Banking and security

Except they’re easy to lose, not something the general public is familiar with and generally considered a bit of a faff.

You always have your face with you!

6 Likes

1 Like

Does anyone else see Matt Hancock? Or am I really that disturbed?

9 Likes

No, not that stupid thing. A real hardware key (yubikey for example).

Those are excuses that need to go away.
So are passwords, easy to forget, so I’ll write it on a postit note, or use the same one (password123) for every account. You can pander to these excuses, or you can argue back, educating people as to what’s secure. Unfortunately you cannot hide behind a rock and pretend you can still do things the way you used to 20 years ago, people have to learn and adapt.

The stupid card reader thing posted above is a prime example - it’s so much more inconvenient and cumbersome to use, but some banks went ahead with it and a lot of people now are familiar with it. If you can do it with that abomination, you can do it with hardware keys :wink:

Except people choose their banking on how easy it is - I stopped using NatWest & Barclays partly because the pin sentry was so annoying.

You can’t force people to learn, the face solution for fintech banks is a much easier choice which is very difficult for the average joe to defeat.

8 Likes

Question for you (and @bee in their new role / @N26throwaway / everyone else): just how different is a yubikey to a card reader? They both offer a form of cryptographic certificate, even though the standards will differ, right?

Is the objection more because there’s faff (insert card, press buttons, type pin, mutter incantation) or is there a technical issue?

1 Like

Theoretically I should be an expert on this because not only did I work in the IAM team at Monzo (who managed passwords, security keys etc for all of Monzo), but I now also work at Duo (who invented a lot of the standards around Yubikeys etc…)

But I don’t know much currently :joy:

I can say, however, that a lot of these “extreme” things banks do to “protect” customers have very small effects. Like Strong Customer Authentication, which I believe changed the needle perhaps 0.1% towards protecting customers :thinking:

Yubikeys are cool for techy people because you can use them for SSH etc. There’s also WebAuthn (https://webauthn.io/) which would stop phishing completely using hardware keys (yubikeys) (assuming prime factorisation is not broken: How to Share a Secret (Diffie-Hellman-Merkle)).

However, this is assuming that every customer knows not to trust a website unless the yubikey works (I am sure people would probably ignore it)

Security is hard :frowning:

7 Likes
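The phishing-resistance claim above, as an added example that is not code from the thread: the browser, not the web page, writes the page origin into clientDataJSON, and the authenticator scopes each key to the RP ID, so an assertion captured on a look-alike site is rejected by the bank even if the user clicked through. The hostnames and credential secret are constructed, and an HMAC stands in for the authenticator’s real public-key signature.

```python
# Added example, not from the thread; hosts and the credential secret are
# constructed, and HMAC stands in for the authenticator's real signature.
import hashlib, hmac, json, secrets

RP_ID = "bank.example"                           # assumed relying party ID
ORIGIN = "https://bank.example"                  # origin the bank expects
CRED_SECRET = b"constructed-credential-secret"   # stand-in for the key pair

def authenticator_get(rp_id: str, origin: str, challenge: str) -> dict:
    """Browser + authenticator side of navigator.credentials.get(): the
    browser (not the page) records origin and only allows an rp_id that is
    a registrable suffix of it; the authenticator hashes rp_id and signs
    authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
                 + bytes([0x01])                           # flags: UP set
                 + (1).to_bytes(4, "big"))                 # signCount
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(CRED_SECRET, signed, hashlib.sha256).digest()}

def verify_assertion(resp: dict, expected_challenge: str) -> tuple:
    """Relying-party side, abridged from the WebAuthn assertion checks."""
    cd = json.loads(resp["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    ad = resp["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: key scoped to another site"
    if not ad[32] & 0x01:
        return False, "user presence flag not set"
    signed = ad + hashlib.sha256(resp["clientDataJSON"]).digest()
    expect = hmac.new(CRED_SECRET, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, resp["signature"]):
        return False, "bad signature"
    return True, "ok"

def demo():
    challenge = secrets.token_urlsafe(32)
    good = authenticator_get(RP_ID, ORIGIN, challenge)
    # A look-alike site relays the bank's challenge, but the browser records
    # the phishing origin and the key is scoped to the phishing rp_id.
    phished = authenticator_get("bank-example.evil",
                                "https://bank-example.evil", challenge)
    return verify_assertion(good, challenge), verify_assertion(phished, challenge)
```

The user cannot “ignore” the failure here: it is the bank’s server that refuses the relayed assertion, not a warning on the client.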

Just because you dislike having to do a video/say a phrase, doesn’t mean it’s a bad system.

I’m sure nobody likes it, but your personal reasons for not doing it are not common and clearly it helps prevent fraud.

2 Likes

But your clear dislike for it comes up a lot, but more for personal reasons than security or anything else.

2 Likes

And it’s usually down to people factors, right?

It’s not a criticism, but my parents (for example) would probably struggle with Yubikeys (they’d forget how to use them, then they’d lose them, then they’d use each other’s…). And all the social engineering and manipulation weaknesses are still there whatever you use.

That’s not an argument for no security. It’s just me saying again it’s really hard. Too hard.

3 Likes

It’s a very fine balance of keeping the baddies out, but not making it so tough that you can’t get to your own things.

1 Like

It’s always cost of humans too.

Company needs to improve margins, company looks at where there’s a human interaction and finds a way to bin it.

An unrelated example, but reminds me of locked pots. A good idea to add in the friction of asking support to unlock it but turned out to be unaffordable.

I do sometimes wonder if our economic model is pricing out helpful human interaction.

4 Likes

Pretty much.

Anything someone might need to remember will be forgotten or shared. Anything that someone needs to own might be lost or, again, shared.

Biometrics are promising because you can’t lose your face. But they are also very limiting and pretty much always subject to a fallback that relies on something you remember or something you have.

Then again, I think of it like bike locks. Because my bike is at high risk of being stolen, I use two D-locks, even though this adds weight and inconvenience. But that’s my specific need, and 5 minutes with an angle grinder will get through them anyway. No perfect system, only one appropriate to your use case.

2 Likes

Yes. All that (plus having to carry a card reader, and find it + card, which will be in a different place), vs just tapping your yubikey on your phone (NFC) or touching it (USB). Can’t compare the two in terms of convenience IMHO.

Absolutely.

Sure you can. Establish security procedures that can’t be circumvented. Produce material that explains why you’ve done that. Teach kids in school (I try to do that).

I’m not disagreeing that the face thing is a good solution, as it strikes a good balance for the bank and the customer, but if you claim that you can’t force people to learn, isn’t that accepting that people will keep using password123 and sticking it on their monitors? Surely in every company nowadays, Monzo included, there is IT security training and sanctions for ignoring the security policies of the company? Same for people, except the sanction is you lose your money or data.

1 Like

For example?

Although I once heard a security expert say that you can’t replace it either.

The point he was making was that if your biometrics are compromised in the future, then that’s a much bigger deal than losing a key or someone knowing your password.

5 Likes

Very true, lots of fingerprints have already been leaked.

Face is harder, because FaceID takes a 3D image, but a 3D printed mask can reportedly still overcome it. This is why it has to be kept on the device and not online, which then makes its use limited. Also, it is difficult to stop someone getting hold of an image of your face.

I feel so behind. what is TOTP? :no_mouth: :face_with_open_eyes_and_hand_over_mouth:

1 Like

18 Likes

Stand by…

(Temporarily closing thread to move stuff).

1 Like