Here, our resident and highly regarded cryptographer, Dr Michael Scott, reflects on the initial introduction of secure verification on the internet - and considers the challenges it still faces when competing with user experience.
When the internet was first invented, security wasn’t high on anyone’s agenda. The application itself was far more exciting and ground-breaking, and security could wait. It apparently came as something of a surprise when email was first abused by spam. A rudimentary Username/Password mechanism was recycled for authentication purposes and people concentrated on the more interesting stuff.
As a naive young computer scientist with an interest in security, I was confident that as things developed we would learn from our mistakes, and security would in future be baked-in from the get-go and not bolted on as an afterthought. Next time we would get it right.
I was completely wrong. Nothing of the kind happened. Security is and always will be an afterthought. The application and the associated user-experience always comes first, because they sell the product and make the money.
And unfortunately security almost always impacts user experience in a negative way. An exciting new internet experience is inevitably tainted when we get to that page which demands a username and yet another password to manage. And every time we re-use the same password we are chipping away at our own security, and we know it. If you thought about it – and imagined your worst enemy discovering your favourite password – you wouldn’t sleep so well.
There are a few reasons for this. Indeed the current pandemic teaches us a thing or two about security. Only when security or health becomes an issue for oneself or one’s immediate social circle does it become important and real. As a work-around we all turned to Zoom in order to continue to communicate.
And Zoom is a very good example of what I am talking about. It took off based on a really slick user interface. Initially its security was woeful. Some people got Zoombombed, which is a really bad experience. The company scrambled to fix the problems and bolt on end-to-end encryption. But competitors who took security more seriously from the start didn’t do nearly as well. You sell a product on its features and its user experience, not on its security. This rule even applies to security products!
So the trick is to provide rock-solid security, while ideally not impacting the user experience. Like in the movies when the hero steps out of his car in mid-town Manhattan and doesn’t bother to lock it. Or like walking out of your house with the front door and windows left open, yet somehow feeling assured that your security will not be violated. It’s a big ask.
For now we might be content just to do better. To provide stronger security with minimal impact on user experience. And that is exactly what our M-Pin product does! It is easily “bolted-on” and now you only need to remember a 4-digit PIN, an experience we are all much happier with.
Dr Michael Scott is Chief Crypto Officer at MIRACL, one of the pioneers of Pairing-based Cryptography and the “S” in the widely used BLS and KSS families of elliptic curves. Following a distinguished career of almost 30 years at Dublin City University, and as an active consultant to both the public and private sector, he draws his unmatched depth of knowledge not only from his academic expertise – he has published over 100 highly cited papers – but from his genuine love of cryptography and the science behind it.