Determining the fine line between security and usability is a hard task for everybody involved in IT security, from software developers to network administrators. A lack of balance between the two is one of the main reasons a security system can fail. Here are a few examples:

Passwords

Passwords are the most common authentication method. They are so popular that everyone – or at least all network administrators – should know how to use them effectively. However, there are still many cases where users either choose passwords that are easy to guess or simply write their passwords on a piece of paper that is left on the desk and is therefore available to anybody who passes by.

Why is this happening? Usually it is either because the security policies do not enforce enough security or because they enforce too much security.

When there are no constraints on the complexity of passwords, users will generally set simple, easy-to-remember passwords and never change them. The usability of the system in such cases is good: users will not have trouble accessing the system because they forgot their password. However, these easy-to-remember passwords are (usually) also vulnerable to password guessing attacks.

On the other hand, if people are forced to set extremely complex passwords, a different set of problems will arise with the same effect: the security system can be easily bypassed. If passwords cannot be remembered, most users will either write them down or, of course, forget them. This is not a good thing. If passwords are written down, some users will stick the paper on the side of the monitor or put it under the keyboard. If passwords are forgotten, users will often spend time calling support or using the “Forgot your password” service. It is not difficult to find people who are annoyed by extreme security measures. And in the case of services provided online, this can lead customers to consider alternative services that are easier to use.

Windows User Account Control (UAC)

Windows UAC is probably the best example of how difficult it is to keep the equilibrium, even for big and experienced players like Microsoft.

Windows XP does not have UAC and it is an excellent operating system from a usability point of view. This is the reason why it is still so widely used. However, over time it has had important security problems.

A key factor behind a large part of the security issues in Windows XP is the overuse of administrator accounts. Software developers used to assume that users had access everywhere and designed their applications accordingly. Users were using administrator accounts even for trivial tasks, partially because a lot of applications did not work otherwise. Malicious software benefited a lot from this situation. Because users were administrators, malware was able to infect core system files, causing significant, and sometimes irreversible, damage.

Microsoft realized that they had to change something and the result was Windows Vista, an operating system designed with security in mind. User Account Control (UAC) is one of the new security components that were introduced in Vista, and it is a set of features that allow users to perform common tasks as non-administrators.

How does it work? Basically, all accounts, even administrator accounts, run by default with the privileges of a standard user. Each time an operation that requires administrative privileges is about to be executed, the user is prompted – via a secure desktop – to confirm that they are aware of the operation and want to continue. Clicking yes, or providing administrator credentials in cases where a standard user is logged on, will elevate the privileges to administrator and the operation will execute successfully. However, the privileges are elevated for that program only. Each application that performs operations which require elevation will generate at least one UAC prompt.

This approach started to make users more aware of the changes performed in their system. Another effect is that most users got annoyed by the large number of UAC prompts, thus forcing developers to fix their applications so that they run without unnecessarily asking for administrator privileges.

While Windows Vista UAC is great from a security point of view, regarding usability it is enough to say that the first result when searching on Google using “Windows Vista UAC” is a page with the title “Disable User Account Control in Windows Vista”.

Will Windows 7 ship with an updated UAC to finally get the right balance? It seems so; however, the path is not so straightforward.

The feedback received from customers on Windows Vista UAC was processed by Microsoft and Windows 7 Beta was released with an updated version of UAC. The updates were meant to improve usability by reducing the number of UAC prompts. Although Windows 7 UAC can be configured to behave like Windows Vista, the default state allows Windows components to auto-elevate without prompting the user.

At first sight this solution seemed to be perfect: a huge usability improvement – the number of annoying UAC prompts reduced – while making no major compromises regarding security. Unfortunately, the right balance was still not there. An important security flaw was discovered: through auto-elevation it was possible to disable UAC without the user being notified. Microsoft’s initial reaction to this was a bit strange to the security community. They said that the behavior was like that by design and it would not be changed. Finally, Microsoft admitted that it was an issue that must be fixed, and in Windows 7 Release Candidate (RC) – which is currently available – changing the UAC level gets special treatment and it always prompts you if you choose to disable it.
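Because the UAC level can be lowered or switched off, it is worth checking which level is actually in effect. The following is an added example, not part of the original article: a read-only PowerShell check of the UAC policy values in the registry. The registry value names are Windows' own UAC policy settings, which the article does not mention; the level labels and the `Get-UacLevel` function name are made up for this example.

```powershell
# Added example: report which UAC level is in effect (read-only audit).
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$names = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop'

# Map the three policy values to a level. The labels are descriptive names
# chosen for this example, not strings that Windows itself reports.
function Get-UacLevel {
    param([int]$EnableLUA, [int]$ConsentPromptBehaviorAdmin, [int]$PromptOnSecureDesktop)

    if ($EnableLUA -eq 0) { return 'Disabled' }
    $secureDesktop = $PromptOnSecureDesktop -eq 1
    switch ($ConsentPromptBehaviorAdmin) {
        # 0: administrators are elevated without any prompt
        0 { return 'NeverNotify' }
        # 2: consent prompt for every elevation (the Vista-like behavior)
        2 { if ($secureDesktop) { return 'AlwaysNotify' } }
        # 5: consent prompt only for non-Windows binaries (Windows 7 default)
        5 { if ($secureDesktop) { return 'Default' } else { return 'DefaultNoSecureDesktop' } }
    }
    # Any other combination was set by policy rather than by the slider
    return "Custom($ConsentPromptBehaviorAdmin,$PromptOnSecureDesktop)"
}

$policy  = Get-ItemProperty -Path $key
$missing = @($names | Where-Object { $null -eq $policy.$_ })

if ($missing.Count -gt 0) {
    # Do not guess a level when a value is absent
    Write-Warning "UAC policy values not set: $($missing -join ', ')"
} else {
    $level = Get-UacLevel $policy.EnableLUA $policy.ConsentPromptBehaviorAdmin $policy.PromptOnSecureDesktop
    "UAC level: $level"
    if ('Disabled', 'NeverNotify' -contains $level) {
        Write-Warning 'Elevation happens without a prompt; confirm this was an intended change.'
    }
}
```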

Did Microsoft finally get it right? Time will tell. The fight is not over yet. There are still people complaining about asking non-qualified people to make important decisions about security, even with the reduced level of prompts from Windows 7. And there are voices that say security should not be compromised and Windows Vista UAC is better.

Nevertheless, the examples above are not isolated cases. There are plenty of other similar situations. I know people whose machines got infected even with an antivirus solution installed and up to date, just because the real-time monitoring component was turned off. Why was it turned off? It was slowing down the computer…

Security applications and security policies should be designed to interfere minimally with the normal workflow of the user. If they are too intrusive, people tend to bypass them and the systems will fail to achieve their main goal: enforcing security.