Computer Security:
More Carrots, Less Sticks
The following article was written in collaboration with Luis Lubeck, who is a Senior Project Manager and Educator at Resonance Security. This is not just a theoretical article: at the end we provide ten different approaches that can be used to improve online user account security!
(Audio version available here: Spotify podcast)
Web2 has a problem, and although it is of the same magnitude as the problem faced by Web3, people haven’t really noticed because it has crept up on us over the last two decades.
The problem is the complexity involved in securely participating in Web2 systems, such as social media, streaming, online banking, and so on. It is about logging in, and it’s a nightmare.
Web2 versus Web3
Here’s a quick and simplistic recap of the difference between Web2 and Web3 — in the former a third party keeps your details and “your” assets on their server, and permits you to use their services. In Web3, you manage your own details and your own assets. A third party offering services can still block you, but they can’t take your stuff away from you. (I did say it was simplistic.)
And so Web3 logins are considered complicated and risky: you have to guard your private keys yourself, and the whole process is unfamiliar to most people, who have never used a blockchain wallet.
With Web2 the login systems and concept of an account are more familiar, and familiar stuff always seems simple. Furthermore, you’ve outsourced the losing of the “keys to the kingdom” to a third party. They’re probably going to let your login details be stolen at some point, but at least you won’t be blaming yourself!
What do I mean by “familiar stuff always seems simple”? If you have a look at the hoops you have to jump through you’ll understand what I mean. Here’s an example of the kind of password requirements you see online:
Your password must be at least eight characters long, and must include both lower and uppercase letters and at least one number and one special character.
In my twenty-five years online, I have managed to memorize a collection of such passwords, most of which I can no longer use because of data breaches.
For your most important online accounts you may well have:
- a long unmemorable password of gibberish and symbols,
- an authenticator app on your phone,
- an email account that an access code is sent to, and
- a scrap of paper in your wallet with sixteen recovery codes printed on it (three crossed out, but five used).
Boy, you’re gonna carry that weight
Security imposes a burden on the user, and over time our approach in the world of online computers has been to bolt on more and more security functionality to protect our secrets. Asking people to remember things, make choices, and interpret what is put on the screen in front of them requires effort on their part.
It is unlikely that you would ask one of your clients to perform ten push-ups before allowing them to log in to your service (unless you are providing a fitness app, I suppose). And yet the network of bolt-on security contraptions we have deployed for the online world in the name of improved security is doing the mental equivalent of just that.
And every few years, we add ten more push-ups, or star jumps, or squats.
There is no immediate upside to the user. True, if their account is hacked or their identity is stolen, then they’re going to wish they had chosen a stronger password or enabled two-factor authentication, but in general, people are not good at anything involving deferred gratification. And security is like an inverted version of deferred gratification — put in a lot of effort now, and then again and again, and you may avoid the disaster of being hacked.
Introducing the stick
The way we encourage users to be more secure is with sticks — through force. Just today, for example, I received an email from GitHub concerning the throw-away account that I use for experiments. I am told that I must enable 2FA, or I will no longer be able to access my account.
I already have forty-four 2FA accounts in my Authy Authenticator app. And five hundred and three entries in LastPass. Am I going to add that GitHub account? Unlikely.
A redesign from the ground up for Web2 is probably an impossible pipe dream at this point in time, but is there anything we can do to make the login process less burdensome? Or, at least, somewhat rewarding?
Yes, there is, and it involves carrots instead of sticks. As anyone with children knows, to get them to tidy up their room, you can threaten them with punishments, but rewards are far more effective. And they don’t always have to be material rewards.
Replacing sticks with carrots
And so this is what Luis and I were brainstorming about: in what ways could we incentivize the user to be more secure? Here is our first attempt at a list of suggestions to consider.
Badges or other status symbols
People appreciate being a “top voice” or “significant contributor” on a social media platform, provided the accolade is publicly visible. Consider adding a badge for being security conscious, or making the display of the other status symbols contingent on the user following proper security processes.
Competitiveness
Related to badges, turning the login process into a competition might help. Human beings are innately competitive. Being told one day that you are using fewer security mechanisms than 87% of users, and then discovering the next day, once you have enabled 2FA and downloaded backup codes, that you are in the top 10%, might be enough to push a significant number of users into finally taking those vital steps.
Community recognition
Extend the idea of badges and competition by creating a community leaderboard that showcases users who consistently maintain strong security practices. Recognizing and celebrating these users can foster a sense of belonging and competition within the community, for example, in big companies or worldwide teams.
Valuable rewards
Everyone likes getting stuff for free. Cash, tokens of value, discount coupons, and so on are all incentives that can be offered to get users to comply. If your COO complains about the cost, tactfully point out the expense of a) losing users who don’t see an upside in adding 2FA to their account or b) mopping up after a data breach.
VIP status
Ever stood in line at a nightclub or when boarding an airplane only to watch the first-class ticket holders or those on the list waltzing past you? The same can apply to online security: users who follow the instructions to secure their account can be given faster access, connected to faster servers, or provided with other priority services. Think load balancing based on who is logging in.
Recognition messages
This is very simple, but by popping up a brief message for those who are taking more care with their approach to security, congratulating them on their proactive attitude, you can reinforce their behavior elsewhere.
Group incentives
Provide some or all of the rewards above to people who encourage other people to use proper security protocols.
Exclusive content access
Reward users who engage in secure behaviors by granting them access to exclusive content, features, or services. This could be premium content, early access to new features, or enhanced customization options. The allure of unique benefits can encourage users to prioritize security.
Charitable donations
Partner with charitable organizations and allow users to earn points or rewards by participating in secure practices. Users can then convert these points into donations to their preferred charities. This approach adds a philanthropic angle, giving users an additional reason to engage with security measures.
Security-themed challenges
Create periodic security challenges with capture-the-flag exercises, or similar tasks or quizzes that users can participate in. Upon successful completion, users should earn rewards or unlock unique features based on some of the previous pointers we have given you. These challenges can gamify the security process, making it more engaging and enjoyable for users.
Conclusion
Note that this is not just about the various bolt-on security systems currently available — consider other areas where security is important but is skipped. For example, you can measure the user’s dwell time when they are asked to confirm whether they want to share a document with an outside email address. Are they giving it some thought or just clicking “share anyway” within microseconds of the dialog popping up?
Reward them for the extra time taken.
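The dwell-time idea can be implemented from the event log a service already keeps for such dialogs. The block below is an added example, not code from the article or from Resonance Security: it pairs each "dialog shown" event with the user's decision on the same dialog, computes the dwell time, treats a confirmation faster than an assumed 500 ms threshold as a reflexive click-through, and awards points only for deliberate decisions. The log format, the threshold, the point value and the log lines themselves are constructed for illustration.

```python
from datetime import datetime

# Constructed sample log of a "share with an outside address" confirmation dialog (not real data).
# One 'shown' event per dialog, followed by the user's 'confirm' or 'cancel'; d10 is never decided.
SAMPLE_LOG = """\
2024-05-01T10:00:00.000Z user=alice dialog=d7 event=shown
2024-05-01T10:00:00.180Z user=alice dialog=d7 event=confirm
2024-05-01T10:05:00.000Z user=bob dialog=d8 event=shown
2024-05-01T10:05:04.250Z user=bob dialog=d8 event=confirm
2024-05-01T10:07:00.000Z user=carol dialog=d9 event=shown
2024-05-01T10:07:02.900Z user=carol dialog=d9 event=cancel
2024-05-01T10:09:00.000Z user=dave dialog=d10 event=shown
"""

REFLEX_MS = 500         # assumed: a confirmation faster than this is treated as a reflex click
DELIBERATE_POINTS = 5   # assumed reward per deliberate decision


def parse_line(line: str):
    """Split one log line into a timezone-aware timestamp and a dict of key=value fields."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    # The trailing 'Z' is rewritten so fromisoformat accepts it on older Python versions too.
    return datetime.fromisoformat(ts_str.replace("Z", "+00:00")), fields


def dwell_times(log_text: str) -> dict:
    """Map dialog id -> (user, decision, dwell_ms) for every dialog that reached a decision.

    A 'shown' event with no later decision for the same (user, dialog) is dropped.
    """
    shown_at = {}
    result = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        key = (f["user"], f["dialog"])
        if f["event"] == "shown":
            shown_at[key] = ts
        elif key in shown_at:
            dwell_ms = round((ts - shown_at.pop(key)).total_seconds() * 1000)
            result[f["dialog"]] = (f["user"], f["event"], dwell_ms)
    return result


def classify(decision: str, dwell_ms: int) -> str:
    """A fast 'confirm' is reflexive; a cancel, or a slower confirm, counts as deliberate."""
    if decision == "confirm" and dwell_ms < REFLEX_MS:
        return "reflexive"
    return "deliberate"


def rewards(log_text: str) -> dict:
    """Points per user: DELIBERATE_POINTS for each deliberate decision, nothing for reflexive ones."""
    points = {}
    for _dialog, (user, decision, dwell_ms) in dwell_times(log_text).items():
        earned = DELIBERATE_POINTS if classify(decision, dwell_ms) == "deliberate" else 0
        points[user] = points.get(user, 0) + earned
    return points


if __name__ == "__main__":
    for dialog, (user, decision, ms) in dwell_times(SAMPLE_LOG).items():
        print(f"{dialog}: {user} {decision} after {ms} ms -> {classify(decision, ms)}")
    print(rewards(SAMPLE_LOG))
```

Dwell time is a reward signal, not an access control: it says nothing about whether the user actually read the dialog, and a user who learns the threshold can simply wait it out. That is acceptable here because the cost of a false positive is a few undeserved points, not an undetected data leak; the sharing decision itself still goes through whatever authorization checks the service already has.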
With a bit of thought and by looking at the current setup for your website or service, I am sure you can find all sorts of workflows where encouraging your users to put in a bit more attention will make you all more secure, especially if it is in their immediate interest to do so.
Feel free to share your insights and suggestions! I’m not saying that we can turn security into an amusement park, but with some work and imagination, we can make it less like filling in a form at the Department of Motor Vehicles.
And in the meantime, why not contact Resonance Security to start improving your security today?