16
madumlao
11d

Let's talk about the cargo cult of N-factor authentication. It's not some magic security dust you can just sprinkle onto your app "for security purposes".

I once had a client who had a client who I did server maintenance for. Every month I was scheduled to go to the site, stick my fingerprint in their scanner, which would then display my recorded face prominently on their screens, have my name and purpose verified by the contact person, and only then would the guards let me in.

HAHA no of course not. On top of all of that, they ask for a company ID and will not let me in without one.

Because after all, I can easily forge my face, fingerprints, on-site client contact, appointment, and approval. But printing out and laminating a company ID is impossible.

---

With apologies to my "first best friend" in High School, I've forgotten which of the dozens of canonicalisations of which of your nicknames I've put in as my answer to your security question. I've also forgotten if I actually listed you as my first best friend, or my dog - which would actually be more accurate - and actually which dog, as there are times in my High School life that there were more tails than humans in the house.

I have not forgotten these out of spite, but simply because I have also forgotten which of the dozen services of this prominent bullshit computer company I actually signed up for way back in college, which itself has been more than a decade ago. That I actually apparently already signed up for the service before actually eludes me, because in fact, I have no love for their myriad products.

What I have NOT forgotten is my "end of the universe"-grade password, or email, or full legal name and the ability to demonstrate a clear line of continuity of my identity from wherever that was to now.

Because of previous security screwups in the past, this prominent bullshit company has forced its users to activate its second, third, and Nth factors. A possibly decade-old security question; a phone number long lost; whatever - before you can use your account.

Note: not "view sensitive data" about the account, like full name, billing address, and contact info. Not "change settings" of the account, such as changing account info, email, etc. Apparently all those are the lowest tier of security meant to be protected by mere "end of the universe"-grade passwords and a second factor such as email, which itself is likely to be sold by a company that also cargo cults N-factor auth. For REAL hard info, let's ask the guy who we just showed the address to "What street he lived in" and a couple others.

Explaining this to the company's support hotline is an exercise in...

"It's for your security."

"It's not. You're just locking me out of my account. I can show you a government ID corroborating all the other account info."

"But we can't, for security."

"It's not security. Get me your boss."

...

"It's for security."

Comments
  • 5
    There is a term “security theater” that covers all of that.
  • 1
    I hate it so much.

    I want the *choice* to choose the level of 'security'.

    Convenience is far more important to me than bullshit illusion of 'security' over assets that ultimately don't matter much.
  • 2
    Well with some hotline clerks, they are actually right. They have to follow their processes no matter what because anything else would open opportunities for social engineering.
  • 2
    the 2 factor is real shit right there and i hate it so much.

    before that a hacker needed to find one password combined to the username, now he needs to find one of the dozen recovery pass probably written somewhere or accessible on some file .. that sounds easier if you ask me.

    dumbness obfuscation
  • 2
    My ideal multi-factor authentication scheme would be an asymmetric key encrypted (or better, locked in a smart card) with a cryptographically secure, memorizable password.

    Something that proves that either you are who you say you are, or that someone else beat the shit out of you and you're never going to speak again. You have to be missing, because they know as soon as they let you go, you're going to tell everyone that you're compromised. But then people will eventulally figure out that you're missing. They can't win in the long run.

    You still do have to be careful about getting phished/keylogged/skimmed, and thise techniques will still work very well on people who don't think about security, unfortunately. But I personally think it is secure enough in practice.
  • 0
    @Fast-Nop kinda the opposite, the problem isn't the hotline, the problem is the process behind the hotline. Attempting to sprinkle "validation" after the fact that the system already granted the sensitive info gives the double whammy of locking out the guy you can actually validate while not doing anything to stop the guy who actually broke in.

    Its not that they dont have a choice on how to implement security, its that they didnt implement security and after-the-fact used theater to make it seem like they did.
  • 0
    @madumlao sure, the processes may be dumb, and that can be a problem - but that the hotline follows them to the letter is the right thing to do in their position.
  • 0
    @Fast-Nop "its dumb that weve been told to run over this kid, but thats the rule so we ought to do it."
  • 0
    @madumlao comparing oranges to military helicopters would be just as lopsided.
Your Job Suck?
Get a Better Job
Add Comment