Password security

Enjoyable or invisible

30 July 2018

Two recent missives from unexpected sources have served as a stark reminder of just how reliant we are on electronic communications, both personally and for business.

The first was from a front line administrator for an NGO, who is under very strict rules as to work communications and therefore relies heavily on personal accounts for all else, and the second was from a technical guru in the engineering business.

In the first instance, I received an email from the person asking for advice because an old personal email account of theirs, dormant for some time, had been hijacked and was being used in an attempt to extort.

The old ruse of kompromat and pony up or we will distribute was used, but the person knew no such material existed. Authorities had been notified but the person was wondering what else to do.

In the second instance, the individual email account of a highly respected author, designer and engineer at their business was compromised, which forced them to notify every contact in the address book not only of the termination of that account, but also of the domain.

What to do
For the former, there really was little else that could be done, except of course to change all passwords on other accounts, especially if common or similar passwords had been used. For the latter, the advice was antivirus and malware scans on all machines and making sure everything is patched and up to date. Alas, there is not much else that can be done but to ensure increased vigilance and a healthy dose of paranoia.

In the latter case, the engineer in question had built a business over decades, with a reputation for innovative solutions to age-old problems in the industry that not only saw them lead the field with distinctive design, but become a published authority on several key topics. To have a potential threat to that reputation through the compromise of an email account that would then be used for nefarious purposes was too much. After years of reputation being built, a domain and an address had to be retired.

Two cases of compromised email, two sets of potentially disastrous consequences if things take a turn for the worse.

And here lies the conundrum of email, passwords and communications security.

We all know there is a difficult yin/yang balance between accessibility and security. But in this day and age of ubiquitous mobile devices, surely two factor authentication for something as important as an element of your identity (your personal email address) would be de rigueur? It would appear not.

Only recently, there have been reports that businesses have been slow to adopt 2FA for email.

And a security pro and blogger from Duo Security has done some extensive number crunching to show that even when Google made 2FA available, it was slow in adoption and uptake is still low in proportion to user base.

Why so?
So even when such facilities are made easy to use, people seem unwilling to adopt them for their own protection. Why is this?

Should the issue be that if people won’t use the tech, it is redundant? And therefore, a technology they will use is necessary? Or is it a case that with proper education, people will come around to the need and the wisdom and just get on with it?

If I had the answer to that, I’d be a tech start-up founder and not writing this blog.

But I do know that even though the protections afforded by 2FA are great, I am sometimes annoyed when it pops up. A certain web service I use allows me to set a cookie on a device after a successful 2FA access to say not to ask for 2FA again on this device for a week. This is very convenient, but when it pops up again unexpectedly as I am intent on carrying out a task it still provokes ire — momentary, but still. I’ve been in or around the IT security game (difficult admission warning) for 20 years now, so if it annoys me…
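The "don't ask again on this device for a week" cookie described above is a trusted-device token, and the trade-off behind the convenience is that whoever holds that cookie skips the second factor on that device until it expires. The following is an added illustration of how a service can issue and check such a token; it is not code from the service the author uses or from any named product. It assumes a server-side HMAC secret, a device identifier already stored in a separate device cookie, and a per-user "trust epoch" counter that the service bumps on a password change or a "sign out everywhere" action so that every remembered device is revoked at once; all three names are assumptions for this example.

```python
import base64
import hashlib
import hmac
import json

# "Don't ask for 2FA again on this device for a week."
TRUST_WINDOW_SECONDS = 7 * 24 * 3600


def _sign(payload: bytes, secret: bytes) -> str:
    """HMAC-SHA256 over the raw payload, base64url-encoded."""
    digest = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode()


def issue_trusted_device_cookie(user_id: str, device_id: str, trust_epoch: int,
                                secret: bytes, now: int) -> str:
    """Mint the cookie right after a successful second-factor check.

    The token is bound to the user, the device and the user's current trust
    epoch (assumed per-user counter), and carries an absolute expiry.
    """
    claims = {
        "u": user_id,
        "d": device_id,
        "e": trust_epoch,
        "iat": now,
        "exp": now + TRUST_WINDOW_SECONDS,
    }
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    return f"{body}.{_sign(payload, secret)}"


def should_prompt_2fa(cookie: str, user_id: str, device_id: str, trust_epoch: int,
                      secret: bytes, now: int) -> bool:
    """Return True when the second factor must be asked for again.

    Every failure path returns True: a missing, malformed, forged, copied,
    revoked or expired cookie never silently grants a bypass.
    """
    if not cookie or "." not in cookie:
        return True
    body, sig = cookie.rsplit(".", 1)
    try:
        payload = base64.urlsafe_b64decode(body.encode())
    except ValueError:          # binascii.Error is a ValueError subclass
        return True
    if not hmac.compare_digest(sig, _sign(payload, secret)):
        return True             # signature does not match: tampered or forged
    try:
        claims = json.loads(payload)
    except ValueError:
        return True
    if claims.get("u") != user_id or claims.get("d") != device_id:
        return True             # cookie presented by another user or device
    if claims.get("e") != trust_epoch:
        return True             # password reset / sign-out-everywhere since issuance
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return True             # the week is up
    return False


if __name__ == "__main__":
    # Constructed demo values, not real secrets or identifiers.
    secret = b"constructed-demo-secret-rotate-me"
    issued_at = 1_700_000_000
    cookie = issue_trusted_device_cookie("alice", "dev-1", 3, secret, issued_at)
    print("same device, next day   ->", should_prompt_2fa(cookie, "alice", "dev-1", 3, secret, issued_at + 86400))
    print("same device, a week later ->", should_prompt_2fa(cookie, "alice", "dev-1", 3, secret, issued_at + TRUST_WINDOW_SECONDS))
    print("after password change   ->", should_prompt_2fa(cookie, "alice", "dev-1", 4, secret, issued_at + 60))
```

Binding the token to a trust epoch is the part worth copying: the week-long convenience window stays intact for the user, but the moment they change their password or sign out everywhere, every remembered device is silently back to asking for the second factor, which is the remedy the article's first case called for.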

If technology adoption has taught us anything it is that human adaptation is a wonder of nature, but a very difficult capability to accelerate. It would seem that boffins need to develop the user experience of such security measures to make them either enjoyable or invisible, otherwise they will not be adopted.

Education is vital to ensure that people are aware of threats and the need to take action, but all the education in the world will not overcome basic human behaviour.

While we may be getting better at determining how successful in adoption a new technology might be, we are still facing the same old problems of appeal or invisibility in technological interaction that are driving design and innovation.
