Computer Security Follies
What does authentication do for me?
This was a new one for me. A web site, which shall be nameless, blocked me out. It said that it was implementing a security upgrade. I was now supposed to scan a QR code in order to log in. It directed me to download an “authenticator” which would scan in the QR code.
Installing the authenticator was a process. The authenticator app itself uses two-factor authentication, and it insisted on sending me a code via email. It somehow found an email address for me that has expired. The app would not tell me how to correct this, so I had to call on Claude. Claude figured out that it was an email address on my phone, even though I wanted the app on my PC. Claude was able to walk me through getting the old email address deleted from my phone so that I could start all over with installing the app.
Then the app kept telling me that the attempt to locate the QR code failed. Once again, Claude came to the rescue. It eventually figured out that the app screen was blocking the browser screen that had the QR code. So I needed to have the browser and the app both showing at the same time. Windows has a new way of tiling screens side-by-side, and Claude talked me through that. So finally, almost two hours later, I was into the original web site.
What was accomplished?
What did this security upgrade accomplish? I was already in a sandbox with respect to the web site. That is, I could only access data relevant to me. It is not a web site where I keep any financial information, so there is nobody who can profit from logging in as me.
In theory, someone who discovers my password could log into the web site and do something I would not like. But the motivation for doing so is almost nil.
And with the authenticator now working, if someone gets hold of my computer, they don’t even have to guess my password to log into the site. The way I look at it, my personal security is less than it was before.
Now the authenticator always asks me if I want to use it to log into other sites. No way! Why would I want to enable anyone who gets hold of my computer to be able to log into any site that I use?
A response to being “hacked”
I gather that this new security “upgrade” was introduced in response to a “hacking incident.” Maybe a lot of passwords got stolen, or they decided that they needed to worry about passwords being stolen.
Whenever I hear about a lot of passwords being stolen by a “hacker,” I think “inside job.” I figure that it must be much easier to break into a computer system with help from someone on the inside than it is to just cleverly hack your way in. I could be completely wrong about that—I am not a computer security professional, just a disgruntled user.
The appropriate response to a “hacking incident” is to tighten up controls on permissions. A permission system dictates who has access to what. For the web site that locked me out, I already had essentially no important permission. Reacting to the incident by putting me through a long, frustrating process was punishing the wrong person.
Imagine you were running a hotel. Would a hotel respond to a jewelry theft ring by making guests go through an arduous authentication process in order to access their rooms? That would be ridiculous.
If someone steals valuables from multiple rooms, it is likely that they got hold of an entry key that works for multiple rooms. So what you need is a process for guarding those multi-room entry keys, and for keeping an eye on the people who use them.
Powerful permissions in computer systems are like multiple-room entry keys. You need to know who has those permissions, and you need to keep an eye on those people. There is no reason that more than a few people should have powerful permissions. And you should monitor the way that they get used.
End of rant.


Surely you've followed the 25-year saga of fake two-factor identification? This is just a refinement of that. The reusable bag of security theater.
> Whenever I hear about a lot of passwords being stolen by a “hacker,” I think “inside job.” I figure that it must be much easier to break into a computer system with help from someone on the inside than it is to just cleverly hack your way in.
Because most users are really bad with password re-use, there are a lot of incentives for people to figure out the "cleverly hack your way in from the outside", so I don't think this inside job thinking is quite right. Generally the path is "find a user's credentials on some system of little consequence with poor security" so that you can see if those same credentials work on important things like banking/email/online shopping.