In this post, I will be using an edge-case to demonstrate a point. If you are uncomfortable with that, please stop reading.
Irony alert! This blog has a re-CAPTCHA system in the comments, also easily defeatable (thanks to the person who keeps proving it... now stop). I think this further illustrates the point, don't you?
I just failed the human test... what?!
You know "security" has lost its way when you try to perform an action and the validation piece to make sure you're human, the bit that is meant to keep the 'bots and scripts' out, isn't possible to complete.
Case in point, this screen capture:
Wait ... is that ... hieroglyphics?! What language is that 2nd part? That looks like 3 stick figures to me, what about you?
I know, I'll click the little speaker, which should say the second part, and I'll just easily write it down ... right? Wrong. It's a robo-voice that is absolutely unintelligible... no clue what it said.
While I realize that this is just one example of really bad security, it made me stop and think. This is the direction we're headed in... the next time you say something like "users are just too stupid to understand our uber-good security" ...remember this because I asked on Twitter (a reasonable representation of smart people) and not one person had any clue what this was. I did get some hilarious responses though (shared at the end for comedic relief).
Before you start writing your reply about how this isn't the way all security is done, I already conceded that in the first sentence of this post ... I realize this is a crazy edge case. But think about how often you've encountered security measures that don't allow legitimate tasks to be performed because we've made it so gosh darn hard.
I'm sure if I clicked the refresh button enough (I clicked it 3 times, they were all ridiculously difficult to guess) I would find something in that 2nd part I could make out - but that's the point, isn't it? Why should I have to keep clicking refresh until I find something that's easy - isn't that exactly what a bot or script would do? Does this conclusively prove this re-CAPTCHA has failed?
On a more general note, this is a trend many of us in the industry have talked about as a dangerous path to our own demise. In an effort to thwart the 'bad guys' we've escalated the path to more and more ridiculous work-arounds ...like this re-CAPTCHA for example. We're in effect accelerating our own demise. Every time a consumer or customer (dare I use the word, "user") sees something like this they get frustrated and curse "those security people" for making the system unusable. Some of the consumers of these increasingly ludicrous contraptions are simply walking away. I had a shopping cart here, and I got so frustrated I simply quit and went to a different site where I didn't have to guess at what appear to be glyphs.
Security must be friendly
If you're still arguing that we need to 'force' security onto the user, you're probably someone who sees nothing wrong with getting a few of these and having to cycle until you find a readable one (or guess-able one). You probably don't care that a good percentage of your consumers will simply give up and go elsewhere ...or if this is an enterprise application they'll simply find another way.
This is wrong, simply put.
Security needs to be simpler on the well-meaning human than we are making it. Oddly enough, Facebook's secondary validation system is really good at this... you've probably seen it once or twice because you are human and aren't trying to create a thousand accounts at once, or log into someone else's account. The notion that you need to 'challenge' everyone is silly in the vast majority of applications and will result in a rebellion of the consumer. In order to find that balance you need to inconvenience as few people as little as possible, and this means admitting that some baddies will slip through ...but that's within the 'tolerance'. By the way, your tolerance can't be 0.
Before I get that re-CAPTCHA which I have zero chance of getting right, I should have tripped some sort of 'sensor' that tells the system I'm likely not human. Maybe I fly through pages too fast. Maybe I drop into the application registration page without going through the landing page first. Maybe I simply add to cart, check out without registering from the same IP address more than once in 10 seconds ...you get the idea. Also, maybe we dump this insane re-CAPTCHA for something that a human has a chance of getting correct?
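Here is what that 'sensor' idea looks like in code. This is an added example written for this post, not code from the site in the screenshot or from any CAPTCHA vendor; the signal names, weights, the 10-second window and the challenge threshold are all assumptions chosen to illustrate the three signals named above (flying through pages, skipping the landing page, repeat checkouts from one IP). The point it demonstrates is that the challenge is only shown once the visitor has already looked suspicious, and that a single weak signal is tolerated rather than treated as proof of a bot.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed illustration of a risk "sensor" that gates the CAPTCHA.
# Every constant below is an assumption for the example, not a recommendation.
FAST_PAGE_SECONDS = 1.0      # page views closer together than this look scripted
IP_WINDOW_SECONDS = 10.0     # window for counting repeat checkouts from one address
IP_MAX_CHECKOUTS = 1         # more than this many in the window is suspicious
CHALLENGE_THRESHOLD = 2      # one signal alone is tolerated; two or more trigger a challenge


@dataclass
class Session:
    ip: str
    # (timestamp_seconds, path) in the order the pages were requested
    pages: list


class RiskSensor:
    """Scores sessions in arrival order; only high-scoring ones get challenged."""

    def __init__(self):
        # per-IP checkout timestamps, oldest first, used for the burst check
        self._checkouts = defaultdict(deque)

    def score(self, session):
        reasons = []
        times = [t for t, _ in session.pages]
        paths = [p for _, p in session.pages]

        # Signal 1: flying through pages faster than a person could read them
        gaps = [b - a for a, b in zip(times, times[1:])]
        if gaps and min(gaps) < FAST_PAGE_SECONDS:
            reasons.append("fast_navigation")

        # Signal 2: dropping straight onto registration without the landing page
        if "/register" in paths and "/" not in paths[: paths.index("/register")]:
            reasons.append("no_landing_page")

        # Signal 3: more than one checkout from the same IP inside the window
        if "/checkout" in paths:
            now = times[paths.index("/checkout")]
            seen = self._checkouts[session.ip]
            while seen and now - seen[0] > IP_WINDOW_SECONDS:
                seen.popleft()              # forget checkouts outside the window
            if len(seen) >= IP_MAX_CHECKOUTS:
                reasons.append("ip_checkout_burst")
            seen.append(now)

        return len(reasons), reasons

    def should_challenge(self, session):
        """Return (challenge?, reasons). Below the threshold the human sees no CAPTCHA."""
        score, reasons = self.score(session)
        return score >= CHALLENGE_THRESHOLD, reasons


# Constructed sample traffic: a shopper browsing at human speed, and a script
# that hits registration and checkout back to back, twice, from one address.
HUMAN = Session("203.0.113.10", [(0.0, "/"), (12.5, "/product/42"), (40.2, "/cart"), (55.0, "/checkout")])
SCRIPT_A = Session("198.51.100.7", [(100.0, "/register"), (100.2, "/cart"), (100.4, "/checkout")])
SCRIPT_B = Session("198.51.100.7", [(103.0, "/register"), (103.2, "/cart"), (103.4, "/checkout")])


def demo():
    sensor = RiskSensor()
    return [sensor.should_challenge(s) for s in (HUMAN, SCRIPT_A, SCRIPT_B)]


if __name__ == "__main__":
    for session, (challenge, why) in zip((HUMAN, SCRIPT_A, SCRIPT_B), demo()):
        print(session.ip, "challenge" if challenge else "no challenge", why)
```

The shopper never sees a challenge; the script is challenged on its first pass (two signals) and accumulates a third on the second pass. Setting the threshold above one signal is the 'tolerance' from the previous section made explicit: a real person who happens to bookmark the registration page trips one signal and is still left alone, and a few bots that trip only one will slip through, which is the accepted cost of not challenging everyone.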
I have to wonder ... how many security walls like this are there out there that consumers/humans can't get through, but hackers and scripts/bots blow through no problem... way to go guys.
Yes, this is an edge case. I acknowledge that, most security isn't like this ... yet. Whether we keep pushing for more insanity like this is up to you the practitioner, designer and architect. Please stop the insanity ... please work very hard in 2013 to make sure your security is usable, and friendly.
Comments welcome! I especially want to hear from you if you have examples of insane security that's unusable and/or failing at 'security' goals.
Also ... this year I'm starting a new blog 'label' ... "relevant security" for those posts which just go to the heart of this matter. I hope to have several guest-posts on this topic!
-Some hilarious responses from Twitter friends-