Why Security and Usability are in Constant Conflict
Cybersecurity · Usability · UX


Thisak Gunasekara


Editorial Member at SLIIT Mozilla

November 30, 2025 · 6 min read

You’ve likely encountered it: in the final step of signing up or logging in, a grid of blurry photos is demanding your attention. “To prove you are human, select all the squares with traffic lights.”

What follows is rarely quick or easy. One picture is too blurry to tell. Another leaves you squinting: is that a pole or something else? A wrong choice reloads the puzzle, adding to the frustration.

This is security vs. usability in a nutshell. The intent is simple: keep bots and attackers out. But in practice the check often slows real users down on the way to whatever they came to the application to do, so the protection feels heavier than the benefit.

Security and usability have always been a balancing act. The more you strengthen one, the greater the risk of weakening the other.

  • Better security usually means more steps and more rules; in a word, more friction.
  • Better usability usually means convenience, speed, and simplicity, which often opens doors for attackers.

Think about your day-to-day interactions with technology. How often does security feel more like a hurdle than a safety mechanism? The frustration of typing a 15-character password with symbols, uppercase and lowercase letters, and numbers on a tiny keyboard? The annoyance of entering several verification codes just to pay for and confirm a single order? These are design choices where one side of the scale was favored over the other.

Why Security Often Wins

From the perspective of an organization, security gets the highest priority. A data breach, an account takeover, a Denial-of-Service (DoS) attack, or a fraudulent transaction can cost millions and destroy customer trust overnight. That far outweighs a couple of minutes of user frustration.

  • A bank would rather push you to enable Multi-Factor Authentication (MFA) than let an attacker empty your account.
  • A company would rather enforce strict password policies and run training sessions for employees than risk employees choosing easily guessed passwords.

For the organization, security failures can be catastrophic, whilst usability failures are “just” irritating and fixable. So when the two clash, the scales tip towards security.

But there’s a catch: if users find the system too difficult or frustrating, they find workarounds and cut corners to cope. Passwords end up in notebooks and on sticky notes, browser privacy features get disabled so the site loads faster, and passwords are reused across platforms so they’re easier to remember. Now the security that was meant to protect them has become weaker rather than stronger.

Why Usability Still Matters

Security is only effective if users actually follow it. A perfectly secure system that nobody wants to use is, well, effectively insecure.

The most common way to secure a system is still the password. Almost everyone knows the rules: it should be long, complex, and unique for each and every account. But in reality, people cut corners because creating and remembering dozens of passwords is hard work.
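As an added example (not code from the article), here are two password policies side by side: the classic composition-rule policy that rejects a long passphrase while accepting “P@ssw0rd1!”, and a length-plus-blocklist policy of the kind NIST SP 800-63B recommends (no composition rules, screen against known-breached values). The breached-password corpus, the usernames and all passwords are constructed for the example; the prefix-indexed lookup mimics the k-anonymity range API that Have I Been Pwned exposes, but runs entirely locally here.

```python
import hashlib

MIN_LENGTH = 12
MAX_LENGTH = 128

# Constructed stand-in for a breached-password corpus. A real deployment would
# query Have I Been Pwned's range API or a local copy of its list instead.
BREACHED = {"password", "123456", "qwerty", "letmein", "johnhome123", "P@ssw0rd1!"}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index the corpus by the first five hex characters of the SHA-1, the way the
# HIBP range API partitions it: only that prefix would ever leave the client.
_RANGE_INDEX: dict[str, set[str]] = {}
for _pw in BREACHED:
    _h = sha1_hex(_pw)
    _RANGE_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def is_breached(password: str) -> bool:
    """k-anonymity style lookup: fetch the suffixes for the prefix, match locally."""
    h = sha1_hex(password)
    return h[5:] in _RANGE_INDEX.get(h[:5], set())


def legacy_policy(password: str) -> list[str]:
    """Composition rules: 8+ chars, uppercase, lowercase, digit, symbol."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("needs an uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("needs a lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("needs a symbol")
    return problems


def modern_policy(password: str, username: str = "") -> list[str]:
    """Length, breach screening and context checks only; no composition rules."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if is_breached(password):
        problems.append("appears in a breached-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def compare(password: str, username: str = "") -> dict[str, list[str]]:
    """Empty list means the policy accepts the password."""
    return {"legacy": legacy_policy(password), "modern": modern_policy(password, username)}


if __name__ == "__main__":
    # Constructed candidates, including the router-style password from later in the article.
    for pw in ("P@ssw0rd1!", "correct horse battery staple", "johnhome123", "Xh72!qR8zL*9"):
        print(f"{pw!r}: {compare(pw, username='john')}")
```

The legacy policy waves through “P@ssw0rd1!” (it ticks every box and sits in the breach list) and rejects a 28-character passphrase three times over; the modern policy does the opposite. Note that the modern check needs a breach list that is kept current, otherwise it degrades to a length check.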

That’s why products like password managers, biometric authentication, and Single Sign-On (SSO) have come into play and are gaining popularity. They reduce friction while preserving, and sometimes improving, security.

If we put it another way, these products bring security and usability closer together instead of having to choose one over the other.

Instead of typing a verification code every time you log in with Multi-Factor Authentication (MFA), why not do the same verification with a fingerprint? It is much easier for the user, and the protection is at least as strong: a code can be typed into a convincing fake site, whereas a platform authenticator bound to the real site (a passkey, for instance) cannot be phished that way. The caveat is that the biometric only unlocks a key held on the device, so losing the device still needs a recovery path.

The more intuitive security becomes, the more naturally people embrace it.

Everyday Examples of the Struggle

  • Workplace Logins: Some companies lock computers after 60 seconds of inactivity. It stops whoever walks past an unattended desk from using the session, but it annoys employees who step away for a moment and return to a locked screen. So people disable auto-lock or share their login details to save time.
  • E-commerce Checkouts: Adding multiple authentication steps at checkout prevents fraud. But it also increases cart abandonment, as customers give up mid-purchase because the process feels too slow or complicated.
  • Wi-Fi Passwords: A guest at your house asks for the Wi-Fi. Your router-generated password looks like Xh72!qR8zL*9. Great for security, but terrible usability. So most people change it to something like johnhome123. Now easily usable, but much weaker.

In each case, we can see that the intentions are good, but the outcomes show just how hard it is to get the balance right.

Striking the Right Balance

So what can we do to solve this age-old issue?

  1. Designing security around people, not just systems. Security measures that are implemented should match how people actually behave, not how we wish users behaved. Security policies that are too strict tend to increase the chances of users breaking them.
  2. Clarity, not complexity. The best security mechanisms feel like they aren’t even there. They work efficiently without demanding much from the user.
  3. Allow for user choice wherever possible. Some individuals might prefer more security measures over others. Some might prefer speed and convenience over security. Whatever the case, allowing flexible settings helps both parties bridge the gap between security and usability.
  4. Educating without complicating. Users don’t need to know any details on how 2FA works, but they do need to know why it matters and how it helps in protecting them. Simple and direct explanations can go a long way.

Best Practices for Balancing Security & Usability

Since security and usability are in a constant tug-of-war, the goal is to make them work together. Listed below are some practical actions that can help in achieving that:

  • Adaptive Security. Instead of requiring extra verification for every action, trigger it only when a login or action looks unusual for that user: a new device, a new location, an odd hour. Day-to-day actions run smoothly, while out-of-the-ordinary behavior gets flagged.
  • Invisible Verification. Modern systems can check whether the person at the keyboard is the legitimate user by observing mouse movements, typing patterns, and device behavior. Security then operates without interrupting the user.
  • Reducing friction for real users. When an instance for verification is needed, make sure it is fast and intuitive. Password-less logins, one-tap approvals, and biometrics aid in these situations by maintaining strong protections while keeping the users moving. The user should feel that these security measures are helping hands and not hurdles.
  • Always keeping accessibility in mind. Not all users interact with technology the same way. For example, visual CAPTCHAs can be quite problematic for users with visual impairments, so providing alternatives such as audio CAPTCHAs or token-based methods is an excellent way to make security usable for everyone.
  • Continuous monitoring instead of single barriers. Security isn’t a one-time challenge at the login screen. Monitoring user behavior over time lets systems spot anomalies without forcing constant interruptions on the user.
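As an added example (not code from the article), the adaptive-security, invisible-verification and continuous-monitoring bullets above can be put into one risk-based step-up decision: score each login against what the system already knows about the user, ask for a second factor only when the score crosses a threshold, and extend the baseline with every login that passes. The signals, weights, threshold, and the login records are all constructed for this example, not taken from any real product.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

STEP_UP_THRESHOLD = 50  # assumed weight; tune against real false-positive rates


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: datetime
    country: str
    device_id: str
    ms_per_key: float  # behavioural signal: mean interval between keystrokes


def risk_score(event: LoginEvent, history: list[LoginEvent]) -> tuple[int, list[str]]:
    """Score one login against the user's established pattern."""
    if not history:
        # Nothing to compare against yet: treat the very first login as risky.
        return STEP_UP_THRESHOLD, ["no baseline yet"]
    score, reasons = 0, []
    if event.device_id not in {h.device_id for h in history}:
        score += 40
        reasons.append("new device")
    if event.country not in {h.country for h in history}:
        score += 30
        reasons.append("new country")
    last = max(history, key=lambda h: h.ts)
    if last.country != event.country and event.ts - last.ts < timedelta(hours=1):
        score += 50
        reasons.append("impossible travel")
    if event.ts.hour < 6:
        score += 10  # low weight on its own: odd hours alone should not interrupt
        reasons.append("off-hours")
    baseline = sum(h.ms_per_key for h in history) / len(history)
    if abs(event.ms_per_key - baseline) > 0.5 * baseline:
        score += 25
        reasons.append("typing cadence differs from baseline")
    return score, reasons


def decide(event: LoginEvent, history: list[LoginEvent]) -> tuple[str, int, list[str]]:
    score, reasons = risk_score(event, history)
    action = "step_up" if score >= STEP_UP_THRESHOLD else "allow"
    return action, score, reasons


def process_logins(events, history=None) -> list[tuple[str, str, int, list[str]]]:
    """Continuous monitoring: each login that gets through extends the baseline."""
    history = list(history or [])
    decisions = []
    for ev in sorted(events, key=lambda e: e.ts):
        action, score, reasons = decide(ev, history)
        decisions.append((ev.ts.isoformat(timespec="minutes"), action, score, reasons))
        # Assumed for the example: the step-up succeeds. A real system appends
        # only after the second factor is verified.
        history.append(ev)
    return decisions


# Constructed history: three afternoon logins from the same laptop in Sri Lanka.
HISTORY = [
    LoginEvent("alice", datetime(2025, 11, 20 + d, 14, 0), "LK", "laptop-1", 110.0)
    for d in range(3)
]
EVENT_SAME = LoginEvent("alice", datetime(2025, 11, 23, 15, 0), "LK", "laptop-1", 105.0)
EVENT_OFF_HOURS = LoginEvent("alice", datetime(2025, 11, 24, 3, 0), "LK", "laptop-1", 112.0)
EVENT_NEW_DEVICE = LoginEvent("alice", datetime(2025, 11, 24, 9, 0), "DE", "phone-9", 180.0)
EVENT_TRAVEL = LoginEvent("alice", datetime(2025, 11, 22, 14, 30), "DE", "laptop-1", 110.0)

if __name__ == "__main__":
    for ts, action, score, reasons in process_logins(
        [EVENT_SAME, EVENT_OFF_HOURS, EVENT_NEW_DEVICE], HISTORY
    ):
        print(ts, action, score, reasons)
```

The familiar laptop at 3 a.m. scores 10 and is let through, which is the point: one weak signal should not cost the user a prompt. A new phone in a new country with a different typing rhythm, or the same laptop appearing in another country half an hour after the last login, crosses the threshold and gets the step-up.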

Why This Battle Will Never End

The tension between security and usability will not go away anytime soon, and with technology constantly evolving, it’s only getting more intense. AI-powered attacks push companies and organizations to enforce stronger defenses while users demand ever-smoother experiences.

The goal is smarter, creative design where security is integrated into systems so well that users barely notice it. Until then, CAPTCHA gauntlets, complex passwords, and far too many login prompts remain the default.

Security and usability are not opposites. They shape technology together and because of that neither can succeed without the other.

So, the next time a login prompt or a CAPTCHA gauntlet pops up on your screen, remember that it is not necessarily bad design, but the front line of a much bigger battle.

Security vs. usability is not just a technological issue, but also a human one.

Resources to Explore

  • What is a DDoS Attack?
  • CISA: DDoS Attack Response Guide
  • Red Hat: Security Design Principles and Threat Modelling
  • 7 Principles of Secure Design in Software Development
  • Why is UX security Important?
  • Balancing User Experience and Security