Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The basic issue with Security is that it is almost always in contention with Usability.

It's easy to look at something with security blinkers and go "eeks - you n00bs!" but it's ridiculously difficult to put in place any measures without immediately reducing the usability of your solution.




Absolutely not. That's only the case when you have nearly optimal usability and nearly optimal security. Then you are on a Pareto optimality frontier.

However, I almost never encounter such systems; usually they fall short on both counts.

Consider: How much usability do you lose to close a cross-site scripting attack? How much usability do you lose to close an SQL injection? How much usability do you lose to close a buffer overflow?

Now, how many security vulnerabilities fall into one of those three categories? Probably more than 90%.

Until you close off the obvious, huge attacks, there's little point adopting two-factor authentication.

Coming at it from the opposite point of view, how much usability do you lose from adopting two-factor authentication on top of a secure system? That can greatly add to a system's security, but you pay the price ("enter a number from this fob") once per login, hardly something to cry about.

Only once your system is very secure and very usable do you actually, truly get into tradeoffs between security and usability. But there's nothing special about security and usability here that bears any special attention... when you've optimized sufficiently any two interests start being in opposition to each other!

I mention this because the same fallacy that leads people to think that security stands in opposition to usability leads people to misinterpret decreases in usability as security increases. Like my bank, which uses "two-factor authentication" (note the scare quotes) consisting of a password and the answering of one of three questions that would normally be used to recover passwords... in other words, first it asks me for a password, then it asks me for a password. Two-factor my ass. But it is mistaken for security because it lowers usability.


>How much usability do you lose to close a cross-site scripting attack? How much usability do you lose to close an SQL injection? How much usability do you lose to close a buffer overflow?

None of course. But these aren't philosophical security factors (like the OP). They could actually be classified as "security bugs" or just "bugs".

>how much usability do you lose from adopting two-factor authentication on top of a secure system? That can greatly add to a system's security, but you pay the price ("enter a number from this fob") once per login, hardly something to cry about.

Considering normal users - a whole lot!!! If I put in a system like this, I would expect a whole load of problems.

Consider: Delivery of fob, recall of fobs, damaged to fobs, lost fobs, stolen fobs etc etc. Not to mention about 20% of users would just hate learning how to use it.




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: