I ran across this great article about the disappearance of instruction manuals and thought about how today (as noted in the article, but it’s pretty common) the manual for my last computer was a large poster on setting it up the first time. The one for my smartphone was 2″ x 3″ and about 30 pages in 3 languages. Neither of these is a simple device, but it is expected that they will be usable without much in the way of external instructions, as anything you don’t know you should be able to figure out (remember when F1 was the best thing in Windows?).

As with so many advances in tech through the years, research done at IBM gave us the modern concept of designing for the user, with manuals focused accordingly. It’s a great insight that the user needs to be engaged with what they are trying to do and able to accomplish their tasks. It doesn’t matter whether they understand everything that went on behind the scenes to complete the task, just that it is completed. A user has a job to do, and technology is an enabler, not the job, so it is important that the technology not get in the way.

Security should always be looked at in the same way. We have security because we need to protect things, but except for a small set of us, it isn’t the end user’s job. An accountant may know they need to secure their data, but today it isn’t their job to know the best way to secure that data, or even how to do so. If you force them to do it, it takes their focus away from being an accountant. That is a problem both because an accountant is unlikely to know how to properly secure their data and because they aren’t doing the work they are trained to do. Security needs to be integrated into what they do, but largely stay behind the scenes.

When security can be done in ways where the user doesn’t have to see it, but can trust it is there, they don’t actively work against it, because it doesn’t get in the way of doing their job. Easily deployed 2FA solutions, such as YubiKeys with a GreenRADIUS server, can let a user log in without needing complicated procedures, letting them be secure while focusing on their job, not yours.