Threat Modeling for UX Designers with Adam Shostack on Heidi Trost's podcast, Human-Centered Security
Heidi Trost is a user researcher and strategist who's writing a book about improving the UX of security. She was kind enough to have me on her podcast, Human-Centered Security. We hurt ourselves and the people who use our software when we make it hard to use, and I really enjoyed the conversation. It's a tremendously important topic, and I'm really looking forward to her book.
One of the themes of the interview was how usability people should engage with security, and how much usability has to offer even if the usability folks know nothing about security. This came up while I was browsing Mastodon, in a poll I ran there. The poll was inspired by a post that "only" 17% of users on the infosec.exchange Mastodon instance were using MFA. I asked why, and the reason that came back in the comments was: usability, and especially discoverability:
- "Not shown here is 'I didn't know it was available' which was the reason I would've given before I enabled it"
- "Must have missed it"
- "Didn't know I could"
- "Never got a prompt"
- "actually I just don't want to set it up on mobile and keep forgetting it when I'm at my desk"
These are not subtle points — they are lack of awareness, because the onboarding and account setup features don't make setting up 2FA part of the default path, or even offer a prompt of "would you like to...?" This is not a criticism per se. Perhaps the decision was made to focus on the number of steps to get a person set up and using the software. Maybe it's something else? But we need partnership between security and usability to make things like this better.