User Interaction Design for Secure Systems
Ka-Ping Yee
(Professor Marti A. Hearst -- SIMS)
The security of any system that is configured or operated by
human beings depends on the information conveyed by the user
interface, the decisions of the users, and the interpretation
of their actions. This work establishes some starting points
for reasoning about security from a user-centered perspective:
it proposes to model systems in terms of actors and actions,
and introduces the concept of the subjective actor-ability state.
Ten principles for secure interaction design are identified;
examples of real-world problems illustrate and justify the
principles.
The results of this work come from discussing design
challenges and user experiences at length with designers
and users of software intended to be secure. After much
debate and several iterations of refinement, we have formed
the following set of design principles:
- Path of least resistance: the most natural way to do any task should also be the most secure way.
- Appropriate boundaries: the interface should expose, and the system should enforce, distinctions between objects and between actions along boundaries that matter to the user.
- Explicit authorization: a user's authorities must only be provided to other actors as a result of an explicit user action that is understood to imply granting.
- Visibility: the interface should allow the user to easily review any active actors and authority relationships that would affect security-relevant decisions.
- Revocability: the interface should allow the user to easily revoke authorities that the user has granted, wherever revocation is possible.
- Expected ability: the interface must not give the user the impression that it is possible to do something that cannot actually be done.
- Trusted path: the interface must provide an unspoofable and faithful communication channel between the user and any entity trusted to manipulate authorities on the user's behalf.
- Identifiability: the interface should enforce that distinct objects and distinct actions have unspoofably identifiable and distinguishable representations.
- Expressiveness: the interface should provide enough expressive power to (a) describe a safe security policy without undue difficulty and (b) allow users to express security policies in terms that fit their goals.
- Clarity: the effect of any security-relevant action must be clearly apparent to the user before the action is taken.
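As an added illustration (this is editorial example code, not code from the dissertation or from the author), the Python sketch below makes the actor/action model and the subjective actor-ability state concrete, and shows how four of the principles above fall out of it. The reading of the terms is my own: an ability is an (actor, action, object) triple, the actual actor-ability state is the set of abilities the system enforces, and the subjective actor-ability state is the set the user believes holds. Hidden authority (enforced but not believed) is a Visibility and Explicit authorization failure; phantom ability (believed but not enforced) is an Expected ability failure; Revocability is the operation that shrinks both sets together. The scenario, actor names and file names are constructed.

```python
"""Toy model of an actor-ability state and the user's subjective view of it.

Added illustration for the abstract above; not code from the dissertation.
Assumptions (mine, not the page's): an ability is a triple
(actor, action, object); the actual actor-ability state is the set of
abilities the system will permit; the subjective actor-ability state is
the set the user believes holds. Several of the ten principles can then
be read as constraints that keep the two sets equal.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

Ability = Tuple[str, str, str]  # (actor, action, object)


@dataclass
class ActorAbilityState:
    actual: Set[Ability] = field(default_factory=set)      # enforced by the system
    subjective: Set[Ability] = field(default_factory=set)  # believed by the user

    def grant(self, actor: str, action: str, obj: str, *, explicit: bool) -> Ability:
        """Give `actor` an authority.

        Explicit authorization: a grant should result only from a user action
        understood to imply granting; such a grant updates both sets. An
        implicit grant (authority inherited by a component the user never saw)
        lands only in the actual state and so becomes a hidden authority.
        """
        ability = (actor, action, obj)
        self.actual.add(ability)
        if explicit:
            self.subjective.add(ability)
        return ability

    def revoke(self, actor: str, action: str, obj: str) -> bool:
        """Revocability: remove an authority from the enforced state and from
        the user's picture. Returns False if nothing was being enforced."""
        ability = (actor, action, obj)
        was_enforced = ability in self.actual
        self.actual.discard(ability)
        self.subjective.discard(ability)
        return was_enforced

    def hidden_authority(self) -> Set[Ability]:
        """Enforced but unknown to the user: a Visibility failure (and, unless
        the user forgot an explicit grant, an Explicit authorization failure)."""
        return self.actual - self.subjective

    def phantom_ability(self) -> Set[Ability]:
        """Believed by the user but not enforced: an Expected ability failure."""
        return self.subjective - self.actual

    def consistent(self) -> bool:
        return self.actual == self.subjective


def audit(state: ActorAbilityState) -> List[Tuple[str, Ability]]:
    """(principle, ability) pairs for every discrepancy between the two states."""
    findings = [("Visibility", ab) for ab in sorted(state.hidden_authority())]
    findings += [("Expected ability", ab) for ab in sorted(state.phantom_ability())]
    return findings


def scenario() -> ActorAbilityState:
    """Constructed example; actor and file names are made up."""
    st = ActorAbilityState()
    # The user picks report.txt in a file chooser and opens it in an editor:
    # the chooser gesture is understood to imply granting read/write on that file.
    st.grant("editor", "read", "report.txt", explicit=True)
    st.grant("editor", "write", "report.txt", explicit=True)
    # A plug-in loaded by the editor runs with write authority over the whole
    # home directory. No user gesture granted this, so the user's picture lacks it.
    st.grant("plugin", "write", "~/", explicit=False)
    # The interface shows a "share" control on the document although sharing is
    # disabled in this deployment; the user believes in an ability that is not there.
    st.subjective.add(("user", "share", "report.txt"))
    return st


if __name__ == "__main__":
    st = scenario()
    for principle, ability in audit(st):
        print(f"{principle:17} violated: {ability}")
    st.revoke("plugin", "write", "~/")
    st.subjective.discard(("user", "share", "report.txt"))  # UI stops showing the control
    print("consistent after fixes:", st.consistent())
```

Running the script lists one Visibility finding (the plug-in's home-directory authority) and one Expected ability finding (the inert share control); revoking the first and correcting the interface for the second brings the two states back into agreement.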
More information: http://zesty.ca/
Contact the author: pingster@cs.berkeley.edu