How UI can degrade your security and make your users mad at you
Eitan Caspi
An Information Security leader and expert, for more than 25 years, living by the motto of ever improving. *** Open to relocation *** (expressed views are my own and not of my employer or clients)
About an hour ago I posted the following complaining post, and a few minutes after I posted it, I removed it. Please read it, so you will understand the basis for my turnaround and the new claim that follows:
"
Someone just sent me a Box link so I could share sensitive files with him.
I used the link to create my user profile there.
As usual, first things first, I went to enable 2FA.
But nope, no such option for me. I was asked to upgrade my user to a paid plan in order to get it... (or the person who sent me the link should do so)
Looking at Box's pricing plans, only the 3rd-level paying plan, the "Enterprise" plan, enables 2FA for external users... ($35 per user/month paid annually, minimum of 3 users)
https://lnkd.in/dC2sHHgU
While I can understand the cost of sending SMS messages for 2FA as a reason for the above, I guess email- and app-based 2FA should not be too costly.
Demanding more money to activate what is considered today a very basic security measure will not help Box gain popularity as a secure service, and may even push customers away to similar services that give 2FA as an obviously free feature.
"
So, what has happened here?
In the above scenario, I logged into Box, went to the "Account Settings" section, and there, naturally, selected the "Security" sub-section, where I found the above offer to upgrade to get 2FA, and no 2FA feature shown in this sub-section. So my conclusion was that I need to pay for 2FA, and I posted the above.
After posting the above, I went back to the "Account Settings" section to tweak other stuff, and there, in the "Account" sub-section, what did I find?... you guessed it: the ability to enable 2FA (plus the ability to change password...), which of course I enabled.
Wouldn't you expect the "Change Password" and 2FA features to be under the "Security" sub-section? Seems logical, doesn't it?
So, folks, this is my story of how UI decisions can drive your users not to enable basic security features and also make them mad at you (for no good security reason, but for a good bad-UI reason).