Friction-Free Experience vs. Secure Access: Lessons From the "Zoombombing" Fallout
The controversy and fallout resulting from the widespread reporting of bad actors gaining access to Zoom meetings is just another example of the constant struggle faced by developers and designers of how to balance a friction-free experience and ensuring secure access and privacy.
In the last few weeks, everyone has become familiar with "Zoombombing" — when uninvited guests show up in your Zoom video meetings with the sole intention of disrupting them, whether the purpose of the meeting is business, education or a virtual gathering of friends. There have been reports of hackers shouting angry and violent comments, and some sharing lewd videos and images. With the world struggling to adapt to a new reality — which, for many, involves working from home for an extended period for the first time in their professional lives - the last thing anyone needs are additional headaches piled on by malicious individuals simply because they can.
The challenge stems from the fact that Zoom meetings have default settings geared toward user convenience and a frictionless experience — rather than security and privacy. Hackers are able to guess at Zoom URLs and gain access with minimal barriers in their way. There are security measures in place within Zoom, but they aren't enabled by default and most users aren't even aware they can do things such as setting a meeting password, click the box that doesn't allow anyone to enter before the host, or an option that places all new guests in a virtual waiting room before they are approved by the host. Additionally, with Zoom going from a primarily office-based system to a global social outlet practically overnight, these outcomes were exacerbated.
Zoom CEO Eric Yuan immediately issued an apology and said the company was working fast to address the concerns. His choice of words in his response was particularly significant. While acknowledging that default security measures were overlooked, he also said Zoom's "intentions are good." It is worth noting that this isn't the company's first run-in with security problems — Zoom stirred up controversy with a macOS auto-installer that bypassed typical user interactions to make the install experience more seamless than most other software. These choices, and this “Zoombombing” situation highlights an issue that is a much bigger industry challenge, and has been for a long time.
UX vs. Security
Steve Jobs made Apple into the most valuable company in the world with the ability to surprise and delight customers. The goal of productivity applications like Zoom is to surprise and delight users with an unexpectedly seamless and easy end-user experience. Users flock to a convenient and frictionless user experience which in turn often leads to mass adoption. In the race to make things seamless for people, there is a constant tension between limiting "friction" -— how many steps it takes to gain access to an application — and enforcing security. It is interesting to note that Zoom was founded by Yuan and other former WebEx engineers with the express intention of creating a more user-friendly video conferencing experience. It wasn't that they weren't aware of the potential security issues, it was that they made a conscious choice to weigh things more heavily on the side of a great UX.
So when Yuan says their "intentions are good" he's right. Zoom had good intentions to improve the user experience, but the results were going to be inevitably unbalanced. It wasn't that they were caught unaware during the "Zoombombing" phenomenon, it was just that the practice exploited the seams where Zoom opted for convenience and accessibility over stringent security and at a time when the platform was experiencing a surge in use among individuals rather than businesses. They are far from alone in this - in fact, it's a constant struggle for most interface design. Driving innovation sometimes means sacrificing either the user experience or security. Neither is a preferred choice, but it's a choice that must be made.
Striking the Right Balance
Fortunately, trying to find some balance between frictionless access and security is exactly what we at Idaptive do in our quest to provide organizations with Identity and Access Management solutions. As our CEO Danny Kibel writes, there are "two extremes" when it comes to security. "On one end, you can unplug everything from the internet, while constantly requiring physical and digital verification. That’s maximum security, but it’s also maximum inconvenience. On the other side, you can create a totally frictionless user experience, but leave your employees and systems completely exposed to malicious actors." Zoom — and others - felt strongly that they should bet on the intended users first, and hope that the malicious actors would be minimal.
We see concepts like biometrics, behavioral, and other contextual data as being key to finding some sort of balance. We envision a "Zero Trust," password-less future where applications are able to consider a multitude of factors to recognize authorized users and identify risk — not with simple passwords, but with device usage tendencies, location, past behavior, and even typing particularities. The applications "know" you and can understand what is abnormal or suspicious without having to add newer and more stringent gates between the user and the application.
While the headlines were quick to paint Zoom as being caught with their proverbial pants down over "Zoombombing," the truth is that the company set out with a clear and positive objective — and succeeded enormously — but had to make tough choices along the way. Not even five years ago, users (especially in the US) greatly valued convenience over privacy/security. But since the last US presidential election, the winds have dramatically shifted (likely sparked by the Cambridge Analytica/Facebook scandal and Russian election interference). Zoom didn’t shift with the times and what was their greatest strength — ease of use — has become their unexpected Achilles heel.
No one anticipated a global pandemic forcing hundreds of millions to suddenly have to figure out how to work or run classrooms from home. Unfortunately, times of chaos sometimes open doors for the opportunistic. What we have here is a lesson for all developers moving forward. We need to bridge the gap between user experience and security. Perhaps being forced into it by unforeseen and extenuating circumstances will give us the impetus for giant leaps forward. Now if you will excuse me, I am late for my Zoom meeting...