I read with interest David's article. Richard brings up a very good point in adding accessibility to the "convenience" argument in the article. Whatever the solutions are that we come up with, we need to ensure that they are convenient to the user as the user sees it while not giving up practical security measures.
His assumption seems to be that we are working with a broadly tech-savvy enterprise environment, the "knowledge worker".
What we are finding in our discussions with vendors around strong authentication is an almost complete failure to realise that strong authentication is going to have to be rolled out to the masses. In the UK this means 20M+ people. In the US 100M+ people.
These people come in all shapes, sizes and abilities. When I am presenting to our clients we are very aware that many are planning to roll out systems that will eventually need to be used by people like my mother. She will have to use them, not as a matter of convenience but because that is the way that the system has to work. She is in her 70s and hardly touches the computer in the house.
In the UK this year the banks have just rolled out "chip & PIN" for bank card verification. It had to consider real usability issues for the elderly, the blind, and those in wheelchairs who had to be able to reach or see the keypad. As an example, I recently had to gently steer a solutions designer away from proposing an OTP token solution for someone whose typical profile was 70 years old, diabetic and probably going blind!
We are moving to a world where we will have to manage risk in a more flexible manner that is able to support every person given their personal capabilities. This is because we are going to have to better manage risk in every transaction, face to face, over the phone and not just online transactions, and not just to support the next form of electronic gizmo. We must be aware of this as we design our architectures and solutions.
This is a plea for PEOPLE CENTRIC Identity Management. If we fail to consider people in their diversity, we will fail as vendors and service providers.
Later in the discussion, someone asked for a description of "PEOPLE CENTRIC" Identity Management. Eric Norman of the University of Wisconsin responded:
Here are some things I would list. (These are for any system, not just identity management).
It means that people can operate the controls of the system without having to know the definitions of arcane words and concepts (the things that geeks love).
It means that taking the path of least resistance leads the operator to doing the "right thing".
It means that it's difficult to make a mistake.
It means that people can understand the controls of the system and are able to predict what they will do.
It means that feedback is always provided about the current state of the system.
It means that the system operates in a manner that matches the operator's internal mental model. Note: this mental model *is not* the same as the model that the developer uses.
It means that people can operate the controls of the system without having a help desk assistant on the line.
It means that the user documentation does not include screen shots!
It means that law 6 is to be obeyed.
Here's another reference.
"The Design of Everyday Things", by Don Norman (no relation, by the way).
I like much of what Eric says here... I would add that the concept of what is "right" for one user may be a "mistake" for another (there's no one right answer). I would also say that documentation should be as helpful as possible for each supported environment -- meaning that
When I was at AOL and we were doing the initial architecture of these kinds of things, we always kept in mind the following guidelines:
- Out of the box, it should work for my mother
- The rest of us should have a "geek page" we can go to to tweak the behavior
- The common configurations should be available as settings packages (e.g. UltraParanoid, ParanoidEnough, NotParanoidAtAll :-)).
I'm sure there were other more detailed requirements, but these (especially the first) guidelines helped keep us grounded in what we were "discussing".
I'd also want to point out that this topic, although similarly named, is different from the recent user-centric identity discussions. User-Centric Identity is about control of operations; People-Centric Identity Management is about designing solutions that work for many types of people and making them convenient for those people.