Secure or usable? Can it be both?
- security
- over-protection
- frustrating ux
- hacker
- false-sense of security
One evening, I logged in to my telco provider's website to pay my monthly bill. It was one of those routine tasks you can’t put off for long, a necessary part of modern life. I clicked through the standard login prompts, entered my password, and a one-time code was sent to my email. Fair enough, I thought. I punched in the code, and just as I was about to complete the payment process… I got logged out. Not just logged out but forced to restart the entire procedure. The system had invalidated the one-time code after two minutes.
I couldn’t help but question the logic behind this security measure. Was this really the best way to protect my ability to pay a phone bill? What possible hacker, if they gained access to my email, would bother to log in and pay my bill for me? It seemed absurd. And then I realized: this is a perfect example of security measures that feel secure but are wildly disproportionate to the risk they are meant to address.
Understanding the Risk
When we think of security, especially in the context of online services, we often associate more layers of protection with more security. But does adding friction for the user always result in meaningful protection? In this case, the extra layer—a one-time code sent to my email—felt more like a nuisance than a safeguard.
Let’s think about it. If someone has hacked into my email, they can simply request another code and log in again. In that scenario, invalidating the code after two minutes doesn’t change anything. The damage would already be done. Conversely, if my email account is safe, then the code could sit in my inbox for days without putting my account at any risk. What exactly are we protecting here? My ability to pay my bill? Hardly the prize most hackers are after.
The key problem is that these measures often provide the appearance of security while doing little to address actual threats. What they really do is create an illusion of protection—an illusion that skilled hackers can easily see through. Meanwhile, regular users are left to jump through hoops that do little more than slow them down.
When Security Becomes Inconvenience
This example illustrates a common problem with digital security measures: they can easily become overbearing, leaving users frustrated without necessarily providing proportional protection. For sensitive accounts like online banking or confidential personal data, multifactor authentication makes perfect sense and is even necessary. It protects assets that, if compromised, would have serious consequences. But paying a phone bill? It hardly seems like the kind of activity that warrants all that effort. A hacker isn't likely to go to the trouble of breaking into my email just to help me clear my balance. And yet, I find myself locked out by a hyperactive security measure that seems to exist simply to give the illusion of security.
False Sense of Security
This is where the issue lies: the balance between real security and a false sense of it. When companies impose cumbersome processes like overly short-lived one-time codes or unnecessary logouts, they’re often creating what feels like security rather than addressing actual risks. Hackers are smart. They exploit real vulnerabilities, logical flaws, and gaps in our systems, not over-the-top protective measures designed to frustrate ordinary users.
Proportional Security: Getting It Right
The goal of security should always be about risk management: the protection measures you put in place must be proportional to the risks they’re meant to mitigate. Requiring multifactor authentication for accessing sensitive financial data makes perfect sense, given the potential damage that could be done if someone gained unauthorized access. However, implementing equally strict security for trivial tasks like checking a bill or making a small payment feels excessive. It’s important to strike a balance between providing security and ensuring a smooth user experience. When security measures become an obstacle rather than a safeguard, we’ve crossed into overkill territory.
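To make the proportionality argument concrete, here is an added example (my own sketch, not code from the telco or from this post) of a self-service portal's authorization policy. It separates three lifetimes that the bill-payment site apparently conflated: the one-time code's validity, the login session, and the window during which a passed step-up covers high-risk actions. Low-risk actions such as paying a bill need only the password session; actions an attacker would actually profit from (changing bank details or the contact email, porting the number) require a fresh one-time code. The action tiers, the TTL values, and the `FakeClock` are assumptions constructed for the demo; codes are single-use and checked with a constant-time comparison, and a stale code is rejected without ending the session.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Risk tiers for portal actions (assumed for this example; a real policy
# would come from a risk assessment of what each action lets an attacker do).
LOW, HIGH = "low", "high"
ACTION_RISK = {
    "view_balance": LOW,
    "pay_bill": LOW,              # money flows to the provider; nothing for an attacker to gain
    "change_bank_details": HIGH,  # redirects refunds / direct debits
    "change_email": HIGH,         # takes over the recovery channel
    "port_number": HIGH,          # SIM-swap style account takeover
}

OTP_TTL = 300       # seconds a one-time code stays valid (assumed value)
SESSION_TTL = 1800  # seconds a password login stays valid, independent of any OTP
STEP_UP_TTL = 600   # seconds a passed step-up keeps covering HIGH actions


@dataclass
class Session:
    user: str
    created: float
    stepped_up_at: Optional[float] = None


class AuthService:
    """Password session + risk-tiered step-up with single-use, time-limited codes."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._otps = {}      # user -> (code, issued_at)
        self._sessions = {}  # token -> Session

    def login(self, user: str, password_ok: bool) -> Optional[str]:
        if not password_ok:
            return None
        token = secrets.token_urlsafe(16)
        self._sessions[token] = Session(user, self.clock())
        return token

    def issue_otp(self, user: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._otps[user] = (code, self.clock())
        return code  # demo only: a real service delivers this out of band and never returns it

    def verify_otp(self, token: str, code: str) -> bool:
        s = self._session(token)
        if s is None or s.user not in self._otps:
            return False
        stored, issued = self._otps[s.user]
        if self.clock() - issued > OTP_TTL:
            self._otps.pop(s.user, None)  # stale code is dropped; the session is untouched
            return False
        if not hmac.compare_digest(stored, code):
            return False
        self._otps.pop(s.user, None)      # single use: a replayed code fails
        s.stepped_up_at = self.clock()
        return True

    def authorize(self, token: str, action: str) -> str:
        s = self._session(token)
        if s is None:
            return "login_required"
        if ACTION_RISK[action] == LOW:
            return "allowed"
        if s.stepped_up_at is not None and self.clock() - s.stepped_up_at <= STEP_UP_TTL:
            return "allowed"
        return "step_up_required"

    def _session(self, token: str) -> Optional[Session]:
        s = self._sessions.get(token)
        if s is not None and self.clock() - s.created > SESSION_TTL:
            self._sessions.pop(token, None)
            return None
        return s


class FakeClock:
    """Controllable clock so the demo can jump past each TTL deterministically."""
    def __init__(self, start: float = 1000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    clock = FakeClock()
    auth = AuthService(clock)
    tok = auth.login("alice", password_ok=True)
    out = {}
    out["pay_bill_no_otp"] = auth.authorize(tok, "pay_bill")
    out["bank_details_first"] = auth.authorize(tok, "change_bank_details")
    code = auth.issue_otp("alice")
    clock.now += OTP_TTL + 1                       # user was slow: code has expired
    out["stale_code"] = auth.verify_otp(tok, code)
    out["session_survives_stale_code"] = auth.authorize(tok, "pay_bill")
    code = auth.issue_otp("alice")                 # just request a new code, no re-login
    out["fresh_code"] = auth.verify_otp(tok, code)
    out["replay"] = auth.verify_otp(tok, code)
    out["bank_details_after_step_up"] = auth.authorize(tok, "change_bank_details")
    clock.now += STEP_UP_TTL + 1                   # step-up window closes, session does not
    out["step_up_expired"] = auth.authorize(tok, "change_bank_details")
    out["still_logged_in"] = auth.authorize(tok, "pay_bill")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the three separate TTLs is that an expired code only costs the user a new code, never the whole login, and a code is demanded only where a compromised session could actually do damage. Tightening `OTP_TTL` then hardens the high-risk actions without touching the bill-payment flow at all.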
The Takeaway: Thoughtful Security Design
Security needs to be thoughtful. When it’s not, it doesn’t protect—it merely frustrates. Companies should focus on eliminating true vulnerabilities rather than throwing more gates in front of users to make it seem like they're safe. Hackers are experts at identifying logical flaws, and security that isn’t well-thought-out just gives them more opportunities to find a way in.
In the end, we don’t need security for the sake of security. We need security that’s proportional to the risks it addresses, or we risk alienating users while still leaving the door open for those who know how to pick the lock.