Abstract:
In the security community, we've always recognized that our security proposals come with certain costs in terms of usability. Traditionally, that's the compromise we make to get security. But the market has ruled against us. Time and time again, our fielded secure systems are ignored, bypassed, turned off, or constrained to such a small part of the process that the security result is practically nonexistent. Even worse for our mental self-satisfaction, those systems that claim to deliver security to users simply don't pass muster--they're not what we'd like to think of as secure systems.