Psychological Acceptability 35 Years Later
27 April 2011Over 35 years have passed since Jerome Saltzer and Michael Shroeder published their seminal paper The Protection of Information in Computer Systems but it still holds many truths applicable to this day. The paper presents a number of "Design Principles" that should govern secure systems. One of the most insightful of those is 3h, or "psychological acceptability." The principle of psychological acceptability states that user interface should be crafted for ease as well as overlay user expectations. This basically means that security should not obstruct a user and interfaces for security should match a user's comprehension of security. Asking a user to complete complex security requirements that have no discernible relationship to the users perception of security requirements is a recipe for failure. This principle plays out in the design of many users systems, but is blatantly obvious in the implementation of most authentication systems. Authentication is the means by which a user is accurately identified. The most common example is a username and password pair but other common schemes include biometrics or smart cards. The authentication system is the linchpin of many security designs and is used to tell who (or what) is using the system. Once authentication is established the system can appropriately determine authorization level (putting 'who' together with 'what'). Unfortunately many authentication systems begin with a self provisioned account. During this process a potential user selects a username and password. Often times the rules for the acceptability of a selection are vauge and only become clear after the user has made a choice. In a typical example a user is presented with a form that contains a username field and two password fields. The user carefully selects a user name and a password. The user then clicks some sort of submit button and waits for a bit and gets a new screen telling them their username is taken or that their password does not meet some sort of complexity requirements. This forces the user to come up with a new account and password and defeats the security design in a number of ways. By forcing the user to make another selection the system confuses authentication credentials in a users mind. They may have chosen an easily remembered password for the site and now must pick another, which could cause confusion in recollecting which password was used for account provisioning. By forcing the user to pick an alternative username a similar situation occurs, where a user thinks their account uses their initially selected username. These sorts of confusing circumstances push up support costs and increase the likelihood of a user choosing poor credentials. If a user is forced to comply with complexity rules after choosing a password they are likely just to postpend a number or special character (usually a '1' and some punctuation) at the end of their previously chosen password. Given this situation what can be done to alleviate confusion and move the process more in line with the users expectations? Considering the users' expectations before design commences is important to this process. A user who encounters an account provisioning screen expects to choose a username, select a password, submit the data and continue their interaction with the site. The closer an application could conform to these expectations the better it adheres to the principle of psychological acceptability. Users who have to interrupt their practice in order to conform to security restrictions will see security as an impediment rather than a service. Alerting users to requirements early and easily will serve to enhance their experience, and benefit the application security as a whole. In web applications this likely means using AJAX technologies to provide immediate user feedback without forcing the user to wait for page refreshes. Of course, this type of AJAX interaction would have to be done carefully to avoid introducing information disclosure or other security vulnerabilities. Client side scripts could also be employed to warn users about password security complexity rules violations while users were choosing their password. By providing easy ways for users to conform to security policies during the account provisioning process an application can mesh easily with user expectations, advancing the psychological acceptability principle. Making it easy for users to be secure ensures maximum compliance and strengthens the system. System responses that appear to strong arm users into compliance will inevitably meet with resistance and degrade system security regardless of the strength of the policies.