Let’s not Become Password Huggers: Passwordless Guest Post on SC

Archive for December, 2020

Let’s not Become Password Huggers: Passwordless Guest Post on SC

Posted by

SC Magazine has a guest blog from me on passwordless authentication, and the importance of addressing usability, manageability, and defensibility.

Change happens at an uneven pace. Take the latest smartphone. The camera still has a lovely shutter click, though digital cameras have long since surpassed shutter cameras. The QWERTY keyboard was designed to solve the problem of jamming in 19th century typewriters. And yes, to open apps and websites alike, we’re still using an idea conceived of 60 years ago for mainframes: the password.

We cling to the password. It’s security’s first, and sometimes disastrously, last line of defense. As surely as we know the camera doesn’t have to click, we know the password can be replaced by stronger factors. In fact, with adaptive and contextual controls, replacing the password means greater security and user experience benefits.

What’s holding us back from moving forward with passwordless?

Read the full article here: Three ways we can move the industry to passwordless authentication

Cyber Security Design Studies, Papers, Books, and Resources

Posted by

The cyber security design principles emphasize psychology over technology. Here is a collection of scientific studies, research papers, design books, and related resources.

This is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Paths They Take

Number of steps; Familiarity of each step; Friction at each step.

Introduction to Customer Journey Mapping (ebook)

Flow Design Processes – Focusing on the Users’ Needs

Scientific Articles

Shosuke Suzuki, Victoria M. Lawlor, Jessica A. Cooper, Amanda R. Arulpragasam, Michael T. Treadway. Distinct regions of the striatum underlying effort, movement initiation and effort discounting. Nature Human Behaviour, 2020; DOI: 10.1038/s41562-020-00972-y

G. Suri, G. Sheppes, C. Schwartz, J. J. Gross. Patient Inertia and the Status Quo Bias: When an Inferior Option Is Preferred. Psychological Science, 2013; DOI: 10.1177/0956797613479976

ulia Watzek, Sarah F. Brosnan. Capuchin and rhesus monkeys show sunk cost effects in a psychomotor task. Scientific Reports, 2020; 10 (1) DOI: 10.1038/s41598-020-77301-w

Choices They Make

Number of choices; Predictability of the choice; Cognitive load of each choice.

Nudge to Health: Harnessing Decision Research to Promote Health Behavior

Sludge: “activities that are essentially nudging for evil”

Intentional and Unintentional Sludge

Books

Choosing Not to Choose, by Cass Sunstein

How to Decide: Simple Tools for Making Better Choices, by Annie Duke

Being Wrong: Adventures in the Margin of Error, by Kathryn Schulz

Scientific Articles

Sunstein, C. (2020). Sludge AuditsBehavioural Public Policy, 1-20. doi:10.1017/bpp.2019.32

Soman, Dilip and Cowen, Daniel and Kannan, Niketana and Feng, Bing, Seeing Sludge: Towards a Dashboard to Help Organizations Recognize Impedance to End-User Decisions and Action (September 27, 2019). Research Report Series Behaviourally Informed Organizations Partnership; Behavioural Economics in Action at Rotman, September 2019

Chadd, I., Filiz-Ozbay, E. & Ozbay, E.Y. The relevance of irrelevant informationExp Econ (2020). // Unavailable options and irrelevant information often cause people to make bad choices. The likelihood of poor decisions is even greater when people are presented with both.

Behavior

The behavior we want people to perform.

Scientific Articles

Hall, Jonathan D. and Madsen, Joshua, Can Behavioral Interventions Be Too Salient? Evidence From Traffic Safety Messages (September 16, 2020).

Barriers

Barriers preventing people from completing the behavior.

Scientific Articles

Benefits

Benefits of completing the behavior.

Scientific Articles

Training (Ignorance)

Scientific Articles

Irrationality

40 Clever and Creative Bus Stop Advertisements

Scientific Articles

Vadiveloo, M. K., Dixon, L. B., & Elbel, B. (2011). Consumer purchasing patterns in response to calorie labeling legislation in New York City. The International Journal of Behavioral Nutrition and Physical Activity, 8(1), 51-51.

Fernandes, D., Lynch, J. G., & Netemeyer, R. G. (2014). Financial literacy, financial education, and downstream financial behaviors. Management Science, 60(8), 1861-1883.

Investments

More people, better technology.

Scientific Articles

Incentives

Books

Drive: The Surprising Truth About What Motivates Us, by Daniel H. Pink

Scientific Articles

Gneezy, U., & Rustichini, A. (2000). A Fine is a Price. The Journal of Legal Studies, 29(1), 1–17. doi: 10.1086/468061

Rey-Biel, Pedro & Gneezy, Uri & Meier, Stephan. (2011). When and Why Incentives (Don’t) Work to Modify Behavior. Journal of Economic Perspectives. 25. 191-210. 10.2307/41337236.

Behavior Economics

From “Economic Man” to Behavioral Economics

Related Books

  • The design of everyday things, by Don Norman
  • Designing for the digital age: How to create human-centered products and services, by Kim Goodwin
  • Design research: Methods and perspectives, by Brenda Laurel
  • User experience revolution, by Paul Boag

Presentations

Does security have a design problem? Designing Security for Systems that are Bigger on the Inside.

How does design apply to securing application development and DevOps? Securing without Slowing.

How does design apply to BYOD and Cloud apps? Security Design Strategies for the Age of BYO.

How does design apply to blue teaming? Design Thinking for Blue Teams.

Design Thinking for Blue Teams at Converge Detroit

Posted by

Usability versus security is stupid. It forces us to choose one or the other. It excuses security breaches under the guise of usability. It automatically pits us against them, builders against breakers, developers against defenders. A better approach is to view security like usability: they happen where man meets machine. At that moment of meeting, what factors in human psychology and industrial design are at play? And suppose we could pause time. Suppose we could tease out those factors. Could we design a better experience, design a better outcome, design a better path to the future?

Recorded for Converge Detroit 2020

Watch more videos on my YouTube channel.

Killing Passwords with Infosecurity Magazine

Posted by

Back in September, Gartner detailed its top eight security projects for the coming year. Among those was the concept of ‘passwordless’ authentication, where a second factor such as a known asset like a phone, tablet, keyfob or smart watch can be used instead of a password.

Excerpt from: Interview: J Wolfgang Goerlich, Advisory CISO, Duo Security (Cisco)

Speaking to Infosecurity, Goerlich cited a talk at the 2004 RSA Conference, where Bill Gates said that the password is dead, and Goerlich commented that “16 years later we’re still trying to kill it.” He said that to enable a passwordless strategy, you need both the equipment and technology to enable it, but mostly you need “to have momentum in the organization and a reason to do it.”

However, now that everyone carries a biometric authenticator in their pocket, has hardware in place and given the fact that security wants to enable users, why do passwords still exist? 

Read the full article: https://www.infosecurity-magazine.com/interviews/interview-wolfgang-cisco-duo/

Wolf’s Additional Thoughts

What leads one innovation to succeed? What leads another innovation to stall? We need standards, infrastructure, and critical mass. But these come often out of order and require a spark to bring it all together. Sixteen years after Bill Gates declared the password dead, we’ve reached the inflection point. It’s about to get exciting.

The final thought in the article is “He concluded by saying that increasing trust in authentication is vital for passwordless to succeed, as today’s good factor is bypassed tomorrow. “

My strong recommendation is pairing passwordless with additional anti-fraud measures. Include the device identification in the authentication. Include behavior analytics (where, when, how) to further bolster trust in the authentication. We can predict criminals will work around these authentication methods, so let’s move now to put in place compensating controls to detect and prevent their next move.


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.