Open question: How much convenience are you willing to give up for security?

As multi-step security measures become the norm, consumers need to exert more effort.

questionmarkSecurity measures to protect online information increasingly require end-user involvement. As an example, Google recently introduced a 2-step verification process. It certainly offers an additional layer of security, but it doesn’t come easy. According to the instruction page:

  1. When you want to access Google products from your browser, go to that product and enter your username and password.
  2. You’ll next be prompted to enter your verification code, which you’ll get from your phone. You’ll only have to do this once every 30 days if you so choose.
  3. Soon after you turn on 2-step verification, non-browser applications and devices that use your Google Account (such as Gmail on your phone or Outlook), will stop working. You’ll then have to sign in using your username and a special password you generate for this application. (Don’t worry, you’ll only have to do this once for each device or application.)

So, every 30 days, the consumer must get a new code from his or her mobile or landline phone in order to access Google products. The security is increased, sure, but at what cost to the consumer? Someday, at the other end of the Way Forward machine, we’ll be able to use the new encryption key for the quantum Internet to manage all our security needs. But for the time being, a couple of questions come to mind:

  • How much convenience are you willing to trade for increased security?
  • Should the responsibility fall to the consumer, or should companies work harder to create secure systems?

Please share your thoughts in the comments.


tags: ,
  • Rev. Brian Scott O'keefe

    I currently use an ‘Authenticator’ to play my online games with Blizzard. What this means is I first sync my iPhone app with my Blizzard account. Then whenever I sign on to play or access my account, I have to enter my password and then open the app, which generats a KEY that I type in and voila… I am live.

    I would happily do this for all my online sites where I have financial risks involved.

  • Self-reports are notoriously error-prone, and I suspect that the discrepancy between intentions and actions regarding convenience and security is wider than in many other dimensions of human behavior, especially given how poor we generally are at accurately assessing specific risks.

    Although I’m sure you’ll get some interesting comments here, I think it would be more interesting to see whether Google – or anyone else offering additional security measures – reports adoption rates and/or rejection rates.

    And if anyone knows of any reports of adoption rates of enhanced security for other web services, please do share them.

  • Companies should work harder to create secure systems as they thoroughly understand the data security risks and how consumers interact with and use their applications, systems, etc. There are so many personal devices in play and now with mobile transactions on the rise, way too many opportunities for security breaches.

    One way or another, when a security breach does occur the onus is always on the company to address it so why not treat security as a prerequisite during the development and testing phases? That being said, I have to say that although I consider myself pretty well informed about data security issues, when I first read about Google’s 2-step verification process my initial reaction was could you have made this any more difficult for people operating in the real world to use? Come on! The smart, talented engineers at Google fell down on this one.

  • Mac Slocum

    Speaking as someone who uses 2-step verification — and who takes security pretty seriously — there have been a number of times where I’ve come close to turning it off. I don’t because I know it’s a good thing to have in place, but oh my can it be a pain sometimes. My personal adaptation has been pretty severe, and I imagine many others would be far less inclined to use this sort of security.

  • I use 2-step verification for GMail and I believe the Google way of doing this is just great! I’m really happy this is possible and I would use it for all the websites if possible.

    I’m also using unique passwords for all my accounts on the internet in order to avoid being exposed to the security risk of password reuse.

  • John

    Users never want to do anything extra. That’s human. What really motivates anyone is the end exposure risk. Hence it depends on application that we are trying to protect. Let’s take two cases as below:
    1. Gmail: who cares if my email is hacked? Sure I might have some secret/private emails that might be exposed (like Sarah Palin’s). Is it the end-of-life? Absolutely not.

    Now let’s closely look at half-hearted (a**ed) job from google. Once you prefer to go thru 30day phone factor (I.e., one time access code delivery and plug-in into login credentials), you are essentially using a cookie that can be stolen by sufficiently motivated hackers. Now why is google offering to have this 2factor option invoked every 30 days? Answer: they themselves know very well its a pain in the a**.

    Let’s look at a different application, online banking: they are stuck with passwords. Having 2nd factor scaling to millions of accounts is simply riddled cost overhead and pain to the consumers. But they (banks) are somewhat motivated to push their users to adopt something they want. I do banking with chase and its really irritating and pain to go over my 1hr delayed email for the access code and I don’t want to pay for sms txts and have my cellphone ready. Moreover “zero-liability for anything stolen from my acc” is misleading and doesn’t give me sufficient motivation to do everything in my capacity to protect my acc.

    There you go! My 2c.

    But there are other solutions without the 2nd factor inconvenience and zero footprint solutions. One such story you may want to follow:

    Again if anything users do as a second nature thing, will most likely be adopted. IMHO.