University of Nottingham research calls for simpler device security for users
New research suggests that technology companies should work together to make device security easier for users to understand and manage. While more user-friendly approaches such as biometrics and passkeys are now more common, many systems still require users to navigate complex and inconsistent security rules.
The study, published in the journal Computers & Security, was written by researchers from the University of Nottingham and the University of Plymouth. The authors have spent more than two decades examining password practices and authentication behaviour.
The researchers found that although progress has been made, many technology companies continue to rely on systems that place responsibility on users to understand different forms of authentication. They also argue that users are often given limited choice over which security methods best suit their personal needs.
As people own more devices that store sensitive personal information, the researchers note that the demand for secure and usable authentication methods has increased. However, users are frequently required to interact with multiple authentication methods, including passwords, PINs, tokens and biometrics, across a range of devices and services each day.
Professor Steven Furnell, Professor of Cyber Security at the University of Nottingham, said:
“The easier we make it for security to be used, without adding unnecessary friction, the greater the chances of it feeling acceptable and tolerable for users. If we authenticate over 100 times a day, then we don’t want this to seem like over 100 interruptions and delays. We want protection to be the natural default position, and offering users flexible and usable solutions is a clear step towards achieving this.”
According to the researchers, this fragmented approach to authentication increases mental effort for users and can create barriers for people with physical, cognitive or situational limitations. They argue that usability and security are too often treated as opposing aims rather than complementary ones.
Professor Nathan Clarke, Professor in Cyber Security and Digital Forensics at the University of Plymouth, said:
“Technology is now fundamental to every aspect of our daily lives. Each of us may need to authenticate something at least 100 times a day, whether that’s accessing our mobile phones, our computer devices or apps and software within them. What we now need is to reach a point where security measures become more technically complex, so our information is secure – but, from a user perspective, those measures need to be easier to understand and use. And we as users need to be given choices about what we want to do, rather than it being forced upon us.”
The authors also refer to earlier work in which they raised concerns about a lack of clear guidance from major technology companies on protecting personal data. They note that straightforward advice on password use can improve account security.
In their latest article, the researchers reviewed changes in authentication practices, identified ongoing challenges and examined whether current proposals address the balance between security and usability. They conclude that designers and service providers should better consider who their users are, what tasks they are performing and the level of assurance needed in different situations.
The study calls on technology providers to move away from uniform models and instead adopt more inclusive and consistent approaches. The researchers warn that without change, there is a risk of continuing to deploy systems that appear secure in theory but weaken trust and reliability in practice.
