
Security Problems

Posted by Tim Bray | Tue, 28 Oct 2014 | originally posted on ongoing

The Internet is a dangerous place. We have tools to make it safer, but they go unloved and unused; by ordinary people I mean, the ones who aren't geeks. How can we fix that? Let's look through some recent evidence; the conclusion is pretty obvious.

Two-factor

More generally, multi-factor: sign in with more than one piece of evidence, ideally of different kinds (something you know, something you have, something you are). You may have noticed that pretty well any bank in the world will give you cash money when presented with a piece of plastic (something you have) and a 4-digit number (something you know). OK, these days the plastic has an embedded chip, but still.

Two-factor is great! Put yourself in the bad guy's shoes: not only does he have to steal or guess your password, he's got to get his hands on something you carry around. Neither of these by itself is really horribly difficult, but the combination sure is.

So, 2-factor and we're good to go, right? Well, wrong. As evidence I offer 2FA, the aftermath by Lauren Wood [Disclosure: my wife]. This is the sort of story that makes my former colleagues in Google's Identity group weep bitter tears. Key out-take: "There are lots of people who don't have a mental model of passwords or authentication, who see only the pain and not the gain." Lots as in most.

Crypto

If everything were encrypted in transit, and also at rest while sitting up there on the server, this would make life seriously hard for the bad guys (and also for the overenthusiastic public servants in the National-Security community).

Fortunately, we have excellent encryption tools, built around a standard called OpenPGP, implemented by PGP and by GnuPG (GPG for short). It's woven on a loom of rigorous math, harder than diamonds; none of the people who are in a position to know think it's been cracked. So we're home free, right? Wrong. Consider Ed Snowden Taught Me To Smuggle Secrets Past Incredible Danger. Now I Teach You, by Micah Lee, the story of how the whistleblower and the journalists managed to get their secret back-channel going. Key out-take: "I tried to teach GPG to Greenwald but I had the same problem Snowden had encountered when he reached out in December, that Greenwald was busy and couldn't focus on it." Nobody has ever said Greenwald is dumb.

Try it for yourself! Here's an excellent beginners' introduction, PGP and You (PDF) by Caleb Thompson. If a geek, go have a look. If you're not, don't bother… and that's the problem.

The three big problems

Here's the thing: We have authentication technology that's good enough. We have encryption technology that's good enough. So why aren't our tools making the Internet safe?

  1. User experience,

  2. User experience, and

  3. User experience.

There's good news too. Unaccustomed as I am to praising Apple, let me do it for the second time this month. Steven Aquino, in On CVS and Rite-Aid Rejecting Apple Pay, writes: "More than security and convenience, Apple Pay has another huge advantage: accessibility… In my case, as someone with low vision and (mild) cerebral palsy, no longer do I have to fumble around… All I do is pull my phone out of my pocket, rest my thumb on the home button, and I'm done."

Wow! Once again, when you give something a good accessibility story, you usually do a favor for the fully-abled rest of us too.

Another good example is the YubiKey Nano. You jam it into a USB slot, forget it, and then when a program wants to know you're there, tap it with your finger.

This is the level of user experience that every security technology needs. A wave and a finger; maybe at most a PIN. Ask for anything more, and people Just. Will. Not. Use. It. I don't care how super-ultra-wonderful your security software is; if busy nontechnical people route around it, it's garbage.

News from the front

I've been making teeny-tiny contributions toward chipping away at the coalface. I've mentioned this before, but check out the Sending and Receiving screencasts; the OpenKeychain team is trying hard to make Android crypto software for everyone. They're not there yet; among other things, you can still see the encrypted payload, which is useful to exactly no-one.

If you want a real taste of usability work, check out this discussion of what (if anything) it means to certify an encryption key, and whether/how ordinary people should be offered the chance to do this.

There'll come a time when we can work on the finer points of the security UX, run studies, that kind of thing. For now, we need to focus on removing big stinky ugly obstacles.

UX is hard

Harder than the hard math that goes into crypto. Harder than the hard problem of figuring out who the human is that your software is interacting with.

But since the tech behind the UX is pretty good, every little bit we manage to improve the experience should yield noticeable payoff across the whole system. Working on this stuff feels like a high-impact investment.
