Friday, December 22, 2006

Putting emotions aside.

Today I was talking to a friend of mine about a project I'm working on and about PKI in general. We went over the current problems with end-user security, whether it's an ATM PIN or a website login, and agreed that the common one-factor (password) authentication is just about to expire. The world needs something better, and by that I don't mean "stronger" passwords: a stricter password policy usually just increases the complexity of the secret the user has to remember, so it ends up written down or reused, which weakens the system rather than strengthening it. So we were sitting there, drinking coffee, talking about it, and suddenly my friend said:

When it comes to security, emotion must get out of the way.

By that he meant that we should eliminate the human factor. The actual words he used were so interesting that I thought they were worth mentioning here. He had spontaneously put his finger on the reason humans are always the weakest link in a security chain. It's not because they can't count high enough or work 24/7. It's because they have emotions that can push them off logic's path and make them do things they will later regret.

Those emotions make them "help out" a beautiful girl, sympathize with someone pretending to be a colleague, or behave unreasonably under fear or stress.

By eliminating the human factor we eliminate fraud (OK, maybe that's not entirely true). Computers never doubt. Their decision-making mechanism is binary: something is one or zero, true or false.

Of course, computers are products of humans, so there you have it again: the human factor. So maybe it's not that easy to get rid of it, but we can surely contain it within small groups of specialized people.

It's one thing to have a security expert taking care of your safety, and quite another for you to be solely responsible for it.

So the next time you read the security policy for a service, look for the You-Are-Responsible-For-The-Safety-Of-Your-Account paragraph. Don't accept it; look for something more serious.
