Security has become too complex

Take a look through any internet security forum and you will find a ton of debate around the right way to stay secure online. For some that means using a password manager that never touches the internet, and handling the backups yourself. For others, it means the expertise and infrastructure that come with a cloud option. For MFA, a hardware security key used to be the absolute best answer; however, with passkeys now entering the mix, there is renewed debate around how necessary these devices are. Regardless, all of this makes very little sense to the average non-technical user, and that’s a huge problem.

When people do not have any clue what is going on, they tend to revert to doing nothing at all. Most cybersecurity breaches today are not technical in nature (such as a certain encryption protocol being broken) but rather human in nature: people get phished, are tricked into installing malware, or use the same credentials in multiple places. Telling individuals to use the latest and greatest technical products is not going to help if they don’t use them.

Passwords

Every year, Bitwarden runs a survey asking individuals and companies about their password practices. In 2023, 90% of respondents stated that they reuse passwords across multiple sites, which could lead to one breach affecting more than one account. The solution to this (as perhaps suggested by the company behind the survey) is for individuals to use a strong and unique password for every site. Easy: “set up a password manager and you are good to go”, says the techie. From the end user’s perspective, however, things are a bit more complicated.

For example, the first hurdle is to convince someone to get past the “everything in one basket” phobia, which certainly has some validity. In the wake of events like the LastPass breach this can be a tough obstacle to overcome, as it brings in concepts like encryption and threat modelling. Sure, the risk of the password manager being breached exists; it is just a smaller risk than relying on memory and using the same password for every site.

Then there is the question of multi-factor authentication (MFA) on that password manager, which can be another challenge for people who are used to integrated MFA for their main accounts (for example, Google will simply send some digits to your phone’s Gmail app). With integrated MFA being the baseline experience for many, explaining that you need to install a separate application to receive a TOTP code just sounds like so much extra work. MFA on a password manager is a huge leap forward in one’s security setup, but it also increases the risk of someone getting completely locked out of their account. Developers and system administrators have backups of these codes, or plans for what happens when they lose their primary device. Other users may fret over the cost of the lost phone, then shrug their shoulders, not knowing that the TOTP codes may have been bound to that device (depending on the MFA app used).

Luckily, the Bitwarden password survey also revealed that 92% of respondents were using MFA in the workplace. This gives hope in the sense that users are becoming much more familiar with the concept; however, it also means that many users may have come to associate it with being a huge hassle. At work, MFA is something that is enforced upon users, and the steps to implement it are prescriptive or performed automatically by IT. Additionally, when a work device is lost, the employer can ultimately reset the necessary switches to allow a given user to log in again to enterprise applications. The same may not be true of personal accounts; try getting Google to give a hoot when you call support and tell them you have lost both your password and your MFA, you are literally one in a billion.

Managing backups

Having accounts compromised sucks, but it usually only happens one at a time. At worst, maybe ten at a time if passwords are reused. Imagine losing access to everything at once because one cannot get into their password manager or forgets the super complex password they were advised to use for their email. Backups to the rescue? Only if such backups exist.

After getting someone set up with a system, it is also essential that they have the skills to maintain critical aspects of that system. In the case of security, one important part of this is routine backups that are themselves secure. Password managers often offer two options: either an encrypted backup that is tied to the platform itself, or a completely open file format like .csv, which would then need to be handled with care. Options like VeraCrypt or Cryptomator that may be used in tech circles are almost certainly off the table. In the example of a family situation, having someone set things up over the holiday period won’t be great if this also means that backups only occur once a year. Many accounts are created or changed over the course of the year, and losing access in November would spell disaster.

Notifying end users when action is required

Both Google and Apple now have programs that inform you if the passwords you store with them have been found in a breach. Most password managers have similar functionality. The problem is that those who receive these notifications don’t know what actions are required, and such messages may also come across as scams, since many phishing messages also mention something about passwords and urgent action. Furthermore, the concept of a hashed password being leaked doesn’t resonate. Users won’t think they are “hacked” until they are either unable to log in to a service, receive an erroneous bill on their credit card, or notice a post that wasn’t authored by them on one of their social media apps. Changing a password requires logging into the website and updating the stored password in the password manager (if one is used), or coming up with a fresh password if passwords are simply memorized. To make matters worse, if passwords are reused, the change then needs to be made everywhere. To someone who isn’t on the internet constantly, signing in and out of accounts, that just comes across as a lot of work. “Have I been hacked?”, “well, kinda”, “then let’s leave it for another day, I’m busy”.

Developers are responsible, not end users

If I walked into a restaurant, ordered a meal, and the server then said “first, can you explain how to cook this, where to source the ingredients, and what to do if the kitchen catches fire”, I would look at them as if they had three heads. As a society, we exist in a structure in which expertise is siloed and individuals specialize. Nobody can be expected to keep up to date on the latest and greatest in every domain of expertise, and cybersecurity is no exception. Sure, employees at a company should receive training on how to avoid phishing etc., but as a tech community we also have a responsibility to make products that are easy to use and understand so that they actually get adopted.

Using email addresses as our internet usernames (something that I will perhaps write about at another time) and the universal nature of passwords have created a system where capabilities and requirements vary by site. On one site, you can only have a 12 character password that cannot include special characters, and on another you must use a dollar sign exactly twice (I joke, but you get the point). Password managers are a tool to help organize the chaos, but they are a band-aid solution, and likely not the way an expert would go about things if the system could be re-imagined from the ground up.

Biometrics to the rescue

One of the things that I am most excited about with passkeys is the possibility that a lot of this complexity will be abstracted away and users won’t have to keep track of any of it. Their face and fingerprints will be with them always, and so long as multiple devices are used with either Google or Apple, they will be good to go. The open source enthusiast in me squirms at the thought that both of these monopolies will be further entrenched in people’s lives; however, let’s face it, many of these users are already in these walled gardens with no thoughts of switching anytime soon. If the benefit is increased security, with very little downside, then I count it as a win.

Given all the difficulties explained above, I think it is critical that passkeys are explained in a non-technical way by default. This transforms them from “a new security product that is fancy and complex” into “a step towards making your life so much easier”. The first scares people away; the second increases adoption.

Conclusion

It is important to have patience when dealing with family, friends, or coworkers when it comes to cybersecurity. Not only is nobody perfect, but the current state of things is incredibly complex. Explaining “so your password manager, which you sign into with your phone through your main password, then validate through email” is a difficult process to go through. Since the consequences of a breach are not always tangible (the old “who cares, my info is probably out there anyway”), going through so many steps just because it is “best practice” may only be possible if the person you are helping trusts you enough to take you seriously. Working with them and meeting them where they are is essential, because being 75% of the way there is so much better than never trying to improve anything at all.