This entry is written as part of "The End User Advocate" blog series, an informal examination of IT processes and the people who interact with them.
The headlines about cyber-attacks against the United States still dominate the news, even months after the election. While politics certainly helps drive partisan narratives, there is widespread agreement that Russian operatives probed and attempted to break into election systems in a number of states during the 2016 campaign. Although that effort was a serious attempt to interfere with the democratic election process, it wasn't the only significant cyber-attack to make headlines in recent months. The WannaCry ransomware worm that spread in May 2017 affected computers worldwide and hit the National Health Service in Great Britain especially hard. So what does this have to do with end users? Let me explain.
As IT struggles against the rapid pace of technology change, the ever-increasing connectivity demands of users and their devices, and rising expectations for a better end user experience, usability and security have increasingly come into conflict. Websites and corporate systems have built multiple layers of security to protect their data and infrastructure. Users must often log in to multiple systems, each with its own password requirements and expiration rules.
Forcing users to choose stronger passwords and change them more often closes off some avenues of attack (a leaked or guessed password stops working at the next rotation), but it has also been a nightmare for end users. People end up writing their passwords on paper, storing them in notes on their phones, or devising other cryptic schemes to remember the myriad of passwords their accounts require. Infrequently used sites such as benefits, payroll and retirement portals are even worse, because the password is forgotten before it is needed again. The list goes on and on, but the problem is real for users, and it shows up as password-reset tickets for the service desk to work through. It is worth noting that the NIST Digital Identity Guidelines (SP 800-63B) now advise against forcing periodic password changes unless there is evidence of compromise, precisely because rotation pushes people toward predictable patterns and written-down passwords.
Security vs. Usability
So how can the need for security be balanced with the need for usability? This is an important question I feel too often gets ignored. It reminds me of an example from my college days. Once a month our cafeteria served liver and onions. Not a crowd favorite for college students but a big favorite of the local pizza delivery joints. I once asked the head of food service why they continued to serve it if so many people didn’t like it. The answer was comical in how it completely missed the point. She told me “We serve it because it’s good for you.” I replied, “How can it be good for me if I don’t eat it?”
This is the same mentality I see too often in IT. Corporate mandates and stringent compliance requirements call for stronger, random passwords, forcing users to pick credentials they cannot remember. What happens when they forget them? Or when they are on a mobile device and the sticky note with the password is back at their desk? IT is serving the security but users aren't eating it: they bypass the enhanced controls and expose the organization to an increased risk of infiltration.
Some technology providers have actively tried to ease the pain created by this myriad of logins and passwords. Most modern browsers store site credentials, typically protected by the operating-system login or a master password, and pre-fill them when you return to the matching site. The logic is that if you signed in to your computer securely, the credentials it holds are covered by that same login (which also means an unlocked, unattended session exposes all of them, so screen-lock policies matter). Yet it's amazing just how many sites don't handle these pre-fills properly, with some going out of their way to block them by marking the login fields autocomplete="off", or even disabling cut and paste in the password box, which all but guarantees a short, typed password instead of a long stored one!
What About Password Managers?
A more secure option is one of the many password managers on the market, which store encrypted credentials and sync them across devices. They add a level of protection because the vault is locked with its own master password (and often a second factor) on top of the device login, and because they generate a unique random password for each site, so one breached site does not unlock the others. Again, IT often makes this harder than it needs to be. Account-creation pages sometimes live on a separate domain from the login page, so the manager saves the credential for one site and never offers it on the other. Some sites don't support pre-filling at all and require manual password entry to work correctly. It's as if IT were going out of its way to make this difficult for users. That not only frustrates end users but opens the door to workarounds.
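As an added example, not code from the original post or from any browser or password-manager vendor, here is a small Node.js script that checks login-form markup for the two habits described above (autocomplete="off" and paste blocking, from the browser pre-fill paragraph) and shows how a password manager's site matching treats a sign-up page on a different domain (from the password-manager paragraph). The sample forms, the URLs and the helper names (parseAttrs, auditLoginForm, sameSite, registrableDomain) are constructed for illustration; real managers match sites against the Public Suffix List rather than the last two DNS labels.

```javascript
// Added example, not code from the original post: audit login-form markup for
// the habits that defeat browser autofill and password managers, and show how
// a manager decides whether a saved credential belongs to the login page.
// The sample forms, URLs and helper names are constructed for illustration.

// Constructed sample: the kind of form that fights the browser.
const BAD_FORM = `
<form action="/session" method="post">
  <input type="text" name="user" autocomplete="off">
  <input type="password" name="pass" autocomplete="off" onpaste="return false;">
  <button>Sign in</button>
</form>`;

// Constructed sample: the same form with the standard autocomplete tokens,
// which tell browsers and managers which field is which.
const GOOD_FORM = `
<form action="/session" method="post">
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pass" autocomplete="current-password">
  <button>Sign in</button>
</form>`;

// Parse the attributes inside one HTML start tag into a plain object.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per input that would frustrate autofill.
function auditLoginForm(html) {
  const findings = [];
  for (const match of html.matchAll(/<input\b([^>]*)>/gi)) {
    const input = parseAttrs(match[1]);
    const type = (input.type || "text").toLowerCase();
    const ac = (input.autocomplete || "").toLowerCase();
    const label = `${type} field "${input.name || "?"}"`;

    if (ac === "off") {
      // Asks the browser not to offer stored credentials. Current browsers
      // ignore it on password fields, but managers still lose the field hints.
      findings.push(`${label}: autocomplete="off" discourages autofill`);
    } else if (type === "password" && ac !== "current-password" && ac !== "new-password") {
      findings.push(`${label}: no current-password/new-password token, managers must guess`);
    }

    if (input.onpaste !== undefined && /return\s+false|preventDefault/i.test(input.onpaste)) {
      // Blocking paste forces a typed password, which in practice means a
      // shorter, memorable one instead of the manager's random one.
      findings.push(`${label}: paste is blocked, forcing manual entry`);
    }
  }
  return findings;
}

// Approximate a password manager's site matching: a credential saved on one
// host is offered on another only if both share the same registrable domain.
// Simplification: real managers consult the Public Suffix List rather than
// taking the last two labels (so "example.co.uk" would need that list).
function registrableDomain(url) {
  return new URL(url).hostname.toLowerCase().split(".").slice(-2).join(".");
}

function sameSite(savedOnUrl, loginUrl) {
  return registrableDomain(savedOnUrl) === registrableDomain(loginUrl);
}

// Stand-alone demonstration.
function main() {
  console.log("bad form:", auditLoginForm(BAD_FORM));
  console.log("good form:", auditLoginForm(GOOD_FORM));
  // A sign-up page on a separate domain: the manager files the new credential
  // under example-accounts.com and will not offer it on www.example.com.
  console.log(sameSite("https://signup.example-accounts.com/register",
                       "https://www.example.com/login"));     // false
  // A sub-domain of the same site is matched.
  console.log(sameSite("https://accounts.example.com/register",
                       "https://www.example.com/login"));     // true
}
main();
```

Run it with `node audit.js`. The bad form yields three findings (two autocomplete="off" fields and the blocked paste) and the good form none; the two sameSite calls show why an account-creation page on a separate domain leaves the user with a credential the manager never offers at login.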
My final example is biometrics. Touch ID, introduced with the iPhone 5s, and its Android equivalents let a fingerprint unlock the device, and with iOS 8 Apple opened the sensor to third-party developers so they could use it to sign users into their own applications. The complex password is still there, but it sits in the device keychain and is released only after a successful fingerprint match, so all the end user has to do is touch the sensor. Banks jumped on the bandwagon quickly, as did many other companies. But there are still far too many apps that require manual entry, some on each and every use! I can't remember a randomly generated 16-character password required to view my prescriptions with my healthcare provider, but I do know how to use my finger to view them on the Walgreens app. There's a night and day difference in the experience AND it's more secure: a password the user never types can be as long and random as the policy demands, it never ends up on a sticky note, and the fingerprint itself never leaves the phone.
In this day and age, security is paramount, and the threats facing IT every day are serious and complex. Everyone is adapting to these new realities, and I believe most understand the need for tighter controls on applications and data. But as the complexity increases, IT must not lose sight of its end users by making things so hard that users sidestep the security measures. The big tech companies have worked hard to provide tools that go a long way towards easing the burden; IT needs to meet them halfway, because otherwise security is just like serving liver. It may look good on paper, but if people are bypassing it, it isn't really security at all.