Security vs UX: Why UX is an important factor in designing secure systems

•

•

•

•

• BakerHostetler: Privacy and Data protection report in 2014• Ponemon: the new leading cause of data breach report 2015• CompTIA: Survey of hundreds of US companies 2015

All these research studies had the same conclusions.

Yes, 9 characters. ISM new requirements.

2 in 1: A sticky note + a weak password.

Remote Second Factor Auth (R2FA)!

Lets be professional and call him a UX factor!

Feel

Usability

Look

Confidentiality

Integrity

Availability

Feel

Usability

Look

Confidentiality

Integrity

Availability

More on these later.

Don’t ask how tall you are!

Many don’t have a middle name!

It must be easier that remembering a password.

Don’t prompt the same question.

This shows an empty space. There are no more pros.

* http://research.google.com/pubs/pub43783.html

Good UX point.

e.g. SecureRandom class

At the time of writing.

•

This shows an empty space. There are no more pros.

So, reduce the attack window with time limitation.

You increase chance of successful Social Engineering attacks.

This is perhaps the best use-case.

Good UX point.

Banks, please don’t use it

$20,000 Phone porting scamJune 2015

Banks, please don’t use it

At the time of writing.

Check References slide.

6.4% adoption of Google 2FA*http://users.ics.forth.gr/~elathan/papers/eurosec15.pdf

This could be your weakest link.More on this later.

Google educate user on 2FA.

A bad way of educating by LinkedIn.

List emails that user should expect from you.

Include also a sample email and type of things being requested in the email.

Facebook tells users what emails not to expect.

Good example by Amazon: “Don’t ask for code on this device”

Good example by Google: Simple and clear what action to take

•

•

•

•

•

•

secure

•

•

•

•

•