Security is a UX Problem

Published On
Oct 7, 2022

Informal security chat with our host Reece Guida and Beyond Identity's CTO Jasson Casey on why considering security from a UX side of things sets you up for success.

Transcription

Reece

Hello, and welcome to Hot Takes. It's just me, your host, Reece Guida, and our CTO, Jasson Casey, today. Say hi, Jasson. 

Jasson

Hi. 

Reece

That was really good hi. Well done. Today, we are here to talk about security. The hot take is that security is actually a UX problem. And this suggestion came to us from Jing on our product marketing team. So, when Jing was talking to me about it, she was kind of saying that security...a lot of people think of it in security terms, like technical, hard to use, defense in depth, blah, blah, blah. 

But when you think about security from a UX side of things, it sets you up for success because most problems in security are caused by user experience issues and, you know, frankly, users themselves. So, Jasson, when you hear that security is actually a UX problem, what does that mean to you? 

Jasson

So, a couple things, right? So, the first image that comes to mind, I feel like it makes the rounds every three months on Twitter, it's a picture of a guardrail, you know, the guardrails that drop down across roads, but it's dropped down across a walking path. 

And then you see essentially this goat path just around the corner of it. And the caption is something along the lines of, like, security that didn't consider usability, and clearly, you know, the grass is worn from the people just walking around the gate. But yeah, no, I think passwords are a great example of not really thinking about usability. 

The best password and the best password practices by people are remembering, like, long, high-entropy strings that are unique on a per-site basis. What about that sounds like a great user experience? 

Reece

It does not sound fun at all. I was actually talking to my brother-in-law this past weekend. He knows what I do. I never shut up about working here. And he was bragging about his formula to set up passwords. "I use special characters and numbers, and if they don't let me use a special character, I get mad." 

And I was saying, "Well, you know, not that I use passwords anymore really, but I always like to do three random words, like headphone, hand sanitizer, and cat." Technically, that was, you know, four because one of them was a compound word. Hey, don't write it down. 

Jasson

Don't worry. I won't record it. 

Reece

Yeah. Just putting that out into the world. But it's funny, you really cannot win in user experience if there's passwords there at all. But I mean, just more generally, like, beyond passwords, like, what other tendencies in security do we have that kind of got us to this point where user experience isn't as good as it could be? 

Jasson

So, actually, I'm taking the phrase a little bit differently. So, it's not that user experience isn't as good as it could be, it's more that if you don't consider user experience when you build a security product, your users are going to show you your next vulnerabilities. And they're definitely related, but I don't know if they actually factor the same thing. 

Reece

I don't think they're the same either. Yeah. 

Jasson

I mean, maybe the best user experience at the end of the day is, you know, I put my name in and I type a button, and it lets me in, right? Maybe it's not a long-term great user experience because anyone who has my name can then assume my identity. But now when I think about passwords, I think about things that are kind of a terrible user experience. 

And the vulnerabilities that your users create for you is then reusing the same password across multiple sites, right? Using passwords that are easy to guess. Using passwords that are easy to crack because they're based on dictionary words and they're typically early in the cracking toolsets. The other thing that I think about when I think about usability in security is, you know, fundamental to a lot of phishing and a lot of man-in-the-middle attacks is a product or a service kind of expecting or the world expecting people to act like a computer in the verification that a domain name is exactly what they intend and nothing else. 

That it really is their production Okta instance as opposed to adversarial infrastructure that's going to route them through. That it really is an O in the Latin character set as opposed to something that kind of looks like it from the Greek alphabet. 

Reece

Humans are not good at that stuff. 

Jasson

Well, that's just it, right? Like, these are exploiting the...number one, they're exploiting things that are just naturally difficult for people. And then number two, people just have error rates, right? So, why would you ever expect a human to... If a human always has an error rate, why in the world would you ever expect them to carry out an activity where essentially the first time they fail at it, it creates an opening for an adversary to assume their identity, steal their money, access the documents X, Y, and Z? 

Reece

Yeah, I mean, failure is inherent to the human condition. And when Jing and I were talking about this, I was, like, struggling to understand what she means by security as a UX problem. And she made a point that, you know, people want to feel safe, right? They want to feel the warm blanket of security. 

Like, you know, "Hey, you know, entering a one-time code may suck, but at least I feel protected." Or, "Oh, on my Google account, I'd love to be able to check the multifactor option and have to, you know, authenticate via YouTube." So, maybe some people like that. I don't know if I necessarily agree, but does security have to impose itself on users, or is the best security user experience one that's, like, invisible to them? 

Who's to say? 

Jasson

It's kind of a hard thing to answer. I don't know if everyone... First things, you loaded up the blunderbuss and shot four questions out at one time. 

Reece

That's how I roll. 

Jasson

Do people want to feel the warm blanket or the wet blanket of security and safety? Like, I don't know, maybe. The litmus test I usually think about with security usability is, is this a thing that my mother or my father would use, right? And, you know, my dad's fairly technical, not in our industry, but in a different industry, and my mother is not at all, but they're both kind of good silhouettes in my mind for is it something they're naturally going to do? 

And if the answer is no, it's probably not a viable solution. Like, my mother's never going to use a password manager, for instance. Now, she will write passwords down in a notebook and keep that around with her. And the second...what was...so, that was your first thing. I'd be surprised if people are expecting...if it makes them happy to turn on MFA. 

That would be shocking. But the second part of your question was more interesting, and I forgot what it was. 

Reece

Yeah. So, the interesting thing that I said was do people want security to be invisible? I think that was kind of what I was getting at. Like, is that the best kind of user experience, one where it's not an experience at all? 

Jasson

So, I think the best security experience is where they know it's present, but it doesn't get in their way, right? So, if it were completely invisible, you do, and we have seen this, right, people start to question, like, are you doing anything, right? So, when our product logs people in, right? 

Like, a year and a half ago, one of the complaints we got was, "It's not obvious anything happened other than I just clicked a button." And so we added some visual indicators to basically just handle the human side of things. 

Reece

Oh, that's right. Is that the little tooltip that says, you know, checking the authenticator on your device, matching the biometric, blah, blah, blah? 

Jasson

Yeah. So, technically, it's called a toast, not a tooltip. 

Reece

Oh, okay, toast. I will never forget that. 

Jasson

Yeah. But that's exactly what that is. So, we didn't change anything about the authentication protocol under the hood, but we added a delay and an end-user feedback mechanism to really kind of address that concern. So, invisible, probably not completely invisible, but seen not heard, right? Slightly out of the way. 

It's kind of like, you know, the U.S. Secret Service. You know they're there, they don't get in your way, and you know they're packing and can handle things, but it's not overt, you don't see it. 

Reece

Man, I was about to make that analogy, and you beat me to it. It reminds me of that book you had on your desk a while ago. What was it called? "Spies, Lies, and Algorithms?" 

Jasson

Oh, yeah, yeah, yeah. What about it? 

Reece

Do you recommend that to the listeners of this podcast? Might as well plug something while we're here. 

Jasson

Yeah, no. So, man, now I got to think back because I've read a couple since then. So, I love reading a handful of books about our space, not just in terms of, like, technical how-tos but also, like, history of things, history of incidents, both at the corporate level and the nation level as well as how that kind of informs policy. 

And I would say the most interesting book that I would recommend for folks that haven't actually gotten into the space or kind of actively read that, it wouldn't be that one, that's a little bit more kind of a deep-end book, but it would be something by I think it's Kim Zetter, "Countdown to Zero Day." 

That is a fantastic read. I mean, obviously, the book is pretty good, too. But yeah, "Countdown to Zero Day" I found to be just an incredible page-turner because it combined the geopolitical events that were going on in Iran and Iran's nuclear weapons program interspersed with the story of these independent security researchers who were slowly unraveling how this new breed of malware, which was really curious in what it was doing, was working. 

And slowly kind of putting the puzzle pieces together to realize they were...basically discovered a nation-state program really aimed at deterring a particular country from its quest towards developing a nuclear capability. Anyway, that was a really good book. 

Reece

I got to read that one. I subscribe to her Zero Day Substack, but I haven't read the book. 

Jasson

No. Yeah, no, that was great. "Code Warrior" is a really, really good book, but that's more of, like, the history of cryptography and more of a modern history of cryptography. What else do we have up here that you guys might like? Obviously, if you've never ventured into the space, "The Cuckoo's Egg" is a classic. 

Reece

Oh, yeah. 

Jasson

The character does frustrate me from time to time. I think it's just his writing style, but it's a fascinating read. And the crazy thing is everything he was doing in the '80s in the book, "The Cuckoo's Egg," kind of describes very, very similar techniques that we still use today, just in a more modern manifestation. But yeah, it was Clifford Stoll, I think, who wrote "The Cuckoo's Egg," and I think he was, like, an astrophysicist who was also responsible for administering the UNIX systems at Berkeley. 

Reece

Geez. 

Jasson

He found an accounting error, right? Like, it was the login times for all the users on a machine didn't equate to the billing times that accounting was issuing out. And he pulled that thread and eventually uncovered kind of a KGB plot to try and steal U.S. Defense Department weapons plans. 

Reece

Oh, my gosh. And something as mundane as accounting stuff, that's where it all started. Wow. 

Jasson

How it starts. 

Reece

Well, yeah, kind of back to your point earlier about the Secret Service being there but, you know, they're not in your way, I think that that's really what security should strive to be. You know it's there, but it's not getting in your way on a daily basis. And I like how it kind of turned into a book club combo from there. Well, I will let you get back to reading five books at once. 

Thanks for tuning in, everyone, for this talk about security and user experience. Tune in next week when the gang's all back together for an interesting and enlightening discussion. Please smash the Subscribe button if you want me to be happy. And other than that, have a good one. Bye-bye. 


Jasson

Yeah, no. So, man, now I got to think back because I've read a couple since then. So, I love reading a handful of books about our space, not just in terms of, like, technical how-tos but also, like, history of things, history of incidents, both at the corporate level and the nation level as well as how that kind of informs policy. 

And I would say the most interesting book that I would recommend for folks that haven't actually gotten into the space or kind of actively read that, it wouldn't be that one, that's a little bit more kind of a deep-end book, but it would be something by I think it's Kim Zetter, "Countdown to Zero Day." 

That is a fantastic read. I mean, obviously, the book is pretty good, too. But yeah, "Countdown to Zero Day" I found to be just an incredible page-turner because it combined the geopolitical events that were going on in Iran and Iran's nuclear weapons program interspersed with the story of these independent security researchers that were slowly unraveling this new breed of malware that was really curious in what it was doing and how it was working. 

And slowly kind of putting the puzzle pieces together to realize they were...basically discovered a nation-state program really aimed at deterring a particular country from its quest towards developing a nuclear capability. Anyway, that was a really good book. 

Reece

I got to read that one. I subscribe to her Zero Day Substack, but I haven't read the book. 

Jasson

No. Yeah, no, that was great. "Code Warrior" is a really, really good book, but that's more of, like, the history of cryptography and more of a modern history of cryptography. What else do we have up here that you guys might like? Obviously, if you've never ventured into the space, "The Cuckoo's Egg" is a classic. 

Reece

Oh, yeah. 

Jasson

The character does frustrate me from time to time. I think it's just his writing style, but it's a fascinating read. And the crazy thing is everything he was doing in the '80s in the book, "The Cuckoo's Egg," kind of describes very, very similar techniques that we still use today, just in a more modern manifestation. But yeah, it was Clifford Stoll, I think, who wrote "The Cuckoo's Egg," and I think he was, like, an astrophysicist who was also responsible for administering the UNIX systems at Berkeley. 

Reece

Geez. 

Jasson

He found an accounting error, right? Like, it was the login times for all the users on a machine didn't equate to the billing times that accounting was issuing out. And he pulled that thread and eventually uncovered kind of a KGB plot to try and steal U.S. Defense Department weapons plans. 

Reece

Oh, my gosh. And something as mundane as accounting stuff, that's where it all started. Wow. 

Jasson

How it starts. 

Reece

Well, yeah, kind of back to your point earlier about the Secret Service being there but, you know, they're not in your way, I think that that's really what security should strive to be. You know it's there, but it's not getting in your way on a daily basis. And I like how it kind of turned into a book club combo from there. Well, I will let you get back to reading five books at once. 

Thanks for tuning in, everyone, for this talk about security and user experience. Tune in next week when the gang's all back together for an interesting and enlightening discussion. Please smash the Subscribe button if you want me to be happy. And other than that, have a good one. Bye-bye. 
