Trading usability for security


I got a little message from last night. Well, not very little at all. You see, it took them over 700 words to explain how to use the new login process, designed to keep users from having their login information stolen. I’ve never found them to be very concise in their communication with customers, so the length of the message is nothing new. However, the new login process they describe is rather troubling. With a verification system that is sure to annoy users and administrators alike, salesforce has taken a big step backwards in usability.

The new login process works like this: unless you're accessing the service from a trusted IP address (which your account administrator has to update manually), you'll need to go through a verification process every time you want to log in from a new computer or a new location. The verification involves clicking a link to send an email to your address on file, opening the email, clicking a link that registers your current IP and browser, and then logging in normally.

There are some major issues here. First, they’re presumably using a cookie to record which browser has been verified. So if you clear your cookies, you’ll have to get verified all over again. Second, a lot of people are on dynamic IPs, especially if they often work from remote locations or wireless devices. They will need to do the verification whenever they move to a new location and the IP changes, or possibly even if they just sign off and back on (since some wireless services assign a new IP for every session). A VPN can prevent this hassle, but I’m guessing many of salesforce’s SMB customers lack this sort of infrastructure. And what if you don’t have access to your corporate email account on the same computer, e.g. if you’re using a shared PC? Sounds like you’re out of luck.
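A minimal model of the login decision described above, added here as an illustration (it is not Salesforce's code). The cookie-held browser token, the exact-IP match and all names are assumptions that follow the guess about how the check works; the addresses and the event list are constructed.

```python
import ipaddress
import secrets

class LoginVerifier:
    """Toy model of the flow; storage and matching rules are assumptions."""

    def __init__(self, trusted_networks):
        # Admin-maintained trusted ranges skip verification entirely.
        self.trusted = [ipaddress.ip_network(n) for n in trusted_networks]
        self.registered = set()  # (user, ip, browser_token) confirmed by email

    def needs_email_challenge(self, user, ip, cookie_token):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.trusted):
            return False
        return (user, ip, cookie_token) not in self.registered

    def confirm_email_link(self, user, ip, cookie_token=None):
        # Clicking the emailed link registers the current IP and browser.
        token = cookie_token or secrets.token_urlsafe(16)
        self.registered.add((user, ip, token))
        return token  # stored by the browser as its cookie


def count_challenges(verifier, user, events):
    """events: (ip, cookies_cleared) per login; returns emails triggered."""
    cookie, challenges = None, 0
    for ip, cleared in events:
        if cleared:
            cookie = None
        if verifier.needs_email_challenge(user, ip, cookie):
            cookie = verifier.confirm_email_link(user, ip, cookie)
            challenges += 1
    return challenges


# Constructed sample: one week of logins for a roaming user.
OFFICE = ["198.51.100.0/24"]
EVENTS = [
    ("198.51.100.10", False),  # office, trusted range
    ("203.0.113.5", False),    # home, first time
    ("203.0.113.5", False),    # home again, same IP and cookie
    ("203.0.113.77", False),   # home, ISP assigned a new IP
    ("203.0.113.77", True),    # same IP, cookies cleared
    ("192.0.2.44", False),     # wireless hotspot
    ("198.51.100.10", True),   # office, cookies cleared
]

if __name__ == "__main__":
    print(count_challenges(LoginVerifier(OFFICE), "alice", EVENTS), "of", len(EVENTS))
```

Only the logins from the trusted office range and the repeat login from an unchanged home IP and cookie go through without an email round trip.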

Ironically, I think the biggest problem is that salesforce is training users to expect these official verification emails all the time. Aren't these the same sort of messages that potential attackers use to get people to click a link so they can capture their private data? Previously, you could simply say "Delete any email about salesforce access, since it's a scam." Now, users have to distinguish between legitimate verification emails they are expecting and fraudulent ones. This sounds easy enough. But in practice, people will quickly get accustomed to just clicking on the message, especially if they get the verification requests all the time. This change in user behavior will make tricking the average salesforce user even easier in the future.

In all, this is a bad move for salesforce in terms of usability. And by training users to click on verification emails, it might lead to even more compromised accounts as thieves learn to emulate the email format. I would much prefer to see salesforce implement the multi-factor authentication that banks use, i.e. asking you to answer more security questions right on the login screen if your computer isn’t recognized. Obviously, salesforce has its reasons for taking this approach, but I suspect it’s going to cause a lot more harm than good.

2 Responses to “Trading usability for security”

  1. You make a good point. I was thinking of this from the perspective of existing users, for whom this is an interruption in their workflow, but probably won’t make them abandon use of altogether. But for the new users you allude to, the hassle might be significant enough that they refuse to use the application, causing adoption rates to suffer.

  2. In an industry with user adoption being one of the biggest hurdles, has just raised the height of these hurdles. Secure data is of the utmost importance, but what's the sense of having information on a system that employees won't want to or have a hard time logging into? Their approach seems to be a thrown together temporary solution which leaves you wondering about or simply waiting for future security issues.