Just Click “Yes”. Trust Me.

USA Today has an interesting article on Windows Vista. It appears there is a new feature in Vista called “User Account Control”. This feature is designed to prevent intruders from performing harmful tasks (so far, so good). When invoked, it grays out the computer screen, then prods you to confirm that you really want to do certain functions. In fact, in early test versions, the queries crop up so often that they interrupt routine tasks, such as changing the time clock or deleting shortcuts. And UAC sometimes triggers an endless loop of dialogue boxes that can be curtailed only by rebooting.

Mary Ellen Zurko spoke at last year’s ACSAC about user interface design and security. Good UI design prompts users only with questions where they at least have a chance of knowing the right answer, and only when it is necessary. Overzealous querying, or queries the users lack the information to answer, will prompt a “yes” syndrome, where users just click to make the box go away. This rapidly becomes the “cry wolf” syndrome, where users then don’t see the critical boxes when they should. I’ve seen this happen with many tools, from IE and Mozilla’s security prompts, to Lotus Notes, to ZoneAlarm Pro. Too many prompts, and users ignore them.

I hope M$ puts some effort into making this feature reasonable before they release the product. If they are putting it out there to improve security, it needs to be easy for non-technical users to use the product in a secure manner. This means that engineers cannot be the ones designing the interfaces :-).
