contain dictionary words (custom dictionary)
This password policy forces users to come up with a complex, unique password for each application every 15 or 30 days.
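To make the policy concrete, here is an added Python example (not code from the original post) that enforces the rules above for one application. The sample user, the custom dictionary, the candidate passwords and the reading of "no consecutive numbers or letters" as a run of three sequential characters ("abc", "321") are all assumptions made for this example; the password-history check stores salted PBKDF2 digests rather than old passwords.

```python
import hashlib
import hmac
import secrets

# Policy values copied from the list above.
MIN_LENGTH = 15
MIN_DIGITS = 2
MIN_UPPER = 2
MIN_LOWER = 2
MIN_SPECIAL = 2
HISTORY_SIZE = 25
# Assumption: "no consecutive numbers or letters" means no run of SEQUENCE_RUN
# adjacent letters or digits in ascending or descending order ("abc", "321").
SEQUENCE_RUN = 3
# Constructed custom dictionary for the example; a real deployment loads a large list.
CUSTOM_DICTIONARY = sorted({"password", "welcome", "summer", "company", "secret"})
PBKDF2_ITERATIONS = 10_000  # kept low so the demo runs fast; use far more in production


def hash_for_history(pw: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2 digest, so the history check never stores old passwords in clear."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)


def has_sequence(pw: str, run: int = SEQUENCE_RUN) -> bool:
    """True if pw contains `run` adjacent letters or digits that step by exactly +1 or -1."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if not (chunk.isalpha() or chunk.isdigit()):
            continue
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw: str, user_attrs: dict, history: list) -> list:
    """Return every policy violation for pw; an empty list means the password is accepted.

    user_attrs: e.g. {"first_name": "Jane", ...}; history: list of (salt, digest) tuples.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH}")
    if sum(c.isdigit() for c in pw) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} digits")
    if sum(c.isupper() for c in pw) < MIN_UPPER:
        problems.append(f"fewer than {MIN_UPPER} uppercase letters")
    if sum(c.islower() for c in pw) < MIN_LOWER:
        problems.append(f"fewer than {MIN_LOWER} lowercase letters")
    if sum(not c.isalnum() and not c.isspace() for c in pw) < MIN_SPECIAL:
        problems.append(f"fewer than {MIN_SPECIAL} special characters")
    if has_sequence(pw):
        problems.append("contains a sequential run of letters or digits")
    lowered = pw.lower()
    for name, value in user_attrs.items():
        # Also match the local part of an e-mail address ("jane.doe" from jane.doe@example.com).
        for piece in {value, value.split("@")[0]}:
            if len(piece) >= 3 and piece.lower() in lowered:
                problems.append(f"contains user attribute {name}")
                break
    for word in CUSTOM_DICTIONARY:
        if word in lowered:
            problems.append(f"contains dictionary word {word!r}")
    for salt, digest in history[-HISTORY_SIZE:]:
        candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
        if hmac.compare_digest(candidate, digest):
            problems.append(f"reused one of the last {HISTORY_SIZE} passwords")
            break
    return problems


# Constructed sample user and candidate passwords for the demo.
SAMPLE_USER = {"first_name": "Jane", "last_name": "Doe",
               "userid": "jdoe", "email": "jane.doe@example.com"}
SAMPLE_PASSWORDS = ["JaneDoe2022!!", "Welcome2Spring!!", "Vq7#mLp2!Zr9xWq"]


def demo() -> dict:
    """Check each sample password, then show that re-submitting the accepted one is rejected."""
    history = []
    results = {}
    for pw in SAMPLE_PASSWORDS:
        problems = check_password(pw, SAMPLE_USER, history)
        results[pw] = problems
        if not problems:
            history.append(hash_for_history(pw))
    accepted = [pw for pw, p in results.items() if not p]
    results["reuse"] = check_password(accepted[0], SAMPLE_USER, history) if accepted else None
    return results


if __name__ == "__main__":
    for pw, problems in demo().items():
        print(f"{pw!r}: {'accepted' if not problems else ', '.join(problems)}")
```

Running the demo makes the post's point visible: the two passwords a person might actually remember are rejected (too short, contains the user's name, contains a dictionary word, too few digits), the only string that passes is one nobody will remember, and once it is in the history it cannot be used again after expiry.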
From a security point of view this may look good, because each application has its own unique password, but is it easy for an end user to remember such complex passwords? Users might manage it once, but can they come up with new passwords for every application every 15 or 30 days?
The answer is no. So what is wrong with this solution?
In this solution we completely ignored user experience and are providing a very poor experience to our customers. If we implement this kind of password policy, end users will end up writing passwords in a notebook, in a Notepad file on their laptop, or on sticky notes, which undermines the very security posture we wanted to improve. The final outcome is poor security.
As security professionals, we keep our entire focus on security and pay less attention to user experience, but I think it is our responsibility to come up with a solution that is not only secure but also provides a better user experience to our customers, so that our aim of improving the security posture remains intact. We cannot have a 60-40 ratio between security and user experience; it must be 50-50, which means we need to start giving user experience the same importance we give to security. Only by doing this will we be able to really improve the security posture of the organization.
Again, these are just my thoughts.
Disclaimer