I spent the last week-and-a-half with my father, a very bright man who doesn’t really get technology and doesn’t necessarily want to get technology. Case in point: Over the holidays my father proudly presented – to everyone in the room – his handwritten list of usernames and passwords which he “secures” under the lid of his laptop.
This got me thinking about security. I don’t blame my dad for completely misunderstanding computer and web site security: It’s all very complicated. He’s never been trained in security matters, which is largely my fault since I’m the person most knowledgeable in my family of such considerations. In fact, my entire family simply doesn’t care about computer security. All they want to do is pay bills or stay in contact with friends: They’re not actively participating in the culture of technology. To stop their workflow to consider security matters is simply asking too much.
People like my father simply don’t understand enough to care. And here’s the rub: It’s my fault he even needs to care or understand. It’s my fault because – as a technology enthusiast and software developer – I have not made security the simple default! I could train my father, but that’s only a small part of a much bigger problem.
Security adds complication because it’s not simple. Usernames add complication. Passwords add complication. Remembering multiple usernames and passwords for multiple computers or web sites is almost impossible for a lot of people. Security breaks the common pattern of use.
My laptop and desktop are encrypted. I use two-factor authentication schemes wherever I can, and my passwords are easy to remember but difficult to crack. I employ a password manager for some things, but not all. I like to believe that my online identity and the data I really care about are all very well protected.
However, I’ve also spent the better part of my life working with computers. I innately understand how the hardware and software work, and I understand and deeply care about security. Encrypting my drives is just something I do as a natural part of configuring a new computer. Security is a habit. How do I even begin to explain, then, the purpose behind such a concept – let alone the actual steps required to perform such a process – to someone who simply isn’t interested, or finds the whole process too complicated to undertake?
In many ways, I shouldn’t need to. Security should be the simple default.
As an example, I recently purchased a Google Nexus 10. When I opened the box and turned it on, Android immediately asked me for credentials. This is good. Sort of. By default, however, it didn’t encrypt the device. This is bad. Why didn’t it? It could have. It should have. And it could have performed such encryption on the live file system without interrupting user workflow. I know of a couple of encryption applications that do just that. Instead, Android blocked access to the device for the few hours it required to encrypt. No novice computer user is going to wait for – or understand the purpose behind – such a lockout. It interrupts their workflow and it makes data security an unnecessary complication by default.
It should be the other way around!
Yes, I understand that novice users can (and do) forget their passwords, which would render an encrypted device useless, but I see forgetfulness as a separate issue.
I said it was “sort of” good that Android asked for my credentials. Sort of. It was great that it asked for credentials, but the experience was terrible. I signed up for Google’s two-factor authentication scheme. Android doesn’t natively support Google’s two-factor authentication scheme. Oops. Once I entered my username and password, Android broke the workflow and opened up a web browser to request my authentication token. It’s all neat and great that it worked, but what a pain in the ass! Even for me: And that’s the way I intentionally configured my account and I expected it! How’s a novice user going to understand such nonsense?
It wasn’t simple and it wasn’t the default.
Indeed, it’s our fault – the developers’ fault – that the state of security is such a disaster: We don’t make it easy because it’s an incredibly complex problem to solve. Security isn’t the default for anything but it should be the default for everything. Because it’s not the default, it breaks the common pattern of use when we have to stop and think about it!
It supposedly took Facebook two years to roll out the infrastructure required to support HTTPS for its 1 billion users. Two years without HTTPS! Prior to that, you had to opt in for SSL. That’s not simple and it’s not the default! Yes, I appreciate the architectural concerns faced by Facebook. However, my family shouldn’t have to think about this kind of crap and neither should yours. Oh, and let’s not discuss security authentication abuse by such companies, either. This type of behavior is just spitting in the face of user data protection.
It’s not all doom and gloom, though. It’s getting better. We have better ways to authenticate that nobody outside of technology circles really appreciates. This will slowly change. Even so, for the technically literate, two-factor authentication is troublesome to use. It needs to get better. It needs to be streamlined. It needs to be the default, not some opt-in feature.
We can certainly do better from a developer perspective. We need to consider how we can make security considerations as simple and elegant as possible. Encryption and authentication should not be secondary considerations. We must make it simple. We must make security the default option, not an opt-in.
We can find opportunities to educate those who don’t care or understand. We should help them care. We should help them understand. I had the perfect opportunity to educate my father about sites like LastPass and I let it slip through my fingers. He may never use such a service, and he’ll probably never hear the terms “two-factor authentication” outside of me, but as someone passionate about technology, it’s my responsibility to ensure he’s been appropriately educated.
As an industry, too, we need to make it simple. We need to make it the default option on all services we provide.