Cybersecurity In-Depth

The Edge

Friction Affliction: How to Balance Security With User Experience

There's a fine line between protecting against suspicious, malicious, or unwanted activity and making users jump through hoops to prove themselves.

As "defenders," security professionals are laser-focused on protecting our organizations from the ongoing risks and threats they constantly face.

But sometimes this comes at the expense of something incredibly important: user experience. Why is this so important? For one, when confronted with untenable restrictions and difficult processes, people tend to find ways to work around that friction – which worsens the organization’s security posture.

Increased friction also results in user frustration and the tendency to give up more quickly. For an online business, for example, this might result in fewer purchases, lowering its revenue and profit.

While we never want to compromise the security posture of the organizations we defend, we can often improve usability – i.e., reduce user friction – without increasing risk. Here are a few suggestions.

Recognize Known Good Users
It's no secret that passwords do not, in and of themselves, provide an adequate level of security. Enter multifactor authentication (MFA), which challenges users to prove who they are via several authentication steps. MFA is sometimes required by regulation or policy, but also to increase account security at login and other important times.

If, on the other hand, we recognize a user, why should we trouble them to prove who they are? Reliably recognizing known good users makes it easier to recognize unknown or malicious users. This helps us focus on what we’re supposed to be focused on when it comes to authentication, rather than rigid, draconian rules and policies that merely inconvenience legitimate, paying customers.

Recognize the Clues Legitimate Users Leave Behind
One way we can recognize known legitimate users is by paying attention to the clues they give us and leveraging technologies, such as fraud prevention and adaptive authentication tech, that allow us to act on those clues. We can bucket these clues into three main categories: the data associated with a device, the data associated with the user's environment, and the data associated with how that person behaves and interacts with our site.

As we begin to collect and analyze data from a large number of users coming from a variety of devices and environments with differing behavioral profiles, we begin to learn a lot about expected patterns of behavior and departures from those patterns. When a user is behaving as we would expect a legitimate user to, we can dial back on challenging them, thus providing them a smoother online experience.

Recognize the Clues Cyberattackers and Fraudsters Leave Behind
Just as legitimate users leave clues, so do cybercriminals. If we’ve done a good job learning how legitimate users usually behave, we can leverage that knowledge to understand how attackers and fraudsters typically behave. This helps us block and/or challenge their sessions and transactions, ultimately saving money by reducing the organization's loss to fraud. In other words, whereas we want to reduce friction for legitimate users, we want to drastically increase friction for attackers and fraudsters – we don’t want to let them operate within our applications.

Security teams often get an unfair rap as the “department of no.” But part of managing risk often means turning down or modifying proposals that introduce too much of it into the organization. Implementing a safe and effective means to reduce friction without adversely affecting security and increasing risk is the key to increasing customer satisfaction, the organization's bottom line, and confidence in the security team.