
This is missing an extremely important upfront concept: you need to know what you're protecting and how valuable it is.

It does no good whatsoever to require every user of a grocery-list app to have a Yubikey to verify their identity. It might not even make sense to have users login at all.

The balance between usability and security must be consonant with the costs of implementation.



I believe that was covered, but it was under the context of security policy vs a more direct description. The key point I'd pull out is: "The goal isn't to eliminate risk entirely, but bring it down to an acceptable level."

There could be (and probably are) entire books written about how to define what "an acceptable level" means... but that is the same point you are getting at - security is not a guaranteed lockdown of your assets, it is self-defined sufficient deterrence to attack. Sometimes that means light security, sometimes that means heavy... but it is up to you to make those decisions.


> how to define what "an acceptable level" means

Build yourself a threat model. It's only you that can decide this.


That should come out in threat modelling, which is covered. When you're looking at who the adversaries for a specific system are, you'll necessarily cover what your data is and how valuable it is.

What may not be covered, and something which often causes problems with a lot of systems, is that your threat model may not be the same as that of your customers and, depending on what you're selling, you may not be able to know your customers' threat model in advance.

To provide a couple of examples: if you provide server hosting, and a crypto exchange starts using your service, suddenly you may attract a load of attention from high-end attackers looking to compromise your systems as a means to get at other people's.

Or if you provide something like a consumer photo sharing/storage system, if "celebrities" start using it, suddenly you can find that people with a lot of time and interest start targeting you.

The tricky part is, commercially, do you have the resources to secure to the level required by the most sensitive customer...


Unfortunately, if you force users to pick between usability and security, they'll ignore security every time.

Or as I often say "no one ever says, 'wow, that was a great login experience', they just want to get to the features behind that experience (hopefully securely behind it)".


This isn't right. Think about putting locks on doors. Everyone is going to put a lock on their external doors and not on the interior doors in their residences (except for the special sort of "lock" on bathroom doors) but maybe on some internal doors in their businesses.

People can make the right choice about security when they know what they are securing. Instead, online we are inundated with so much unnecessary security we start to have a prior biased towards: this isn't important. Back to the physical door analogy, when there are locks on every door even doors that really don't need them, people start propping open doors.


And maybe that's OK in many cases?

Sure, banks must enforce good security, but a lot of other things should not care.

Like online stores for example. As long as I am paying with PayPal, the only info my account has is email, address and recent orders. One can google my address in about 20 minutes anyway, and this means I really don't care about account security. If there was an option to login without a password using email alone, I'd probably pick it.


> online stores [...] my account

Why would you need an account at all, that just raises the risk (of a data breach) for the buyer? I always prefer not having to have yet another account to buy something.


Yes, if there is a "no account" option, then this is even better.

But sadly a lot of places I saw do not offer this -- you are forced to make an account to purchase. I am not sure why. Maybe they think they can improve engagement/recognition by forcing users to make an account? Or maybe they are too lazy to implement no-account workflows? Or a misguided thought that sending detailed receipts by email is bad?

(The goals of store accounts are: (1) provide a list of active orders; (2) for an individual order, show the user the order status; (3) once the order is complete, show order details with easy re-order links. This can definitely all be done with email, but this seems to be unpopular with some users. So many stores have to implement a web-only flow, which needs an account for authentication. And at this point, many of them just stop.)


See the thread from earlier today about login.gov



Yup



