
Let’s face it: Security is tedious by nature, and it has been since long before computers. Ancient cities were ringed with walls and visitors had to pass through consecutive gates to enter the bustling heart, and you can bet everyone got tired of opening and closing gates. Digital and mobile security are exactly the same. It’s all about being willing to lock more gates than the attackers are willing to break through.
The problem is that accessibility is almost always achieved by sacrificing security. The features that make modern software and apps more accessible to their users also make them more accessible to hackers and unauthorised personnel. There is an incredibly fine line between making the login process easier for the intended user and negating your security measures entirely.
Over the past decade, we’ve seen an evolution of ideas for approaching this accessibility-security challenge. No doubt you remember the increasingly complex password requirements and progressively shorter log-out/lock-out inactivity durations. What we discovered is that professionals hate jumping through hoops and customers won’t put up with it. By creating technically secure software, you could find yourself losing business to less secure companies that were also less of a pain to log in to.
This led to the auto-login era. Currently, nearly every business and consumer app on the market is willing to leave users logged in indefinitely and/or ‘remember’ their passwords so that login requires no more than a single convenient click. While this is admittedly easier to use, it is also overwhelmingly insecure. No matter how much encryption and other security measures are built into the app, anyone with physical access to a user’s computer or device can log in as if they were fully authorised. We have again swung away from security in favour of accessibility.
So how, exactly, can a software developer design an app that is both effectively secure against prying eyes and phone thieves but also doesn’t annoy the living hell out of your users? Mobile device soft-keys are not well equipped for password security, but the new technology also opens the door to new forms of authentication and security. It’s time to get inventive.
The first step to app security is a step backwards. We must stop allowing users to stay logged in indefinitely or to log back in without re-authenticating. Otherwise, anyone with access to a user’s synced browser account or physical device will be able to abuse their authentication.
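The practical form of that first step is a session policy with an idle timeout, a hard lifetime, and a recency requirement for sensitive actions. The following is an added example, not code from the original post; the timeout values, the `SessionStore` API and the in-memory backing are assumptions chosen for illustration, and all times are passed in explicitly (e.g. `time.time()`) so the policy can be tested without sleeping.

```python
"""Session policy with idle timeout, absolute lifetime and re-authentication.

Added example; not code from the original post. The timeout values and the
SessionStore API are assumptions chosen for illustration.
"""
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60            # drop a session after 15 min without activity
ABSOLUTE_LIFETIME = 8 * 60 * 60   # drop it 8 h after login no matter how active
REAUTH_WINDOW = 5 * 60            # sensitive actions need a credential check within 5 min


@dataclass
class Session:
    user: str
    created_at: float   # when the session was issued after a credential check
    last_seen: float    # last request on this session
    last_auth: float    # last time the user re-proved their identity


class SessionStore:
    """In-memory store; a real app would back this with a server-side cache."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, now):
        """Issue a fresh random session token after a successful credential check."""
        token = secrets.token_urlsafe(32)      # 256 random bits, not guessable
        self._sessions[token] = Session(user, now, now, now)
        return token

    def resolve(self, token, now):
        """Return the live Session for token, or None if unknown or expired.

        Expired sessions are deleted, so a stale token can never be revived
        by simply presenting it again later.
        """
        s = self._sessions.get(token)
        if s is None:
            return None
        idle_expired = now - s.last_seen > IDLE_TIMEOUT
        absolutely_expired = now - s.created_at > ABSOLUTE_LIFETIME
        if idle_expired or absolutely_expired:
            del self._sessions[token]
            return None
        s.last_seen = now
        return s

    def needs_reauth(self, token, now):
        """True if a sensitive action must first re-prompt for the credential."""
        s = self.resolve(token, now)
        if s is None:
            return True
        return now - s.last_auth > REAUTH_WINDOW

    def reauthenticate(self, token, now):
        """Record a fresh credential check (call only after it succeeded)."""
        s = self.resolve(token, now)
        if s is None:
            return False
        s.last_auth = now
        return True

    def logout(self, token):
        """Explicit logout: forget the token immediately."""
        self._sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login("alice", now=0)
    print("active after 10 min:", store.resolve(tok, now=600) is not None)
    print("needs re-auth for payment at 12 min:", store.needs_reauth(tok, now=720))
    print("active after 30 min idle:", store.resolve(tok, now=720 + 1800) is not None)
```

The absolute lifetime is what actually ends the "logged in forever" state: a phone that is used every day would otherwise keep refreshing the idle timer indefinitely. The re-authentication window is the middle ground the post is looking for, since the user only sees a prompt when they do something sensitive rather than on every launch.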
Visual passwords are growing in popularity because they don’t bring the same tedium as text-based passwords. A visual password may involve drawing a sequence of lines through a grid of dots, selecting a set of images from a larger collection, or touching/clicking specific items in a busy picture, like an I-spy game.
The reason visual passwords are so appealing is that they are more like mini-games than traditional passwords. Even if a user must log back into their phone or workstation a dozen times a day, a visual password is more enjoyable than tapping out a random collection of letters and numbers.
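The caveat a practitioner wants alongside that enthusiasm is the size of the keyspace: a grid pattern is pleasant to enter, but there are far fewer of them than there are eight-character text passwords, so the server-side lockout and rate limiting matter more, not less. The script below is an added example, not code from the original post; it enumerates the valid patterns on a 3x3 dot grid under the commonly used rule (assumed here) that a stroke may only pass over an unused dot if that dot has already been visited, and reports the result in bits alongside a text-password keyspace for comparison.

```python
"""Size the keyspace of a 3x3 grid-pattern password (added example).

Assumed rule: a stroke between two dots that passes over the dot midway
between them is only allowed if that middle dot has already been used;
patterns use 4 to 9 distinct dots. This is an assumption for illustration,
not a rule stated by the original post.
"""
from math import log2

GRID = 3
DOTS = GRID * GRID


def _midpoint(a, b):
    """Return the dot lying exactly between a and b, or None if there is none."""
    (r1, c1), (r2, c2) = divmod(a, GRID), divmod(b, GRID)
    if (r1 + r2) % 2 == 0 and (c1 + c2) % 2 == 0:
        return ((r1 + r2) // 2) * GRID + (c1 + c2) // 2
    return None


def count_patterns(min_len=4, max_len=DOTS):
    """Count valid patterns, keyed by number of dots used."""
    counts = {n: 0 for n in range(min_len, max_len + 1)}

    def dfs(last, used, length):
        if length >= min_len:
            counts[length] += 1
        if length == max_len:
            return
        for nxt in range(DOTS):
            if used & (1 << nxt):
                continue                      # each dot may be used once
            mid = _midpoint(last, nxt)
            if mid is not None and not (used & (1 << mid)):
                continue                      # cannot jump over an unused dot
            dfs(nxt, used | (1 << nxt), length + 1)

    for start in range(DOTS):
        dfs(start, 1 << start, 1)
    return counts


def keyspace_bits(keyspace):
    """Entropy in bits if every element of the keyspace were equally likely."""
    return log2(keyspace)


def text_password_keyspace(length=8, alphabet_size=36):
    """Keyspace of a text password (default: 8 chars of lowercase + digits)."""
    return alphabet_size ** length


if __name__ == "__main__":
    counts = count_patterns()
    total = sum(counts.values())
    for n, c in counts.items():
        print(f"{n} dots: {c:>7} patterns")
    print(f"total grid patterns: {total} (~{keyspace_bits(total):.1f} bits)")
    txt = text_password_keyspace()
    print(f"8-char alphanumeric text password: {txt} (~{keyspace_bits(txt):.1f} bits)")
```

The numbers make the design point concrete: the whole pattern keyspace fits in well under 20 bits, so a visual password is a good replacement for the user experience of a password, but only when the server enforces attempt limits and it is backed by device-held secrets or a stronger credential for account recovery.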
Modern mobile technology has also brought high-end security procedures into everyday life. Many modern smartphones can recognise users by their eyes looking into the phone camera or by scanning their fingerprints. These are near-instant authentication methods that are very difficult to spoof, meaning that the casual phone thief or family member borrowing a device won’t be able to access secured apps and data.
Finally, the rise of smart homes and voice search has re-introduced the idea of vocal authentication: specifically, the ability to say a key passphrase in the same tone and timbre as the user. Some users even choose a song, because everyone’s singing voice is unique.
Each of these alternative methods of authentication is less irritating than tapping in a traditional text-based password, especially on mobile devices. If you want your app to be both notoriously secure and enjoyable to use at the same time, break away from traditional passwords (or only use them as backup security) and embrace cutting-edge authentication methods that feel more like a game or a conversation. For more tips on app security and design trends, contact us today!
Posted by Chris Garrett on 3 January 2019