The security industry has spent decades publishing advice that is technically correct and almost universally ignored. The reason isn’t user laziness. It’s that secure behaviors impose a real, ongoing tax on daily life: extra clicks, extra time, extra friction. That tax compounds across hundreds of interactions a day. Convenience and security pull in opposite directions, and convenience wins by default unless the design forces otherwise.
Every security recommendation has a UX cost
Use a unique 16-character password for every account. Enable two-factor authentication everywhere. Don’t reuse credentials. Verify before clicking. Read terms of service. Encrypt your messages. Each of these is good advice, and each one extracts a small but real cost from the user every time it’s followed. Multiply across the dozens or hundreds of digital interactions in a typical day, and the cumulative friction is genuinely large. Security advice that ignores this math is advice nobody actually follows for long.
The path of least resistance always wins eventually
Behavioral economics has been clear on this for decades: users gravitate toward whatever is easiest, even when they understand the cost. Password reuse is rampant not because users don’t know better but because remembering 100 unique passwords without help is functionally impossible. Single-sign-on through Google or Apple gets adopted because it removes the friction. Saved card information gets used because re-typing the number every time is annoying. Each individual convenience makes sense; the aggregate effect is a system held together by trust assumptions that any motivated attacker can exploit.
Good security designs hide the friction
The most effective security systems aren’t the ones with the strongest theoretical guarantees; they’re the ones that remove the user’s incentive to bypass them. Password managers fix the unique-password problem because remembering one master password is feasible. Hardware-key two-factor authentication beats SMS-based 2FA partly because the friction is lower (tap a key versus type a code). Passkeys, when implemented well, beat passwords because they’re easier and stronger. The pattern is consistent: security wins when it stops being a separate tax.
What this means for individuals
The realistic individual playbook isn’t to follow every piece of security advice ever published. It’s to identify the small number of interventions that have low ongoing friction and outsized protective value, and adopt those completely. A password manager. Two-factor authentication on the small handful of accounts that matter most (email, financial, primary identity providers). A credit freeze. A bookmark for the URLs of services that get phished frequently. A habit of slowing down on requests that create urgency. That’s roughly the kit. Beyond that, returns diminish quickly.
The bottom line
Security advice that ignores the convenience tax is the advice everyone abandons by week three. Security advice that minimizes ongoing friction is the advice that actually persists in real lives. Designing for the second category, whether for yourself or for users you’re responsible for, is the only realistic path to actually better defaults.