
The value of instant feedback

I am a huge believer in the value of instant feedback within security. It's important to pick the point at which you give feedback, because you don't want to risk spamming users. It's been shown several times that if you show users warnings that are regularly false alarms, people will tune out and ignore the warnings.

But given at the right time, and not too often, instant feedback to users on what they are doing can provide great security controls.

Two examples of this are user logins and important transactions.

If you have ever used Duo Push or Google's "Google Sign-In for Android", whenever you try to log in you will get a message on your phone asking, "Is it you trying to sign in?" This is more than just two-factor authentication. You can get a second factor from any TOTP app like Google Authenticator, but this also lets you know when someone has tried to log into your account.

At work, all administrators had two separate Active Directory logins: one administrative account and one regular account. Most of the work could be done with just the regular account, but if you ever logged in to a server with a domain admin account you would receive an email instantly. It didn't provide a second factor, but it gave feedback, so if an account was compromised we would know about it.
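The admin-logon email above, and the earlier point about not spamming people, can be combined in a small piece of detection logic. The following is an added example, not code from the original post: it parses constructed logon records in a made-up `timestamp|account|host|logon_type` format (the account list, the field layout and the 30-minute window are all assumptions), sends one message per privileged account and host, and rolls repeated logons inside the window into a single summary so the recipient is told once rather than once per logon.

```python
"""Instant feedback for privileged logons, throttled to avoid alert fatigue.

Added example, not code from the original post. The record format, the
privileged-account list, the logon-type numbering and the 30-minute window
are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical domain-admin accounts, lower-cased so comparisons are case-insensitive.
PRIVILEGED_ACCOUNTS = {"corp\\jsmith-adm", "corp\\ops-adm"}


@dataclass
class LogonEvent:
    when: datetime
    account: str
    host: str
    logon_type: int  # numeric logon type copied from the record; meaning is assumed


def parse_event(line: str) -> Optional[LogonEvent]:
    """Parse one constructed 'ts|account|host|logon_type' record.

    Malformed lines return None so one bad record never stops the feed.
    """
    parts = line.strip().split("|")
    if len(parts) != 4:
        return None
    ts, account, host, logon_type = parts
    try:
        return LogonEvent(datetime.fromisoformat(ts), account.lower(), host, int(logon_type))
    except ValueError:
        return None


@dataclass
class Notifier:
    """Decide which privileged logons deserve an immediate message.

    One message per (account, host) per `window`; repeats inside the window
    are counted and reported in the next message instead of sent individually.
    """
    window: timedelta = timedelta(minutes=30)
    last_sent: Dict[Tuple[str, str], datetime] = field(default_factory=dict)
    suppressed: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def handle(self, ev: LogonEvent) -> Optional[str]:
        if ev.account not in PRIVILEGED_ACCOUNTS:
            return None  # regular accounts never trigger feedback
        key = (ev.account, ev.host)
        prev = self.last_sent.get(key)
        if prev is not None and ev.when - prev < self.window:
            self.suppressed[key] = self.suppressed.get(key, 0) + 1
            return None  # inside the window: count it, don't spam
        extra = self.suppressed.pop(key, 0)
        self.last_sent[key] = ev.when
        msg = (f"Admin logon: {ev.account} on {ev.host} "
               f"at {ev.when.isoformat()} (logon type {ev.logon_type})")
        if extra:
            msg += f"; {extra} further logon(s) suppressed in the previous window"
        return msg


def process(lines: List[str], notifier: Optional[Notifier] = None) -> List[str]:
    """Run a batch of records through the notifier and return the messages to send."""
    notifier = notifier or Notifier()
    out: List[str] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        msg = notifier.handle(ev)
        if msg:
            out.append(msg)
    return out


# Constructed sample feed: a regular-user logon, an admin logon, a repeat within
# the window, the same admin on a second host, a garbage line, and a later logon
# after the window has expired.
SAMPLE_LOG = [
    "2024-05-01T09:00:00|CORP\\jsmith|WS-101|2",
    "2024-05-01T09:05:00|CORP\\jsmith-adm|SRV-DC01|10",
    "2024-05-01T09:07:00|CORP\\jsmith-adm|SRV-DC01|10",
    "2024-05-01T09:08:00|CORP\\jsmith-adm|SRV-FS02|10",
    "this line is not a logon record",
    "2024-05-01T09:40:00|CORP\\jsmith-adm|SRV-DC01|10",
]

if __name__ == "__main__":
    for alert in process(SAMPLE_LOG):
        print(alert)  # in practice this is where the email or push goes
```

Running the sample produces three messages: the first DC01 logon, the FS02 logon, and the 09:40 DC01 logon carrying a note that one earlier logon was suppressed. The window is per account and host rather than global, so a compromised admin account fanning out to new servers still produces a message for each new host.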

Another great example is that I have a Citibank credit card, and with the Citibank app I can get push notifications every time there is a transaction. I think it's a great feature. Sure, someone could still use my card fraudulently once, but I'd get a notification and contact the bank straight away rather than waiting until I check my statement.

Like I said at the top of the post, it's important not to spam people, but done right, push notifications are a great security tool.

Content on this site is licensed under a Creative Commons Attribution 4.0 International License.