
Secure the experience, experience security

1,520 views

Published on

Cyberspace is a scary landscape, and it is becoming scarier each day. While people stay (mostly) the same, the technology keeps evolving. In this talk we’ll discuss this challenge - How can we utilize effective UX design to provide a safer online environment? What can we do to make people feel secure? Which techniques enhance online security, and which common practices are ineffective and should be discarded?

Published in: Software

Secure the experience, experience security

  1. Secure the Experience, Experience Security. Debunking Cyber-Security Myths. Ran Liron
  2. Cyber Security: The Risks. Virus, Malware, Spyware, Ransomware, Identity theft, Worms, Trojan horses, Heartbleed, Golden Ticket, Pass-the-Hash…
  3. Ran Liron, Head of UX at CyberArk. And also… UX Program Lead @ The Technion, Continuing Education Division; UX Mentor @ Google Launchpad; UXing for more than 20 years
  4. Resources: Data (mainly); Regular Joe perspective: Michael McIntyre
  5. So… what do the Security Experts Recommend?
  6. Security Experts Recommendations. 231 security experts were asked: “What are the top three pieces of advice you’ll give to a non-tech-savvy user?” The result: 152 pieces of security advice… Google research: 152 Simple Steps to Stay Safe Online: Security Advice for Non-Tech-Savvy Users
  7. Security Experts Recommendations. Password matters. Advice #2: “Use unique passwords”. Advice #3: “Use strong passwords”. Google research: 152 Simple Steps to Stay Safe Online: Security Advice for Non-Tech-Savvy Users
  8. Common password requirements. At least: 8 characters; 1 lowercase letter; 1 uppercase letter; 1 special character (!@#$%^&*); 1 number (0–9)
  9. Defensive Tools: Password. Common password display method: ********. The problem: requiring a strange, meaningless yet complex string, and the user never sees the password. So… very hard to remember.
  10. So what do users do? They get… creative
  11. Keystroke strings: 12345678, 7777777, 666666, password, zxcvbnm, 1q2w3e4r, qwerty, Pw123456…
  12. Keeping it somewhere “safe”
  13. Keeping it somewhere “safe”
  14. Keeping it somewhere “safe”. Or simply using the same password all over the net…
  15. The solution? Accept it; Password alternative; Use password management tools
  16. Security Questions?
  17. Security Questions: The Assumptions. Only you know your own history; You don’t have to memorize it; Users will answer truthfully. If only we were…
  18. Security Questions: The Experience. Michael McIntyre, Comedy Gala
  19. Security Questions: The Reality. Only you know your own history? Nope.
  20. Security Questions: The Reality. 37% admitted to providing fake answers, in an attempt to make them "harder to guess". 40% of our English-speaking US users were unable to recall their answers. Google research: “Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google”
  21. (image slide, no text)
  22. Security Questions Are Bad, Bad Practice!
  23. What About CAPTCHA?
  24. CAPTCHA: The Experience. Michael McIntyre, Comedy Gala
  25. Last week, I tried to log in to Microsoft’s App Store…
  26. Acceptable alternative
  27. The Experience of Setting a Password
  28. Setting a Password: The Experience. Michael McIntyre, Comedy Gala
  29. Setting a password: Instructing the user. Set Password: *******. Confirm Password: “Need to include upper-case letter!”
  30. Setting a password: Instructing the user. Set Password: *******. Confirm Password: “Need to include at least 8 characters!”
  31. Last week, I tried to log in to Microsoft’s App Store…
  32. Don’t torment your users! All of the password requirements should be displayed together
  33. Setting a password: Instructing the user. Password criteria: Start with a letter; Include upper-case letter; Include lower-case letter; Include special character (!@#$...); Include number; At least 8 characters. Set Password: ******* / Confirm Password: ********. The checklist on the slide is shown in four states: first all six criteria ✘ (“Nope!”); then ✔ for upper-case letter, lower-case letter and 8 characters; then ✔ for special character and number as well; finally ✔ for all six, including “Start with a letter”.
  34. If only there was… a way to create passwords that is both secure and easy to remember, and has almost no requirements…
  35. There is a way! Try to remember this: ********. Now try this: **********************
  36. There is a way! Try to remember this: ********. Now try this: I love my fluffy bunny
  37. Why is a passphrase better than a password? Set Password: ***********************. “We recommend using a meaningful phrase. You may use any character, including spaces. Minimum 20 characters total. For example: ‘I love my fluffy bunny’.” This is nice and simple
  38. Why is a Passphrase Better Than a Password? Longer = more secure. Easier to remember = more convenient AND more secure
  39. Password alternatives?
  40. Password alternatives: Biometrics
  41. There are A LOT of biometric methods... Fingerprints, face recognition, eye scan, signature & typing recognition, vein recognition, voice recognition, DNA matching… and even odor-based identification
  42. Biometrics – advantages: Secure; Nothing to remember; No need to manage or change
  43. Biometrics – disadvantages: Some methods require hardware; Can’t be changed if compromised; Privacy & security issues; Might be disturbed by injuries; User acceptance
  44. Security Experts Recommendations
  45. Security Experts Recommendations. Recommendation #1: “Keep systems and software up to date”. So, encourage your users to update
  46. Encourage your users to update
  47. Takeaways
  48. Takeaways. Drive effective user behavior to increase security: 1. Don’t use security questions, nor CAPTCHA; 2. Display all the password requirements together; 3. Allow users to see their passwords; 4. Promote using passphrases instead of passwords; 5. Consider using biometric identification methods; 6. Encourage users to keep their software up-to-date
  49. How Are You Going To Improve Your Users’ Security?
  50. References. Google research: 152 Simple Steps to Stay Safe Online: Security Advice for Non-Tech-Savvy Users; Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google; Are you a robot? Introducing “No CAPTCHA reCAPTCHA”. Mozilla’s blog: Exploring the Emotions of Security, Privacy and Identity. SogetiLabs Blog: UX & Security, Part 2: Account Registration. I’m not a human: Breaking the Google reCAPTCHA. Michael McIntyre: Comedy Gala
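As an added example (not code from the talk or from CyberArk), the "show all criteria at once" checklist of slide 33, the 20-character passphrase policy of slide 37, and a rough guess-space estimate illustrating slide 38's "longer = more secure". The regex used for "special character" and the uniform-alphabet entropy estimate are assumptions made here for illustration.

```javascript
// Added example (not the talk's own code): evaluate every password rule at
// once so a form can show the whole checklist, instead of revealing one
// failing rule per submit. Labels follow slide 33.
const CRITERIA = [
  { label: "Start with a letter", test: pw => /^[A-Za-z]/.test(pw) },
  { label: "Include upper-case letter", test: pw => /[A-Z]/.test(pw) },
  { label: "Include lower-case letter", test: pw => /[a-z]/.test(pw) },
  // Assumption: "special" means any printable non-alphanumeric, non-space char.
  { label: "Include special character (!@#$...)", test: pw => /[^A-Za-z0-9\s]/.test(pw) },
  { label: "Include number", test: pw => /[0-9]/.test(pw) },
  { label: "At least 8 characters", test: pw => pw.length >= 8 },
];

// Returns one {label, ok} entry per rule; nothing short-circuits.
function checkCriteria(pw) {
  return CRITERIA.map(c => ({ label: c.label, ok: c.test(pw) }));
}

// Text the UI would render beside the field (one ✔/✘ line per rule).
function renderChecklist(pw) {
  return checkCriteria(pw).map(r => `${r.ok ? "✔" : "✘"} ${r.label}`).join("\n");
}

// Passphrase policy from slide 37: any character, spaces allowed, 20+ chars.
function passphraseOk(pw) {
  return pw.length >= 20;
}

// Rough guess-space estimate in bits (assumption: each character drawn
// uniformly from the character classes actually present). Only meant to
// illustrate slide 38; a real strength meter also penalises dictionary words.
function entropyBits(pw) {
  let alphabet = 0;
  if (/[a-z]/.test(pw)) alphabet += 26;
  if (/[A-Z]/.test(pw)) alphabet += 26;
  if (/[0-9]/.test(pw)) alphabet += 10;
  if (/ /.test(pw)) alphabet += 1;
  if (/[^A-Za-z0-9 ]/.test(pw)) alphabet += 32; // other printable ASCII
  return alphabet === 0 ? 0 : pw.length * Math.log2(alphabet);
}

// Sample inputs taken from slides 11 and 36.
console.log(renderChecklist("Pw123456"));
console.log(entropyBits("Pw123456").toFixed(1), "bits vs",
            entropyBits("I love my fluffy bunny").toFixed(1), "bits");
```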
