mikestew|8 years ago
First, I'll say this until I'm blue: articles like this preach to the choir. MFA? Yeah, raise your hand if you're against that. This is HN, so I'm not surprised to see only a couple of hands up. You, you in the back in the blue shirt. Your hand is up, care to explain why? Ah, thank you. Yes, MFA adds expense for no immediate discernible benefit. One last question: are you a C-level? Mmm, thought so, thank you.
Just yesterday I interviewed at a company that is next door to a company I worked for ten years ago, which is why this comes to mind. Biometric MFA by the flight and dwell times of how you type your password. Clever, it worked, and the company had customers. But our product cost money, security questions are practically free, and security questions count as "MFA". Without looking, I doubt the company is still in business. The fact that the company didn't turn into a license to print money ought to tell you something. That was the "time to admit..." moment for me, some ten years ago.
So, yeah, preach MFA and everything on that list all you want, but you'll have to convince my CxO who holds the purse strings. And when we get breached, my CxO will publicly say, "evil hackers, there was nothing to be done!" and get away with it. A trivial fine at worst, and a little shaming, and life goes on. Don't believe me? After the Equifax breach, the stock took a hit. When I thought the worst was over, I bought call options (since sold) and made bank. Granted, EFX is still down about 25% from its pre-breach highs, but it still bounced up about 25% from its post-breach low because after rending our garments we realized nothing much will change, so back to business-as-usual.
Terretta|8 years ago
The flight and dwell time of how you type your password: Michael Crichton wrote code, published in an early 80’s computer magazine, that could do this on an Apple II.
It worked too; my family couldn’t log into my Apple //c as me even with my password.
bertil|8 years ago
First off, for anyone who hasn’t read it yet: that title is, expectedly, disingenuous. It is not asking to ban companies from holding customer data, but offers basic advice.
In my experience, the people who can implement the solutions being described (i.e. those who would enjoy reading that “Have I Been Pwned (…) offers an API”) know about these, but are not the ones deciding whether to work on implementing them. Managers who allocate budgets are. Having a clear list of things to do is great, but managers tend to see those as part of the long list of things to do, a long list that they do not have the budget to handle.
What could be more helpful is an estimate of how likely not doing it is going to be a problem and how much that would cost the company. Anyone willing to associate a benefit to each step?