The instinct after every breach is to add another layer: more passwords, more two-factor steps, more identity verifications, more email confirmations. Each one feels prudent. In aggregate, they often produce the opposite of what they’re meant to: tired users who route around the controls, write passwords on sticky notes, click through warnings without reading, and approve any prompt their phone shows them. Security that doesn’t account for human behavior isn’t security. It’s a checklist.
Forced complexity rules created weaker passwords
For two decades, the standard advice was upper case, lower case, numbers, symbols, and forced changes every 90 days. NIST quietly walked most of this back in updated guidance because the research kept showing the rules produced predictable patterns (Password1!, Password2!, Password3!) that attackers crack easily, while making memorization hard enough that users wrote passwords down or reused them everywhere. Long passphrases, checked against known-breached lists, are now the recommended approach. The complex-password era is a case study in security advice that prioritized looking rigorous over actually being effective.
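The contrast between the two approaches is easy to put side by side in code. The block below is an added example, not part of the original post and not NIST's own reference code: it implements the legacy composition rule next to a passphrase-style check that only enforces a length floor and a breach-list lookup. The breach list is a small constructed sample, and the SHA-1 prefix/suffix index stands in for the k-anonymity style range lookup a real deployment would use against a full corpus.

```python
import hashlib
import re

# Constructed sample of breached passwords (illustrative only, not a real
# breach corpus). A real deployment would load a large list or query a
# k-anonymity range API instead of holding the list in memory like this.
SAMPLE_BREACHED = [
    "password", "Password1!", "Password2!", "Password3!",
    "qwerty123", "letmein", "correcthorsebatterystaple",
]


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Index breached hashes by their first five hex characters, mirroring the
# prefix/suffix split used by k-anonymity range lookups.
BREACH_INDEX: dict[str, set[str]] = {}
for _pw in SAMPLE_BREACHED:
    _h = sha1_hex(_pw)
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def is_breached(password: str) -> bool:
    """True if the password's hash suffix appears under its prefix bucket."""
    h = sha1_hex(password)
    return h[5:] in BREACH_INDEX.get(h[:5], set())


def passes_legacy_composition_rule(password: str) -> bool:
    """The old rule: at least 8 characters with upper, lower, digit and symbol.
    Note that it happily accepts 'Password1!'."""
    return (
        len(password) >= 8
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def passphrase_problems(password: str, min_length: int = 15) -> list[str]:
    """Passphrase-style check: a length floor plus a breach-list lookup, with
    no character-class requirements and no scheduled rotation. Returns the
    reasons for rejection; an empty list means the password is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_breached(password):
        problems.append("found in breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ["Password1!", "pelican staircase marmalade", "correcthorsebatterystaple"]:
        print(repr(candidate),
              "legacy:", passes_legacy_composition_rule(candidate),
              "passphrase:", passphrase_problems(candidate) or "ok")
```

The three sample inputs show the point of the section: the predictable `Password1!` satisfies every legacy rule yet is rejected by the breach check, the three-word phrase fails the legacy rule and passes the new one, and a long but widely published phrase is caught only because the breach lookup runs regardless of length.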
Notification fatigue defeats two-factor and consent screens
Every push notification that asks “Did you just sign in?” trains users to tap “Yes” reflexively. Attackers exploit this with MFA bombing: spam the user with prompts at 3 a.m. until they approve one to make it stop. Browser permission prompts have a similar pattern: users dismiss “this site wants to know your location” without reading because they see fifty of them a day. When every interaction is treated as security-critical, none of them are. Designers earn user attention by spending it sparingly on the genuinely important moments.
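Two defensive controls follow directly from the MFA bombing pattern: detect an approval that arrives after a burst of prompts, and stop sending prompts once a burst is under way. The block below is an added example, not code from the original post or from any particular identity provider. The log format and the event names (`push_sent`, `push_denied`, `push_approved`) are hypothetical, and the log lines are constructed to show one fatigue sequence for `alice` and one normal login for `bob`.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log in a hypothetical key=value format.
# alice receives five prompts in eight minutes and finally approves one;
# bob gets a single prompt and approves it within fifteen seconds.
LOG_LINES = """\
2024-05-02T03:12:01Z user=alice event=push_sent ip=203.0.113.7
2024-05-02T03:12:40Z user=alice event=push_denied ip=203.0.113.7
2024-05-02T03:13:30Z user=alice event=push_sent ip=203.0.113.7
2024-05-02T03:15:02Z user=alice event=push_sent ip=203.0.113.7
2024-05-02T03:17:44Z user=alice event=push_sent ip=203.0.113.7
2024-05-02T03:19:10Z user=alice event=push_sent ip=203.0.113.7
2024-05-02T03:20:05Z user=alice event=push_approved ip=203.0.113.7
2024-05-02T09:00:00Z user=bob event=push_sent ip=198.51.100.20
2024-05-02T09:00:15Z user=bob event=push_approved ip=198.51.100.20
""".strip().splitlines()


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_line(line: str) -> dict:
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = parse_ts(ts)
    return fields


def mfa_fatigue_alerts(lines, window_minutes: int = 10, prompt_threshold: int = 3) -> list[dict]:
    """Detection: flag any approval preceded by at least prompt_threshold
    push prompts to the same user inside the trailing window."""
    window = timedelta(minutes=window_minutes)
    events = sorted((parse_line(line) for line in lines), key=lambda e: e["ts"])
    prompts = defaultdict(list)  # user -> timestamps of prompts sent
    alerts = []
    for e in events:
        user = e["user"]
        if e["event"] == "push_sent":
            prompts[user].append(e["ts"])
        elif e["event"] == "push_approved":
            recent = [t for t in prompts[user] if e["ts"] - t <= window]
            if len(recent) >= prompt_threshold:
                alerts.append({
                    "user": user,
                    "prompts_in_window": len(recent),
                    "approved_at": e["ts"].isoformat(),
                    "ip": e.get("ip"),
                })
    return alerts


def should_send_push(prior_prompt_times, now: str, window_minutes: int = 10, max_prompts: int = 3) -> bool:
    """Prevention: refuse to send another push once max_prompts have gone out
    in the window. The login flow should then fall back to a method the
    attacker cannot spam, such as number matching or a hardware key.
    Timestamps are ISO-8601 strings as in the log above."""
    window = timedelta(minutes=window_minutes)
    current = parse_ts(now)
    recent = [t for t in prior_prompt_times if current - parse_ts(t) <= window]
    return len(recent) < max_prompts


if __name__ == "__main__":
    for alert in mfa_fatigue_alerts(LOG_LINES):
        print("possible MFA fatigue:", alert)
```

The detector is deliberately simple (a count inside a trailing window) so that it can run over raw auth logs without state from the identity provider; the throttle is the complementary control, since an attacker who cannot trigger a fourth prompt cannot wear the user down.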
Friction pushes people to riskier alternatives
A corporate VPN that times out every 30 minutes nudges employees to email work files to personal Gmail. A document portal that requires four logins drives users to share screenshots in plain text chat. A password manager mandate without good tooling produces a shared spreadsheet of credentials. Every one of these workarounds is more dangerous than the original “insecure” behavior. Security teams measuring policy compliance often miss that the real risk migrated rather than disappeared.
Good security design respects user attention
The systems that are both secure and usable (modern smartphone biometrics, hardware security keys, single sign-on done well) share a property: they handle the cryptographic complexity invisibly and demand user attention only at moments that genuinely need it. They assume the user will not read a 12-line warning, and design around that assumption rather than against it. The goal isn’t to maximize friction; it’s to put the friction in the right places.
Bottom line
The right amount of security is the amount that real users actually follow. Piling on prompts, rotations, and warnings beyond that point doesn’t just inconvenience people; it actively degrades the security posture by encouraging workarounds and dulling attention. If your users hate your security, attackers love it.