Everyone reading this has probably heard that old rule of thumb that security and convenience are inversely proportional. In other words, increasing security comes with the cost of less convenience, while making things easier to use also means less security. This isn’t just in the context of computing, by the way. An unlocked door is easier to use (more convenient) than one that is locked (more secure). A door that you can unlock with a key is easier to use (but less secure) than a door that requires both a key and a keypad code, etc.
In the context of end-user computing, we all see this trade-off daily. Longer passwords are seen as more secure than shorter ones, but they’re also harder to remember and type. Six-digit phone PINs are more secure but less convenient than four-digit ones. Multifactor authentication leveraging both a password and a one-time code is more secure than a password alone, but it is annoying every time we have to switch over to the authenticator app to get that code. Requiring a PIN to unlock the authenticator app is more secure than not, but at the expense of additional steps and user annoyance.
There’s never really been any kind of standard for how this should all work and what should be used where. Different companies, policies, regulations, governance, organizational cultures, and sales rep effectiveness drive most of it, and things are different everywhere. What’s been historically consistent is that more security has correlated to more hassle for the users.
Finding the balance between security and convenience has always been about trade-offs. I’ve always thought of the “security versus convenience” model as a sliding scale, like the diagram below. You can draw a vertical line anywhere you want in it to get a certain level of security for a certain level of convenience; increasing one decreases the other, and vice versa.
Host: Andy Whiteside
Co-host: Erik Collett