The IT industry is failing at security

Wow, after looking at the huge spate of incidents, it’s quite obvious that the self-touting IT security industry is quite bad at implementing security. It can’t seem to protect itself? I mean, it’s one thing to blame general don’t-know-any-better users, but even the IT industry itself can’t seem to find good, workable, practical, affordable, scalable solutions to its own problems.

  1. Usernames and passwords – known to be weak because of humans, who are unable to memorize long strings of characters and unable to keep doing resets.
  2. SMS 2FA – was the standard for a while, and it is still being pushed out. However, it is known to have weak links and is unable to protect high-value targets. Expensive to scale up. Cannot be consistently applied to all logins and all interfaces without expensive customization.
  3. Hardware token 2FA – the impractical need to carry a physical token around everywhere, on you, and plug it into all sorts of foreign or personal computers; expensive as hell; even more expensive when you find out you should keep a spare set; the fallback to SMS is a weak link.

So why are we still here? Despite all the brilliant cryptography and mathematics, we’re really not that far along at all. Computers will always be bad at something; there will always be some loophole. We can’t yet have SMS 2FA everywhere, and token 2FA is still impractical for most use cases.

Security should not be too expensive. Usernames and passwords should not be considered sufficient on their own. Biometrics should not be the domain of the rich and entitled. 2FA should be more built-in.

Could I actually afford 2 x 2FA tokens? S$100? Sheesh.

I still can’t get my head around the impracticality of it:

  • If I carry a token on my keychain, I need to plug it into the computer to use it. I don’t want to carry my keys around everywhere, nor do I want to plug them into a computer – my keys, I mean.
  • If I carry a token on my staff pass lanyard, I need to plug it into the computer again. What if I forget to take it out?
  • Do I need to take it off my neck? Do I pull the extendable wire, plug it in, and take it out on each use?
  • Do we go for Bluetooth connections?
