Web Directions Year round learning for product, design and engineering professionals

With this conversation with Rachel Simpson we reach the end of the first round of conversations we recorded around our Respond Conference.

If you’ve missed my other conversations to date, why not take a bit of time to listen to conversations with

• Ethan Marcotte
• Karen McGrane
• Sara Soueidan
• Russ Weakley

Rachel and I spoke about security, and how this is as much a design problem as an engineering problem. If you in any way connect with any information about your users, I heartily recommend this chat.
If reading’s more your thing, there’s a full transcript below of the covnersation.

If you’d like to know more about Rachel, we profiled her in the Respond conference Wrap, a free download, and also online recently as well.

Part I

Part II

Part III

Like to watch and read more like this? Be the first to score invitations to our events? Then jump on our once a week mailing list where we round up the week’s best reading and watching on all things Web. And you’ll get a complimentary digital copy of our brand new magazine, Scroll.

Full Transcript

John

So Rachel, one of my favorite words in English is actually an ancient Hebrew word and it’s the word shiboleth. And you were saying it’s not an idea that you’d actually heard of.

Rachel

I have heard of it before but it’s a fantastic story.

John

Right, so, thank you. So, it’s in the Bible and there are a lot of great stories in the Bible, it turns out. Even atheists like myself can actually kind of appreciate and get a lot of value from the Bible. So there’s shiboleth or if you’re a fan of the West Wing there’s a whole episode about shiboleth so you might be familiar with that. So, it’s a word that’s still in common usage but it’s quite obscure. And the idea was this, that in probably any exposure to the Bible you probably know you had the tribes of Israel and their mortal enemies the Philistines. So, you had David and Goliath and Goliath was a Philistine and we even get the term philistine obviously from the Philistines. But they’re in constant conflict. And there’s a story around how these Israelites use the word shiboleth to recognize one of their own in the dark. I guess what we would call a watchword. That’s probably a more contemporary English word for that. Again what’s the watchword is the word that you say. It’s like a password. To me it seems like one of the really earliest examples of a password. And you have a particular interest in passwords by way of an interest in identity and authentication. We’ll probably come back to passwords and whether they’re good or otherwise in a minute. But to start with, you’re a user researcher and a UX designer, but you’ve got a particular interest in identity and authentication. How did that come about?

Rachel

Yeah, I mean, so my background’s in user experience and I care a lot about making things that are important easier to use. And I think that the story of how I became most interested in passwords, I think the background was there. We talk a lot about passwords and security, in general, on Chrome and thinking about–

John

So you’re the Chrome user experience team.

Rachel

I’m on the Chrome UX team, so obviously I have an interest in various systems that people use, platforms for communication, all those kind of things. So, all of that interest I think led up to a somewhat heated discussion with Guy, Guy Pajarnis. We talked about Guy. We both were speaking at a conference. We were sitting together in a speakers’ room and got to talking. And somehow managed to get into this heated discussion about, sort of, this tension between security and usability. So, Guy has a very technical background. My background is in actually in industrial design, then user experience design. So, after we had this argument, then we realized that we should create this presentation. We talk about, sort of, how to make these systems work better for users. And thinking about in a lot of detail why people behave the certain ways that they do. How can designers and engineers work better together to kind of bring about change in this existing system?

John

For a long time, I guess, we’ve thought about security as being an engineering problem.

Rachel

Exactly.

John

And I think going back before computer systems, we have technologies like keys which we use to secure our cars, which are the most expensive thing we own other than possibly our houses which we secure with keys. And the key technology is like thousands of years old. We’ve more or less solved that engineering problem in one sense a long time ago. But we, as I said, we think of that as an engineering problem. And engineers think well we can solve this. And engineers think well the users are the weakest link.

Rachel

Exactly, yes.

John

It’s very much an engineering response. If only those users had perfect memories and chose unique, random one-time passwords,

Rachel

If they followed the rules, yes.

John

Then there would be no problem here in any way with security, but that isn’t really the case. So, first and foremost, I guess, in a browser like Chrome, where are the really big security touch points, or where are the big, where are the things that you guys worry most about when it comes to security and identity?

Rachel

Well, I think it’s the answer to that problem is challenging because Chrome is different, in that. It’s not really a product, it’s a platform. So, not only do we have to think about the security of the pages themselves, you know, thinking about http vs. https and these kinds of details around the platform for developers, but we also, I mean not directly, but it’s important to consider the security of the products on our platform. And that’s something–

John

But you’ve got identity built into the browser now. You can choose your persona and that then flows into Google products and potentially other products as well that kind of can hawk into that. So, all the way out to the wrapper around the whole experience, you’ve got identity and security kind of built in.

Rachel

Embedded into the whole system. Yeah, absolutely, I think and this is something that its not just a question of how do we behave in Chrome, but how do we behave across Google, so a sort of complexity associated with where your account is connected to Chrome.

John

I always find it interesting that I get a phone call from my bank or my credit card provider and they’ll say, “Hey, this is X from credit card provider Y. “I just wanna ask you security questions, right.”

Rachel

It’s so distressing.

John

So the training is to do. It’s astonishing. I had a close relative who is a very intelligent woman and a little bit older than us but who’s been literally was walked through the process of getting the two-factoral authentication codes and giving them to that third party because she’d been so well-trained to basically identify herself to our banks. So, it’s not only when I ring my bank, it’s actually when they ring me. So it seems like we’ve really got these horrendously broken security systems, and privacy systems because I think they do go hand in hand. So, what are some lessons that you’ve learned maybe about, I’ll step back just a bit. One of my themes and the people I’ve been talking to over the last couple of days has been what I call jet pack futurism. And the idea behind jet pack futurism, is we often have this vision of the future that is wedded in the past and is never revisited. So when you think about the future, it’s probably through the prism of what we thought of what the future was like 20, 30, 40 years ago. We watched it as we grew up on Saturday morning cartoons or we watched it in the movies. And it became our sense, the default sense of what the future was gonna be, right? And then we complain that we never got jet packs and flying cars and we don’t observe that well, in fact, we weren’t promised them anyway, but what we did get is the globally connected network which was all free. So, I guess, you know, I kind of have this interesting sort of what some people will call retro futurism. In terms of technologies and solutions around privacy and security, are there these kind of classic futuristic all, when only we get retinal scanning or, by way of example, then the world will have solved these problems. Are there some classic sort of jet pack futuristic security features that people come to you with, people think about? Is there a whole lore of that in the world of security and authentication? I’m not thinking about those classic retinal scanners and, of course, we’ve now got them on our phones, with our thumb print scanners. Is there a whole list of stuff like that that always and you’re like, “Oh would you stop with the retinal scan.”

Rachel

No, I mean, I think, I had an example I’ve just forgotten, but so I think yeah, of course, I think as soon as you start thinking about security more in depth it becomes impossible to think about these futuristic solutions because there’s always a flaw. You know, the solution of the solution, number 42 for security is, I don’t think it exists. And I think the reason for that is that people are part of that system. I wanted to go back to that example you were talking about your sort of older relative and how she’s been trained to give security indicators over the phone to her bank, for example. Unfortunately, because of human behavior, because people can’t remember things or because of the complexity of these systems that we’ve imposed upon them, we can no longer expect them to behave in secure ways. So, when your bank calls your relative and says, “Hi, Mrs. So-and-so, “we’d like to have this security information from you.” She might say, “Well, I don’t have it with me right now. “Maybe you can ask me a different question.” So there’s, sort of, built-in forgiveness that we’ve created in these systems because it’s necessary that also makes them vulnerable.

John

The challenge is we’ve the cat’s kind of out of the bag, the genie’s out of that bottle, right. We’ve trained a generation of people that the bank’s gonna ring us and ask us to identify ourselves and we’re gonna use these factors about ourselves to identify ourselves. My feeling is perhaps the best option is for banks to actually not ring anyone anymore. But the problem is that for probably another generation, even if banks blanket advertise the fact that they’re never gonna ring you again, it will probably continue to work.

Rachel

Absolutely.

John

Because Nigerian scams seem to work. People get scammed more than once in Nigerian scams, right. Having lost all their money to a Nigerian prince, it happens again, right.

Rachel

There’s actually a story about that in my talk.

John

Oh, okay.

Rachel

It’s the story, oh no I’ve forgotten his name, that’s so embarrassing, a friend of Guy’s and he’s an incredibly technically-savvy person and he, himself, was taken by a phishing scam, not a Nigerian email, one of these, sort of, Nigerian prince scams, but a really sophisticated phishing scam. Phishing scams are super interesting because I think one of the hardest, if not the hardest security, common security problem that I think to solve because it’s getting so much easier and so much, so much easier for people running these scams to make them look realistic.

John

So these generally use email as their attack vectors?

Rachel

There’s a variety of vectors I would say, and I should add the caveat that I’m by no means a security expert. But, what I think is interesting is that it can be anything when you picture one of these emails, it’s one of these ridiculously worded with poor grammar, and poor English all of this kind of thing, and it’s quite easy for most people to spot. But you also have to think about phishing scams which arrive via the browser. For example, and I think this is one of the, it’s an interesting problem because, the only way really, in many cases, to tell this is a phishing scam is via the url.

John

Right, and browsers increasingly are hiding those urls from us.

Rachel

In a lot of places.

John

I’m not necessarily saying Chrome is but certainly other browsers.

Rachel

No, no, no it’s something that, I think, many browsers are doing right now and it, not just browsers, but thinking about entry points to the browser, to the internet via mobile apps, for example.

John

Right, because a lot of which are essentially http applications, but we don’t even know whether they’re doing with a tail s or they’re not doing with a tail s.

Rachel

It’s not clear. It’s not easy to for you to check.

John

Right.

Rachel

I think that this is one of the biggest problems that we’re gonna have to face on mobile is, sort of, the increasing desire to make things feel seamless and the problem that people have difficulty understanding the url and how to work with, how to navigate via url and the browser.

John

So, Chrome itself, as other browsers do, potentially, is they bring out, draw our attention to whether something is of a tail s, by giving us, and, in fact, now we’re getting to the point where there’s a strong advocacy for the idea that maybe everything should be of a tail s? Which I have come round to actually, over the, partly because it’s become so much easier to do.

Rachel

Controversial, yes.

John

But personally I resisted that for a long time. But now I kinda, particularly given some of the features we’re now being able to play with in the browser as a developer, whether it’s the service worker, maybe geolocation from the get-go, the things that expose a lot of potential, kind of, doubt, or about, what tactics is on our users.

Rachel

Very true.

John

You know, maybe we should never have let them be open slather in them anyway.

Rachel

That’s why, I guess, moving to everything over to tail s is one potential approach to this. And it feels like that’s probably where we’re headed. (Mumbles) flagged the idea that they’re gonna deprecate non-tail s traffic at some point. And it feels less controversial now than when they announced that, perhaps, 12 months ago. So, what are some of the other things you’ve found can kind of help whether it’s about, is it about drawing the users attention to potential insecurities? Is it flagging communications that may seem spurious? What are the sorts of things that you’ve found are really important to potentially do and give you good return on that investment?

John

So, I think that, just to try to generalize it as well, I think that, I mean, the big part of it for me is trying to better understand people’s behavior. I mean, why do they do these crazy things that they do? You know when you talk to developers,

Rachel

They write their password down or they stick it on a sticky note by their bank.

John

Why do they do that? So understanding the factors that affect the way that people behave so you can think about how these systems could be better designed as you approach them. So, I think one example is to think about focus. So, a great example of this is thinking about the moment when people, we need people’s attention. Because right now a lot of security, or I’m thinking specifically maybe about the, I have picture in my head, the security indicator in the, the address bar in Chrome. I’m trying not to use jargon. The security indicator in Chrome.

Rachel

Hopefully our audience is reasonably sort of savvy.

John

Okay so it’s not.

Rachel

Right.

John

Okay. This piece is interesting because it’s shown consistently and it changes depending on the security of the page. And I think this is great. It’s already starting to, kind of, call it out. Maybe something that might even improve situations like this where sometimes it’s not secure and we need your attention, we’ll be able to call out, call it out with motion. To show the user that something has changed. And even better to explain to the user what the implications are for them. Because in many cases, the security implications are not clear. So, we might be saying, “Red alert, this is not safe for you.” But what we mean is, “Is this a banking page? “If this is the banking page, “probably you shouldn’t type in your information.” Or, “Is this a page where you have to put in your password? “Maybe don’t put your password in here.” I think being really specific and clear about what this means to the user, without using jargon, or without being too obtuse, I think, is really important. Some of the other things I think are really important in (mumbles) the passwords, for example, is to think about human memory. That it’s a limited resource and that it’s not as effective over time and with randomness. So, passwords, I think, one of the biggest flaws are, among many other things is that we ask people to remember passwords. In fact, we ask people to remember passwords, there’s a great study, the Dashlane study, they had a product which scanned the inboxes of their clients and found out that on average people in the U.S. have about 130 accounts per email address. And so, if they were following security protocol to the letter, they would have different passwords for each of those accounts. And we expect them to use random passwords rather than meaningful ones. So, at every step of the way, we’ve violated the basic principles of how people’s brains work, and maybe we shouldn’t do that.

John

So I guess one of the approaches that people who, like myself who feel they’re doing the right thing, there is to have passwords generated either by a browser which then looks after them, or by password manager, all locked up behind a single, or hopefully, very, very strong password that once someone breaks then they’ve got all our passwords to everything nicely assembled. Is the problem passwords? Is that whole approach simply, I guess the way, we don’t necessarily try and endorse particular products and such, but Apple certainly have increasingly seem to be wanting to use biometric things like particularly fingerprints to be associated with your Apple Pay accounts. Are these inherently better solutions?

Rachel

It’s such a complex question. So, I’ve talked about passwords, about biometric data before with some of the engineers looking for different solutions. I think I should state, probably, that fingerprints and other biometric stuff is not as, also not secure, that it can also be broken. That every existing security system can be broken which brings us to two-factor authentication, of course. And I think that that’s sort of the expected standard that products should keep to.

John

So you think, pretty much, anybody who asks, if I created an account whether it’s with my email provider, whether it’s my bank, all the way through to Disqus, or somebody, anywhere I create, is there a barrier to entry, or pretty much, you create an account somewhere and it revolves tying, using a password together, it should be two-fa? Is that your feeling? Who gets away with not having to worry about this? Or do you think, really, you’re building something like that and you’re serious about it, you should be doing two-factor?

Rachel

I think it’s a good question and I think that the answer isn’t everyone has to have two-factor authentication. I think that more I’m, kind of, advocating good decision-making and, at the same time, I think that there is a new, interesting example that I called out in the talk. And I think it’s Medium. They’ve done something very interesting where they’ve connected their, I think they’re still doing this, they’ve connected the Medium account to your email account. So one way for you to sign in is to go to Medium, put in your email address and hit sign in. And then it sends you a link to your email address. And then you click on that and you’re signed in.

John

I think Slack do something similar, don’t they?

Rachel

Yeah, I think so. And so it’s an interesting example because it basically says, “We think your that Gmail account or your email account,” I think they only use Gmail, I’m not sure, maybe I’m wrong. But they think that your email account is secure.

John

Right and that sort of pushed the whole problem on your email provider, right?

Rachel

Exactly and in this case, if it is a Gmail account, then it’s already enabled for two-factor authentication which is great. So, I guess it’s a question of, gee I wish I had a good answer for this. It’s a complex problem.

John

I mean is there an opportunity, we’ve seen (mumbles) in the business of, of providing authentication services, I mean, at the moment they seem to be centering on your social media, sign in with Twitter, sign in with Google, sign in with Gmail, so on and with Facebook these seem to be. I guess the challenge around the commercial provision of these services is, where’s the money, where’s the business model around it. But we certainly are seeing a number of those sorts of plays.

Rachel

Well the thing that I think is quite interesting is, or the thing that I know nothing about, but I’m completely intrigued by is that I believe the Estonian government also they have a lot of digital services that they’ve spun up.

John

They do, they kinda positioned themselves very much as the world’s leading digital government.

Rachel

Exactly, and I think that that’s interesting because what it led to in this case is that you have a government I.D. which is a digital identifier. And people have little card scanners and they scan a card to identify themselves in order to engage in sort of activities associated with their identity. And I think this is quite interesting because it, I mean, first, it points to a huge shift and it points to us, as designers and engineers kinda becoming these gatekeepers to these digital spaces. And that sort of shows the importance and the impact of this work, but at the same time I think it’s also interesting because it means that everybody is gonna be online. And so the more people come online, the harder it is to say, “Oh well, humans are the weakest link,” and the easier it becomes to say, the more it puts designers and engineers into a position of power to say, “Actually, humans aren’t the weakest link.” We need to have responsibility, take responsibility and do work to improve the human experience of security, otherwise, the risk is too great.

John

So, I think that the experience in the United Kingdom has gone down. It’s almost the opposite of the Estonian. Instead of having a centralized, single government provision of identity, they’ve actually outsourced it.

Rachel

Oh, I didn’t know that. That’s interesting.

John

Multiple, multiple companies can provide identity services.

Rachel

Oh, very cool.

John

And I think, we had Tom Loosemore, who was kind of the deputy director of the GDS for quite some time in the U.K. come and speak at one of our conferences last year and talked a little about these. And, I think, part of the reasoning is, well, we don’t have a single point of failure now.

Rachel

Which is very smart.

John

Like if we’ve got like 10, 15, 20 providers, one of them gets hacked, it’s not like we lose all the national database of identity. We still lose a lot and I think that’s maybe not a super strong argument for doing this because, the fact is, if you lose even a twentieth of the entire national identity database.

Rachel

It’s a risk.

John

Yeah, seriously bad thing’s gonna happen there. But it is interesting that that’s the model they’ve taken there. Australia is actually probably three or four, five years behind GDS and Estonia in terms of their adoption. And it remains to be seen which of those two directions we take. Are we gonna have a centralized provider? Although we have had a rather poor experience with online government identity provision in Australia.

Rachel

Oh dear.

John

Both around security challenges, also around the whole thing just falling over and especially at peak times like taxation, main taxation filing times where a lot of angst and anger is generated. So, we’ve sort of had this our first go at it and seem to quite work. So it’s kinda interesting to see what comes next. Let’s perhaps finish up with some key takeaway. I mean, our audience is often people, whether decision-makers, they’re engineers, they’re designers, you know, in the world of the web and so on. And so many of them, whether they’re in banks, or media, whatever they’re doing, will have some idea of identifying and authenticating users. Rather than thinking about kind of the gold standard, up here, some future thing, which is still certainly emerging and hopefully we’ll hear a bit more about from you at the conference. What are some of the really, really terrible things that people are still doing, like sending passwords in clear. What are people still doing that you think, like here are the two, three, one thing you could do right now, if you don’t do anything else, just either don’t do this if you’re doing it, or do this, whether it’s TLS, I mean, where are you around TLS? Do you think that’s where people should really be heading? Would that bring a lot to the table? You still out on TLS, not quite sure?

Rachel

I’m just thinking about really what is it, the one, what is the one thing that we could do?

John

What are people doing that they shouldn’t do? Don’t send email, but people still send passwords in the clear, like major corporations still do that, right? So, don’t do that people.

Rachel

There’s too many things, there’s too many things. You know, there’s so many things that people do. I’m thinking more about what could designers, what could engineers do to improve the experience of their products with regards to security. To be honest, I think that the smallest change, and the most important change is about communication. It’s about, if people have to create a password for your product, then are you communicating clearly what it needs to be? Very, very basic things. I think the more friction that exists around security experiences, I think the harder it is for people. I think all these problems are so complex that there isn’t a single, simple solution. It’s all about the details. It’s a design problem and it’s about creating an experience in which every step of the way people have a good understanding what they’re supposed to do. But I’m thinking about a great example and I’m trying to remember whose web site it belongs to and I’m embarrassed that I cannot. I think it might be MailChimp, perhaps. They do a really great job about communicating the security of your password.

John

So, in terms of you putting in 1-1-0-0, for example, they tell you?

Rachel

Yeah, they show you with color. So is it red, or green, or yellow? And they explain to you in simple, human, understandable language like what can you do to change it to make it fit? And I think that that’s fantastic.

John

I guess that doesn’t solve the problem of how they’re gonna remember that, right?

Rachel

Absolutely, the big part of the problem there is, there still is not a good solution for passwords. There’s a fantastic XKCD comic where it says we’ve taught people to remember passwords that are hard for people to remember but easy for computers to break. I think that’s very insightful. I’ll stop just short of advising that everybody now changes their passwords to sentence long, you know, to mymonkeylikesbananas. But I think, what I love about that comic is that in a very, insightful way, looks at the problem and says, “Hey, here’s what’s wrong with this.”

John

It literally changed all mine. I approach passwords completely different having read that comic.

Rachel

So, what I want people to do, I want designers and engineers to do, is to look at all of their systems with that eye. And say, “Is this really working for people?” And start proposing solutions and start not just addressing other designers but addressing each other, engineers and designers and then addressing product leads, addressing management with this matters. Here is how this can impact our organization, our country, negatively, and here’s what we need to do to change it. Because I think it’s gonna be a long fight to improve.

John

All right, thank you so much for that. I really look forward to what you’ve got to say tomorrow. Thanks for coming all this way and sharing some of your wisdom around making that experience of security–

Rachel

Thanks, thank you for having me.

John

You’re most welcome. Thanks a lot.

Rachel

Cheers.