Asking users questions never increases security

December 3, 2010

Here is something that I've more or less written about before, but that I want to reinforce by saying it explicitly:

Asking users questions never increases security.

Never ever. Really.

(See SecurityChoiceProblem for a discussion of why.)

What this means is simple. Every time you design a system where part of the design is 'if something questionable happens, we will ask the user if they approve it', assume that at least half of your users will make the wrong choice. Ask yourself what this does to the security of your system, and then ask yourself if the question is actually doing any good or if the real design purpose is so that you can say with a straight face 'we tried to solve this problem, but the stupid users are screwing it up; it's their fault, not ours'.

(This answer is wrong. Twice.)

Then delete the question and either make the system work anyways or give up, admit that you are not delivering perfect security, and figure out how to do the best you can despite this.

In reality, of course, it will not be just half of your users who answer the question wrong, because users do not answer mysterious questions by picking randomly. Instead they pick whichever choice it is that lets them do whatever they were in the process of doing. Users almost always want to do what they're trying to do, even when it is actually a mistake.

(Sometimes, if you are very lucky, you can catch the user's attention long enough to persuade them that they're making a mistake. But this is very difficult for good reasons.)

If you are firmly convinced that what the user is trying to do is a mistake, tell them so very strongly, and tell them why. I am almost tempted to say don't give them any way to overrule you, but that's too strong. What you shouldn't do is present them with a yes/no question or some other dialog that implies that the two options are equally likely, because you've already decided that they aren't. 'Go on anyways' should be tucked away in tiny print, not given equal billing with 'get me out of here'.

(If you can't be almost certain that the user is making a mistake, see above. Find some way to not ask the question at all.)

(I've written about this issue before in SecurityChoiceProblem, but there I was more focused on configuration and setup questions instead of questions that you want to ask the user on the fly during normal operation.)

Written on 03 December 2010.

Last modified: Fri Dec 3 23:59:04 2010