Security and simplicity in designing a copyright protection app

Two of the biggest challenges in any web application are simplicity and security.

The importance of good security is immediately obvious. The security and integrity of a user’s data is the most important thing that an organisation such as myows.com is entrusted with when the user signs up to their service… and the challenges airtight security represents are numerous.

Secure design is also not something that can be tacked on at the end of development, but must be a consideration every step of the way.

Simplicity is another very well recognised goal; however, it is achieved far less often than it is aimed for (or paid lip service to). A simple interface or experience doesn’t mean one that is “dumbed down” or offers less capability than a complex one – even the most powerful and capable tools should aim for the simplest possible presentation. Truly simple and functional design is surprisingly difficult to achieve.

When your aim is to excel at both security and simplicity, you cannot sacrifice either one for the other, and the interaction between them can be complex. Many security procedures can make users feel like they are being made to take a longer way around than necessary.

One must also be careful of “security theatre” – security procedures that may seem effective, and make people feel safe, but in actuality are easy to defeat (and so do not really add anything of value). When making things simpler, it’s important to realise that some things should still require a few steps or additional confirmation.

When creating the interface and interaction flow for myows.com, we faced quite a few decisions on how to best manage and balance these factors. One of these concerned Myows’ central function – how to handle the actual timestamping and certification of works.

Many solutions around the timestamping and certification of documents and other data have focussed on digital signatures – signing works and providing users with signed versions of their files, or hashes of the file’s content to keep.

With myows.com, we decided to keep the actual work, along with the timestamp data, all together in one place. This frees users from having to deal with private and public keys, or storing their own hashes and works securely (and having to make sure these are kept safe).

As all transactions are over HTTPS, works are secure between the user’s computer and Myows, and cannot be tampered with. Once the works are with Myows, we store them in our secure system – nothing else is required of the user.

This solution satisfied our goals of being safe and straightforward to use and understand, without sacrificing any functionality – actually, it’s more convenient and useful than having to keep track of hashes, keys, etc. It also makes for more reliable evidence at the end of the day, as opportunities for tampering are non-existent when evidence is stored by a neutral and reliable third party.

This kind of balancing act is guaranteed to turn up many times in any project; however, by staying flexible and aware of the overarching design ideals, very rarely should one goal have to be sacrificed for the sake of others.