Security, passwords, and the messiness of everyday experiences

I enjoyed On Culture and Interaction Design, an interview with anthropologist Genevieve Bell. In one section she discusses how we often design systems based on a cultural ideal, but in practice it ends up solving the wrong problem. She uses the example of security:

We design systems to keep systems safe and people write their passwords on bits of paper stuck to their systems. So, is it that people don’t care about security or is that the security we are designing is securing the wrong things? Or, are they just securing them in the wrong ways? Clearly we know that people care about the security of their homes, their possessions, their digital selves, but they adopt a range of patterns for doing it that are incredibly messy, complicated, and contradictory.

Passwords ensure that unauthorized people don’t get access to a system. But the mere fact that tools like 1Password exist to remove the need to remember passwords should tell us that we’re doing it wrong. Current password systems solve the problem from the wrong perspective: the system, not the user.

The problem runs even deeper. We’re not only solving the problem from the wrong perspective, we’re also introducing unnecessary complexity because of the way these systems are implemented. From a great post on the AgileBits blog:

Security systems (well, the good ones anyway) are designed by people who fully understand the reasons behind the rules. The problem is that they try to design things for people like themselves – people who thoroughly understand the reasons. Thus we are left with products that only work well for people who have a deep understanding of the system and its components.

This is why people have weak passwords and write them down on pieces of paper everywhere. It’s why the experience is complex and messy, and why we have to spend so much time building “Forgot password” flows when we could be spending that time making the core experience of our products better.

So what’s the alternative? I have a huge appreciation for the role that anthropology can play in the design of products and experiences – which is what Genevieve advocates in her interview as well. Ethnography (often called Contextual Inquiry in the user-centered design world) is the single best way to uncover unmet needs and make sure we are solving the right problems for our users.

In Ethnography in Industry, Victoria Bellotti defines ethnography as “a holistic, in-person, and qualitative approach to the study of human behavior and interaction in natural settings.” By using this method to understand the culture and real needs of personal security, we should be able to design a user-centered solution to protecting digital information. One that isn’t stuck in the downward spiral of designer myopia we often encounter in proposed solutions to complex problems.

Security is an impossible industry to reinvent, you say? Maybe. But the problem does remind me of something Matt Legend Gemmell says about innovation in his excellent post Copycats:

The lesson of the technology industry in the past five years is that really successful products dare to NOT copy. They’re pure, in that they’re actually designed from first principles – they’re based on the problem and the constraints, without being viewed through the lens of someone’s existing attempt. You know, the kind of thing you actually wanted to work on when you got your degree and were still unsullied by the lazy, corporate machine.

So who wants to take a crack at it?