Can anyone make security cool?
I made my first Internet purchase in 1993, a T-shirt for the nascent music-sharing site IUMA (Internet Underground Music Archive). The founders of IUMA, all from the University of California, Santa Cruz, had thought a lot about their venture, and understood many things about the Internet, the law and risk. First of all, IUMA didn’t put any copyrighted music online. It was all about giving unsigned musicians a chance to get heard in glorious “MPEG sound”, as my fabulous T-shirt reminded everyone. But even when selling me my T-shirt online, they were careful to point out on the form their belief that sending credit card numbers over the Internet was too risky, so having filled in the form, I was given a street address where I could mail my check for the T-shirt. Not exactly one-click buying.
It took about ten years before Internet commerce really began to take off, and seemingly, convenience has been an important factor. How easy is it to check out? How easy is it to pay online? Vendors like Apple and Amazon ask us to trust them with our credit card numbers just to make it that much easier to impulse buy that copy of “Get Lucky” for our smartphone.
In fact, most successful Internet startups are very focused on looking after their clients in ways like this. Usability studies, responsive design, A/B testing and a culture of metrics are all part and parcel of any new venture. But security? Everyone seems to default to user IDs and passwords, despite the recurring instances of data breaches. Why is it that Internet services can be so worried about details like the font you see on the tablet version, but treat the authentication process as an afterthought?
I think that what we need is for the sign-in process to become visually arresting, to have a front-end bit of eye candy that says “We are doing more about protecting your identity.” In short, to make security cool.
Then, like responsive design, people will want to show you how neat it is to use this new service. Security and convenience need not be mutually exclusive, and like design shops that offer responsive design, there is a need for expertise that can integrate easily into any project. Gemalto offers an SDK (Software Development Kit) for mobile banking that does some of this, but we (and others) need to do more.
IUMA was shut down definitively in 2006 after several years struggling to find a place, and my T-shirt should have been turned into rags years ago. But they knew some things back in the early 1990s that are still valid today and, as security breaches become more commonplace, it feels like the time is right for security to become the new cool.