Tuesday, May 20, 2008

Security vs. Usability, SUNDAY SUNDAY SUNDAY

Forewarned: I talk about the issue of non-usable web security, but this is one of those cases where I don't really have an opinion about how things could change for the better. But I do think it's something to think about.

Web security is a Big Deal. One of the biggest, in fact. No major website today can get away without paying very special consideration to security. Unfortunately, security and usability are pretty much the oil and vinegar of the web application world. After all, from a usability standpoint, we want to get out of the user's way and present the information as quickly and cleanly as possible. On the other hand, security-wise, we want to take every precaution and ensure that the person viewing the information is, in fact, the person they claim to be. And, because most users will agree that it's more important to keep their information secure than it is for them to have easy access to that data, security usually takes precedence.

Unfortunately, a lot of modern security methods don't just get in the way of usability, they outright prevent it. Consider the modern-day gatekeeper to all data financial - the security question. Most online banking, financial planning, and portfolio management sites use security questions to verify who you are. Some of these sites ask these questions randomly during your visit, others only use them to verify identity when changing passwords. And, for the most part, they're pretty secure. After all, who but me is going to remember that my first pet was a collie named *REDACTED*, or that I grew up in *REDACTED*?

Of course, my life is a fairly simple one, and I remember the answers to these "simple" questions. Except that my first pet was actually a cat named "Mama Cat", and I actually grew up in a tiny town named Francisco, which is just outside the town I tell everyone I grew up in. Depending on the day, I answer these questions differently. So it's less a game of "This is Your Life" and more "What's My Line?".

In Lore Sjöberg's "Test Your Brain with Trivial Security Questions", this very phenomenon is addressed, with the winner of Lore's fictional game show being the person who circumvented the security altogether. In short, this person made the page more usable by sacrificing some of that well-thought-out security. And this happens a lot. Passwords get written down on sticky notes and "hidden" under keyboards or behind monitors. (Or, worse, in one case I've seen, sticky noted to the front of a monitor. For everyone to see. In a public area. At a hospital.) Maybe all the answers to your security questions get jotted down in a text file six directories deep and named "Completely Uninteresting Innocuous File.txt".

This is not to say that security is bad. It's not, not at all. But I think that usability is actually more important than most users let on. So if anyone out there is working on a usable security method, the world may soon be beating a path to your door. Just so you know.

P.S. My personal favorite security circumvention: my bank uses biometric typing data to identify whether or not it is actually me typing in my password. How I type varies dramatically from day to day (I don't touch type. At all.), so this method always fails. My new way to check my balances is to skip the password box altogether, hit the "Forgot my password" link, answer the security questions and just change my password every time. Bonus side effect though: I now know the answers to those security questions without even thinking. So that's nice.