3F/ Usability for Identity Management

From IIW

Usability for Identity Management


Thursday 3F

Convener: Kent Seamons

Notes-taker(s): Tyler Ruff


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


Usability and Identity Management notes


Kent works in "Usable Security Research". He is a systems person who's gotten to do more human-centric applications.

Attackers often focus on the users. Security is not the primary task but is a secondary concern. Draws upon security, HCI, social services.

Security must be convenient or users will bypass it. "The more you make something, the less secure it becomes". 

As security experts we can fail to design usable systems.

If it's usable and secure, it's elegant.


How can we measure usability? There are both qualitative and quantitative approaches. What are the risks to the users?

There's the cognitive walkthrough. Think of a code review, but you walk through a scenario/use case step by step. Is this the persona approach? Could be.

Developers ask themselves: what are the users going to do next? They go through screen by screen. Need to go talk to users, not just 'step into their shoes'. Need to step back and ask yourself: Would any user want to use this?


Look at the "SUS questions" list of 10 Q's. They are the result of analyzing thousands of questions. You answer them on a 5 point scale. Agree/disagree. 

Also look at the System Usability Scale (Brooke 1996). Top 15% of tools score well, but shouldn't be interpreted like any old college test.
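The SUS scoring rule from Brooke (1996), applied to a small tool comparison. This is an added example, not material from the session or its slides; the tool names and answer sheets are constructed.

```python
from statistics import mean

def sus_score(answers):
    """Score one participant's sheet: 10 answers, 1 (strongly disagree) to 5."""
    if len(answers) != 10 or any(a not in (1, 2, 3, 4, 5) for a in answers):
        raise ValueError("need exactly 10 answers in the range 1..5")
    total = 0
    for item, a in enumerate(answers, start=1):
        # Odd items are worded positively, even items negatively, so the
        # even ones are reversed before summing (each contributes 0..4).
        total += (a - 1) if item % 2 else (5 - a)
    return total * 2.5  # scale is 0..100, but it is not a percentage

def compare_tools(study):
    """Return {tool: (mean SUS or None, valid sheets, rejected sheets)}."""
    out = {}
    for tool, sheets in study.items():
        scores, rejected = [], 0
        for sheet in sheets:
            try:
                scores.append(sus_score(sheet))
            except ValueError:
                rejected += 1  # incomplete or out-of-range sheet
        out[tool] = (mean(scores) if scores else None, len(scores), rejected)
    return out

# Constructed answer sheets for two hypothetical secure-email tools.
STUDY = {
    "tool_a": [
        [4, 2, 4, 1, 5, 2, 4, 2, 4, 2],
        [5, 1, 5, 1, 4, 2, 5, 1, 4, 1],
        [4, 2, 4, 2, 4, 2, 4, 2, 4, 2],
    ],
    "tool_b": [
        [2, 4, 2, 5, 3, 4, 2, 4, 2, 4],
        [1, 5, 2, 4, 2, 4, 1, 5, 2, 5],
        [3, 3, 3, 0, 3, 3, 3, 3, 3, 3],  # invalid: 0 is off the scale
    ],
}

if __name__ == "__main__":
    for tool, (avg, n, bad) in compare_tools(STUDY).items():
        print(f"{tool}: mean SUS {avg} over {n} sheets, {bad} rejected")
```

Because the items alternate between positive and negative wording, a participant who answers 5 to everything scores 50, the same as one who answers 3 to everything.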


Usability for secure email (example study of usability). BYU conducted studies with students and asked them to use various PGP tools and most tools utterly failed. 1 or 2 scored well.

They've found that you can compare existing work out there and see how much better these systems score if you take a different usability approach.


If you don't train users, what do they think of? 

You have to trust Signal because they control everything about the system. That is not a good model for long term security. Doesn't matter how secure a system is if no one will use it. The inverse is you have the appearance of safety/security but it's really not. 

Signal is absolutely an improvement over SMS, but it's not the end-all best solution. There is an unavoidable conflict between functionality, usability and security. It's a slider, where on one end is functionality and the other is security. People only use the functional applications.


People won't trust the perception of a single vendor which they need to trust. I


If a UX person was in this meeting he'd say: You can't change user behavior. That's a no-no. Also if you're teaching users you're dead already. But users today don't have good behavior and don't have a good understanding of security practices.


We have a very different mental model than the end user. We need a good UX guy to meld the two mental models: security focused and usability focused. 


Users actually make pretty good decisions & risk analysis based on what they know. They just don't know very much. 


Lessons learned: 

-Hiding too many details results in a lack of trust

-Users are concerned about the permanence of information

-Comparing separate systems has too many confounding factors

-Need careful A/B testing to understand _______ crap he changed the slide.... -____-