Once upon a time, there was a computer virus. And people said, “Oh, no!” Instead of rewriting the operating system to be inherently secure against viruses, some smart people wrote a different program to deal with the problem. That meant people now had to buy two things: one thing to get the job done, and another thing to protect the machine performing the job.
And a billion-dollar industry was born.
Fast forward to the present day, and this old cyberhouse has so many layers of wallpaper and paint that no one is really sure what the original walls looked like. The rooms are smaller and the square footage isn’t quite what it said in the real estate ad.
Technology promised to make things better, but we are getting far less than what we were promised. Add security into the mix, and things have gone terribly wrong in the usability department.
Let’s say that I need to make a quick payment—to the person who brought me some tasty banana bread that I had ordered. In the olden days, I got my checkbook out of my drawer, wrote a check, and handed it to my friend. Now, thanks to what conventional wisdom says about security, paying my friend looks very different.
Let's take a look:
- I get out my personal laptop. Not the corporate laptop, because I shouldn’t mix personal and work things. Besides, my personal laptop is the Known Device on my banking sites.
- I log in to my laptop. Thank goodness I remember that complex password. I have three laptops, all with different passwords, and I don't want to get them mixed up.
- I need to log in to PayPal, but I need to first open my password manager because I don’t remember PayPal's complex password.
- Oops! The password manager session has timed out (because security), so I have to log in to the password manager. I don't use the Remember Me checkbox, because conventional wisdom says that’s not a secure thing to do. Luckily I remember my password manager password, which is also one of the longest and most complex ones that I have.
- Not so fast. I have two-factor authentication set on my password manager (of course!), so I need my phone.
- Oh yes, I have to unlock my phone.
- I fire up the authentication program and painfully copy a string of numbers from my phone screen into the password manager’s two-factor authentication field. Did I mention that my working memory is pretty bad? It takes a couple of passes for me to copy those numbers.
- Great, I’m now logged into my password manager. Except changing my master password on a regular basis is Good Security Practice, and my password manager wants to know if I want to change it now. Oh hell no. My current password is good enough for now, and my friend is standing here, still waiting to get paid. After I select
NO, I am finally logged in to the password manager.
- What was I doing again? Oh yes, PayPal. The password manager has auto-filled PayPal's login screen with my username and password. I click submit to log in.
- I also have two-factor authentication set up for PayPal (because OF COURSE SECURITY). I dig my hard token out of another secret location in my desk and painfully copy those numbers over to the correct field. Once again, I submit.
- I am finally logged in to my PayPal account, and I can now transfer money to my friend for that banana bread
In the time that it took me to get to the payment page online, the price of banana bread has gone up, and my friend has grown three inches of the finest hipster beard you’ve ever seen.
A usability problem
Am I saying that security is bad? Of course not. And I’m certainly not saying that two-factor authentication is bad (duh!). Are there security products that could have simplified some of the above steps? Sure. But I think you’ll agree that what used to be as easy as turning on a light switch has gotten way, way, out of hand. Everything was supposed to be faster and easier on the Information Superhighway, but we are currently moseying along on the slower access roads with a lot of traffic lights. This is the usability problem that has me and a few million of my closest acquaintances super cranky.
Security is important, but it shouldn’t be this hard. It shouldn’t require a user to have to learn multiple user interfaces and acquire several apps and accessories just to perform one simple task.
Talk about security in practically any context, and authentication will be part of the conversation. Scolding users and organizations for less than stellar "best practices" in access management assumes that users are ignorant (or negligent). In reality, it's the security side of the relationship ignoring how painful it can be. Telling users to turn every security feature on without tackling the friction users have to experience makes security adoption even less likely. We need to look at security as a flow, as a process, and not as a set of unrelated instances or events.
We need to radically redesign authentication overall because we're just putting on layers of spackle over the problem and security is becoming less usable as time goes by.
This is the challenge that we’re facing: to consolidate security functions such as authentication so that they’re secure enough, while making them translucent enough that people can reassure themselves that the security is there, without it getting in the way of their activities. They should be able to know instinctively how to use the security function, and it should be the same everywhere they go. It should help them do the right thing naturally, rather than confusing and annoying them. And it should be difficult to buy anything without this security already baked in.
Because nothing should stand in the way of tasty banana bread.
Wendy Nather is the director of the Advisory CISO team at Duo Security.
Header image: Photo by Estée Janssens on Unsplash