Watch this episode on YouTube.
Reasonably Accurate 馃馃 Transcript
Good morning, everybody. How are you doing today? Not to sound dramatic, but I gotta make this quick because I'm not sure how long I have. They're running fiber in my neighborhood. Yay, but it's insanely loud because they've got a bunch of machinery out, um boring new holes, fixing some stuff up um with the infrastructure and it has just been like reverberating loud for the last couple hours as well as uh the last couple days.
So um just double checking because I'm back inside everything's looking good. Um What I want to talk to you today is about um triggered off one of the announcements that came out from Google next, which is Google's cloud conference around Google cloud, which is primarily Google cloud platform, um some Android stuff, um some uh chrome, some maps which are technically under the Google cloud as well as G suite.
Um but mainly focus on Google cloud platform. But one of the announcements I want to talk about was a little bit more niche um which is the new Google Titan security key. This is a physical device that provides authentication. So instead of typing in a code, if you've got the device connected to.
If you've got your key connected to the device you're working on, it will do the two factor authentication in the background for you very similar to the key, which is available to everybody through a bunch of different stuff now. Um And there's, there's been a little bit of not controversy but a little back and forth between Google and UB key.
So previously Google used to push UB key as the supplier um for um uh secondary keys for G suite um which was great UB key is a fantastic device. They've got a couple of different models. Um They work real well.
Um UB key was not involved in Titan and obviously creating Titan has a business impact on UI key. But Titan made an interesting choice in that they've enabled not just NFC and USB connectivity, but also Bluetooth and this is something that UI key has avoided.
And in fact, they made a statement this week publicly saying that they decided not to do it because of usability and because of security concerns around Bluetooth. And it's true, Bluetooth is more complicated. There's more that can go wrong um from a usability perspective, also from a security perspective, but um some people have jumped on board um and a round two factor in general, spurred by this question of, of uh Titan.
Um and there's a lot of interesting statements, there's a lot of stuff that's accurate but not with the perspective I would like to see applied. So one of the things or let's just clear the ground or clear the air, let's just level set here.
So two factor authentication or multi factor authentication more accurately means in addition to your user name and password, you also have something else. Normally that's going to be something you all or something you have. So a biometric or an app installed and synced up with your account that's generating a random set or a mostly random set of characters that you type in as a one time access code.
Now, some other companies have gone the route of instead of using an app or a hardware token, they will text message you a code or email you a code to a trusted account. Now, there are disadvantages to those from a security perspective, but there's also advantages from a usability perspective.
The challenge here is finding a balance now, Google is going for scale and that's super important to keep in mind. Google G suite has millions and millions and millions of users and the more users that turn on multi factor authentication, the better off those users are gonna be.
It's no question that turning on multi factor authentication is a huge improvement in account security. The challenge is getting people to do it. Passwords suck. People hate passwords asking them to do yet. Another thing makes it really, really hard, which is why the key solution is a really interesting one when a key is plugged in or when it's connected to the device, that second factor just happens in the background and it reduces that burden on the user, which is a huge win.
It's far more usable. But you still have to remember to bring the key with you. And in fact, not interacting with the key can make it even harder to remember to bring the key with you. So there's no easy solution here.
But the push back on like text messaging ends up being well, people can intercept text messages. Yes. Theoretically they can, there's no attacks. It's not insanely difficult, but it is something else you have to do. In fact, I saw a tweet this morning that said two factor doesn't even really stop you.
If you're being fished by a good opponent, they're gonna fish your user name and password and then they're gonna realize that there's a prompt for two factor. They're gonna push um to get that two factor uh code from you as well.
Um Which is true, but that code is only valid for a certain amount of time. And that's sort of the advantage of tokens. Those codes rotate. Um normally every 30 seconds versus an S MS message which gives you a defined set, you know, a couple of minutes.
But still, it's better than nothing. And I think that's what people lose in general when it comes to usability and security. And this is where I, you know, go with the title of the episode for reasonable um decisions and reasonable actions is that nothing's perfect.
There are no perfect security measures. You will never attain 100% secure, whatever the heck that would even mean. Um But what you need to do is take reasonable actions that will improve the security of your users of the data.
They entrust you with um multi factor very, very much improves the security and it's a low burden now, everything that we can do. And this is a great um There was a great quote from Google's product manager around Titan talking about anything they could do to reduce the usability or sorry to increase the usability and reduce the burden on the users was a win.
And I firmly agree with that that applies not just to security keys but to everything in general semi tangent. I was speaking at CS Comp uh in San Francisco next week and I was getting my slides ready and I was going to use an example of security failure and it's just too depressing to use.
I was mapping out the user flow for when in a browser you're confronted with a bad um SL certificate, there is no way any reasonable user will be able to make an informed decision when that happens. It's ridiculous. It just keeps prompting you, prompting you, prompting you.
It's bad UX. It's absolutely bad UX. It's UX design from uh uh under under a lack of understanding of the problem space. Um and it makes things less secure because now users are making um uninformed choices. They're simply clicking to get rid of things.
That's a bad usability design when it comes to security keys, having them um interact with the system in behind. So if it's physically connected or if it's, you know, wirelessly connected, the user not having to do anything. That's awesome.
They just type in their user name and password. And that second factor is provided by the system locally securely automatically without the user worrying about it. That's amazing usability. And there are still challenges around remembering the darn physical key.
But then, you know, even pulling up an app or getting a text message with an additional code, that's a minor, minor bump in usability, it makes it a little more, a little harder to get on the system, but the security win is huge.
And I think that's something we don't relate to users nearly as well. How big that security win is. But that's at least we're making progress along multi factor authentic usability. There is a massive debt, uh usability, debt, design debt around security in general.
Um It's interesting to see the aspects of this bubble up right here. What do you think? Let me know online uh at, at marknca um in the comments down below if you're watching the vlog. Um always by email me@markn.ca your comments, your discussion drives the topics for this show.
Um I keep getting a ton of great questions from people trying to get started in cybersecurity. I do read them all. I'm trying to get back to individual responses, but I will keep broadcasting topics here. I've actually created a new playlist on youtube just for how to get started topics when we do cover them on mornings with Mark.
So, keep those questions coming. What, uh, the big one for today? Usability and security. Where do you see the balance? Where do you see the tradeoffs? Are people making better, more reasonable decisions when it comes to security? Yeah, I don't think so, but I'd love to hear what you think.
Have a fantastic day. Um, I will talk to you on the show tomorrow.
