I realise that we're saying pretty much the same thing, but the design process should be like this:
1. Make the application secure enough so that the cost to a malicious user of cracking the security is greater than the potential value of doing so.
2. Given the constraints of #1, provide the best possible user experience.
I realise that we're saying pretty much the same thing, but the design process should be like this:
1. Make the application secure enough so that the cost to a malicious user of cracking the security is greater than the potential value of doing so.
2. Given the constraints of #1, provide the best possible user experience.