Security and Usability
Topics:
Usability
Terminal 4 at Heathrow was packed like a box of sardines... This was quite odd - normally this late in the evening the place is half-deserted, but now it was full of people looking utterly annoyed. Probably some heavy flight delays, I told myself, and went to look at the Departures monitor, but it looked pretty normal. It must be the check-in system, then. A computer glitch, or maybe a staff strike. But it wasn't either of these: when I had edged my way through the crowd to get to the check-in area, the desks were relatively free and I was quickly face-to-face with the friendly British Airways check-in clerk. "A bit busy today, isn't it?" I asked, pointing at the human mass behind me. "It's the new security procedures. Haven't you got our notice?" said the clerk.

Flashback... My email box was flooded as usual - I'm still waiting for someone to invent an anti-email technology - and I scanned the inbox looking for those easy emails that I can quickly read and delete. Like this 'important message' email from British Airways, advising me that due to new security procedures at London Heathrow, I should arrive at the airport four hours prior to any flight I'm taking. Bah! Four hours. You've got to be kidding me. I dismissed the obviously hysterical recommendation, discarding the email and moving on to the next one.

Back at Heathrow... Rrrrrright. So it wasn't flight delays, and it wasn't a computer glitch or a staff strike. It was a new security procedure. What kind of new security procedure can produce THIS? I looked around me. It was completely mad. I didn't even know where the line started. The annoyed look on people's faces was beginning to change to sheer desperation. Some of the passengers were really edgy, and from time to time you could hear heated arguments with airport staff - a very rare thing in Britain. I noticed people in yellow jackets handing passengers nylon bags. What on earth were these for?

After about an hour of moving along a snail-paced human snake, I got the answer. The nylon bags were for laptops, which had to be removed from their cases. This is quite common in airports, but was never the practice in Heathrow. Half an hour later I finally got a glimpse of the security stations. The metal detectors were beeping constantly, and people were removing their belts and watches, and some - probably accustomed to US security measures - even took off their shoes. Not that any of it helped; the detectors' thresholds were set to such low levels that they beeped nervously each and every time. The security staff themselves looked agitated, which didn't really help improve the situation.

Why am I telling you all of this? It's a bit different in the enterprise world. Not many people will quit their job because IT installed a new firewall that pops up all the time, driving them mad, or because their company migrated to a new VPN which is much less friendly than the old one. But consumers who want to access an online financial service have very low thresholds when it comes to usability. They want to be secure, but they don't want to be bothered with security. If they encounter something they don't like or understand, they'll call customer service or, to a lesser extent, switch to a more user-friendly site.

The security industry didn't really think about all of that until quite recently. For decades the industry has been looking at creative ways of making things more air-tight. We've been developing more secure authentication methods in order to counter a growing arsenal of threats. But in the online consumer authentication market, usability is in many cases of greater importance than security. It's true that some people like to see changes in the bank's security procedures and will appreciate it if the financial institution hands them authentication devices or comes up with other visible security measures.

But other customers don't really care about all of that; they demand security from the bank, but all they really want is to access their account, pay bills and transfer money without any delay or additional challenge. On the other hand, we have to protect these customers, even if they don't want to help us help themselves. So we need to do something, but it has to provide a good balance of security, usability and (obviously) cost - since in many cases we're talking about millions of customers. One way to achieve such a balance emerged recently: it's called Risk Based Authentication... but more on that in my next post.

Cheers, Uri