
Mobile UX and the problem of security

February 1, 2010

We have a pool of around 30-35 iPhone users at my work location that we’ve been studying. From our studies and our interactions with other smart phone users, one thing has become abundantly clear: burdensome security policies are a showstopper for most users. Roughly 80-85% of our users have refused to install the corporate security policy on their iPhone (which would require an 8-character alphanumeric password to use their phone), choosing to forgo accessing business applications and services on their phone rather than have to constantly log into their devices.

While many people contend that security and usability are diametrically opposed and there’s no good solution here, I’d argue that’s not necessarily the case. Certainly from the user’s perspective the security policy is unworkable. Typing an 8-character alphanumeric password on an iPhone’s virtual keyboard takes most users 10-15 seconds. But given that most iPhone interactions are less than 60 seconds long, that’s 15-25% of users’ interaction time right there. Unlike laptop use, the time to enter the password isn’t amortized across an extended interaction. Plus in most cases users are accessing functionality that isn’t business related (taking a picture, posting on Facebook, checking Twitter, etc.), so they perceive the password as unnecessary.

From my company’s standpoint (and from pretty much any corporate / government standpoint) the need for security is clear: the company has financial, ethical, and legal obligations to protect company data that may end up on phones. In our case, the 8-character password requirement appears to derive from an Italian privacy law (DPR 318/1999) that the CISO’s office decided to apply as the least common denominator worldwide.

So why don’t those two requirements (easy access to devices/services from users’ standpoint; security and protecting data from my company’s standpoint) conflict? Well, they admittedly do to some extent with the current security mechanisms we have available on smartphones. When all you’ve got is blanket password access to restrict data, you don’t have much wiggle room to balance competing desires. But there’s no reason that smartphones can’t be smarter (sorry) about which applications and data need to be protected (business applications) and which don’t (Twitter, camera, weather, stocks, etc.).

Why is it that, at a time when smart phones are increasingly useful for both personal and business uses, I can’t tell my smartphone which are which? I currently have the security policy installed on my iPhone, but I’d be much happier if I could restrict access to the small number of applications that are for business rather than to the whole phone. Technically that’s feasible; it’s just that iPhone OS, Android, etc. don’t support it yet. And that’s frankly where I think we need to go, particularly as computing devices increasingly move away from the model of “owned by your company and administered by IT” to “owned by you and used on behalf of your company”, which is where smartphones are largely now and where I suspect other devices will go. How long will it be until we get a subsidy from our companies to purchase our own computer that we’ll own and administer ourselves? Citrix is doing it now.

So if you know a mobile OS developer, tell them to drop me a line. We’d like to help them make their OS friendlier to both personal and business use.
