Re: Malicious SS7 activity and why SMS should never be used for 2FA
>
> As far as I know, authenticators on cell phone apps don’t require the
> Internet. For example, the Google Authenticator mobile app doesn't require
> any Internet or cellular connection
>

Lots of people still use feature phones that are not capable of running
applications such as this.

On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel@beckman.org> wrote:

> As far as I know, authenticators on cell phone apps don’t require the
> Internet. For example, the Google Authenticator mobile app doesn't require
> any Internet or cellular connection. The authenticated system generates a
> secret key - a unique 16 or 32 character alphanumeric code. This key is
> scanned by GA or can be entered manually and as a result, both the
> authenticated system and GA know the same secret key, and can compute the
> time-based 2nd factor OTP just as hardware tokens do.
>
> There are two algorithms: HOTP and TOTP. The main difference is in OTP
> expiration time: with HOTP, the OTP is valid until it hasn’t been used;
> TOTP times out after some specified interval - usually 30 or 60 seconds.
> For TOTP, the system time must be synced, otherwise the generated OTPs will
> be wrong. But you can get accurate enough clock time without the Internet,
> either manually using some radio source such as WWV, or by GPS or cellular
> system synchronization.
>
> -mel
>
> > On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
> >
> >> On 4/18/21 05:18, Mel Beckman wrote:
> >>
> >> No, every SMS 2FA should be prohibited by regulatory certifications.
> The telcos had years to secure SMS. They did nothing. The plethora of
> well-secured commercial 2FA authentication tokens, many of them free,
> should be a mandatory replacement for 2FA in every security governance
> regime, such as PCI, financial account access, government web portals, etc.
> >
> > While I agree that SMS is insecure at the moment, I think there still
> needs to be a mechanism that does not rely on the presence of an Internet
> connection. One may not be able to have access to the Internet for a number
> of reasons (traveling, coverage, outage, device, money, etc.), and a
> fallback needs to be available to authenticate.
> >
> > I know some companies have been pushing for voice authentication for
> their services through a phone call, in lieu of SMS or DTMF-based PIN's.
> >
> > We need something that works at the lowest common denominator as well,
> because as available as the Internet is worldwide, it's not yet at a level
> that one would consider "basic access".
> >
> > Mark.
>
Re: Malicious SS7 activity and why SMS should never be used for 2FA
Then they can buy a hardware token. Using SMS is provably insecure, and for people being spear-phished (a much more common occurrence now that so much net worth data has been breached), a huge risk

-mel

On Apr 19, 2021, at 5:44 AM, Tom Beecher <beecher@beecher.cc> wrote:

As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection

Lots of people still use feature phones that are not capable of running applications such as this.

On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel@beckman.org> wrote:
As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scanned by GA or can be entered manually and as a result, both the authenticated system and GA know the same secret key, and can compute the time-based 2nd factor OTP just as hardware tokens do.

There are two algorithms: HOTP and TOTP. The main difference is in OTP expiration time: with HOTP, the OTP is valid until it hasn’t been used; TOTP times out after some specified interval - usually 30 or 60 seconds. For TOTP, the system time must be synced, otherwise the generated OTPs will be wrong. But you can get accurate enough clock time without the Internet, either manually using some radio source such as WWV, or by GPS or cellular system synchronization.

-mel

> On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
>
>> On 4/18/21 05:18, Mel Beckman wrote:
>>
>> No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.
>
> While I agree that SMS is insecure at the moment, I think there still needs to be a mechanism that does not rely on the presence of an Internet connection. One may not be able to have access to the Internet for a number of reasons (traveling, coverage, outage, device, money, etc.), and a fallback needs to be available to authenticate.
>
> I know some companies have been pushing for voice authentication for their services through a phone call, in lieu of SMS or DTMF-based PIN's.
>
> We need something that works at the lowest common denominator as well, because as available as the Internet is worldwide, it's not yet at a level that one would consider "basic access".
>
> Mark.
Re: Malicious SS7 activity and why SMS should never be used for 2FA
On 4/19/21 14:47, Mel Beckman wrote:

> Then they can buy a hardware token. Using SMS is provably insecure,
> and for people being spear-phished (a much more common occurrence now
> that so much net worth data has been breached), a huge risk

Most regular folk (especially those that may not have smartphones) who
have the option of SMS or a key fob will end up using SMS because it
does not cause them to spend time standing in a queue in a building to
give up cash.

Their belief that SMS is secure (enough) has nothing to do with whether
it actually is. It's all about convenience, and how much they can get
done without speaking to a human.

If a key fob can be sent to them - preferably for free - that would help.

Mark.
Re: Malicious SS7 activity and why SMS should never be used for 2FA
HW tokens are great, sure.

Except there is a lot of overlap in the Venn diagram between those who
still use feature phones and those for whom spending $30 on said hardware token
is financially obtrusive. ( Not to mention that every hardware token I can
remember looking at requires an app to set themselves up in the first
place, and if this is for the people who can't install apps, that's an
interesting circular dependency. )

I'm not arguing for or against anything here honestly. I'm just pointing
out that we ( as in the technical community we ) have a tendency to put
forward solutions that completely ignore what might be reasonably feasible
for those of lower income , or parts of the world not as technologically
developed as we might be in ourselves, and we should try to shrink that gap
whenever possible, not make it worse.

On Mon, Apr 19, 2021 at 8:47 AM Mel Beckman <mel@beckman.org> wrote:

> Then they can buy a hardware token. Using SMS is provably insecure, and
> for people being spear-phished (a much more common occurrence now that so
> much net worth data has been breached), a huge risk
>
> -mel
>
> On Apr 19, 2021, at 5:44 AM, Tom Beecher <beecher@beecher.cc> wrote:
>
>> As far as I know, authenticators on cell phone apps don’t require the
>> Internet. For example, the Google Authenticator mobile app doesn't require
>> any Internet or cellular connection
>>
>
> Lots of people still use feature phones that are not capable of running
> applications such as this.
>
> On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel@beckman.org> wrote:
>
>> As far as I know, authenticators on cell phone apps don’t require the
>> Internet. For example, the Google Authenticator mobile app doesn't require
>> any Internet or cellular connection. The authenticated system generates a
>> secret key - a unique 16 or 32 character alphanumeric code. This key is
>> scanned by GA or can be entered manually and as a result, both the
>> authenticated system and GA know the same secret key, and can compute the
>> time-based 2nd factor OTP just as hardware tokens do.
>>
>> There are two algorithms: HOTP and TOTP. The main difference is in OTP
>> expiration time: with HOTP, the OTP is valid until it hasn’t been used;
>> TOTP times out after some specified interval - usually 30 or 60 seconds.
>> For TOTP, the system time must be synced, otherwise the generated OTPs will
>> be wrong. But you can get accurate enough clock time without the Internet,
>> either manually using some radio source such as WWV, or by GPS or cellular
>> system synchronization.
>>
>> -mel
>>
>> > On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
>> >
>> >> On 4/18/21 05:18, Mel Beckman wrote:
>> >>
>> >> No, every SMS 2FA should be prohibited by regulatory certifications.
>> The telcos had years to secure SMS. They did nothing. The plethora of
>> well-secured commercial 2FA authentication tokens, many of them free,
>> should be a mandatory replacement for 2FA in every security governance
>> regime, such as PCI, financial account access, government web portals, etc.
>> >
>> > While I agree that SMS is insecure at the moment, I think there still
>> needs to be a mechanism that does not rely on the presence of an Internet
>> connection. One may not be able to have access to the Internet for a number
>> of reasons (traveling, coverage, outage, device, money, etc.), and a
>> fallback needs to be available to authenticate.
>> >
>> > I know some companies have been pushing for voice authentication for
>> their services through a phone call, in lieu of SMS or DTMF-based PIN's.
>> >
>> > We need something that works at the lowest common denominator as well,
>> because as available as the Internet is worldwide, it's not yet at a level
>> that one would consider "basic access".
>> >
>> > Mark.
>>
>
Re: Malicious SS7 activity and why SMS should never be used for 2FA
On 4/19/21 15:07, Tom Beecher wrote:

>
> I'm not arguing for or against anything here honestly. I'm just
> pointing out that we ( as in the technical community we ) have a
> tendency to put forward solutions that completely ignore what might be
> reasonably feasible for those of lower income , or parts of the world
> not as technologically developed as we might be in ourselves, and we
> should try to shrink that gap whenever possible, not make it worse.

This!

Nowadays, the businesses that tend to do very well while seeming like a
black box to most of their customers, are the ones who are consistently
solving problems from the perspective of real people, at scale.

If you solve it for 1, you solve it for 10,000 - and then the rest of
exponential impact.

Mark.
Re: Malicious SS7 activity and why SMS should never be used for 2FA
Tom,

Well, yes, not everyone can afford all technology options. That’s life. One has to wonder how someone who needs to protect online accounts cannot afford a $30 hardware token (which can be shared across several accounts). These low-income people are not the targets of identity thieves, spear fishers, or data ransomers. Unlike you, I AM arguing against something: SMS as a 2FA token. In this case I don’t think we have ignored low-income users, for the same reason that home alarm security aren't ignoring low-income users who can’t afford their products. It’s certainly no reason to hobble security for the rest of us.

-mel


On Apr 19, 2021, at 6:07 AM, Tom Beecher <beecher@beecher.cc> wrote:

HW tokens are great, sure.

Except there is a lot of overlap in the Venn diagram between those who still use feature phones and those for whom spending $30 on said hardware token is financially obtrusive. ( Not to mention that every hardware token I can remember looking at requires an app to set themselves up in the first place, and if this is for the people who can't install apps, that's an interesting circular dependency. )

I'm not arguing for or against anything here honestly. I'm just pointing out that we ( as in the technical community we ) have a tendency to put forward solutions that completely ignore what might be reasonably feasible for those of lower income , or parts of the world not as technologically developed as we might be in ourselves, and we should try to shrink that gap whenever possible, not make it worse.

On Mon, Apr 19, 2021 at 8:47 AM Mel Beckman <mel@beckman.org> wrote:
Then they can buy a hardware token. Using SMS is provably insecure, and for people being spear-phished (a much more common occurrence now that so much net worth data has been breached), a huge risk

-mel

On Apr 19, 2021, at 5:44 AM, Tom Beecher <beecher@beecher.cc> wrote:

As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection

Lots of people still use feature phones that are not capable of running applications such as this.

On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel@beckman.org> wrote:
As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scanned by GA or can be entered manually and as a result, both the authenticated system and GA know the same secret key, and can compute the time-based 2nd factor OTP just as hardware tokens do.

There are two algorithms: HOTP and TOTP. The main difference is in OTP expiration time: with HOTP, the OTP is valid until it hasn’t been used; TOTP times out after some specified interval - usually 30 or 60 seconds. For TOTP, the system time must be synced, otherwise the generated OTPs will be wrong. But you can get accurate enough clock time without the Internet, either manually using some radio source such as WWV, or by GPS or cellular system synchronization.

-mel

> On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
>
>> On 4/18/21 05:18, Mel Beckman wrote:
>>
>> No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.
>
> While I agree that SMS is insecure at the moment, I think there still needs to be a mechanism that does not rely on the presence of an Internet connection. One may not be able to have access to the Internet for a number of reasons (traveling, coverage, outage, device, money, etc.), and a fallback needs to be available to authenticate.
>
> I know some companies have been pushing for voice authentication for their services through a phone call, in lieu of SMS or DTMF-based PIN's.
>
> We need something that works at the lowest common denominator as well, because as available as the Internet is worldwide, it's not yet at a level that one would consider "basic access".
>
> Mark.
Re: Malicious SS7 activity and why SMS should never be used for 2FA
> I'd add to that that people probably shouldn't treat phones as a
> significant increase in security, it's not really the out-of-band
> device that it used to be/was in the 1990s. Today, it basically
> equates to a second computer and the probability that the second
> computer is also compromised isn't overly unrealistic.

by the same attacker? raises the bar a bit. it's just a second factor,
not a guarantee.

i am a fan of the google token and don't like having to carry a
different hw token for everyone who wants to hw 2fa me.

but i think $ubject is correct. sms 2fa is roadkill.

randy

---
randy@psg.com
`gpg --locate-external-keys --auto-key-locate wkd randy@psg.com`
signatures are back, thanks to dmarc header butchery
Re: Malicious SS7 activity and why SMS should never be used for 2FA
>
> These low-income people are not the targets of identity thieves, spear
> fishers, or data ransomers.
>

This is patently false. Low-income / disabled / minority / non-English
speakers are absolutely targets of scams like those, and in
significant numbers.



On Mon, Apr 19, 2021 at 9:33 AM Mel Beckman <mel@beckman.org> wrote:

> Tom,
>
> Well, yes, not everyone can afford all technology options. That’s life.
> One has to wonder how someone who needs to protect online accounts cannot
> afford a $30 hardware token (which can be shared across several accounts).
> These low-income people are not the targets of identity thieves, spear
> fishers, or data ransomers. Unlike you, I AM arguing against something: SMS
> as a 2FA token. In this case I don’t think we have ignored low-income
> users, for the same reason that home alarm security aren't ignoring
> low-income users who can’t afford their products. It’s certainly no reason
> to hobble security for the rest of us.
>
> -mel
>
>
> On Apr 19, 2021, at 6:07 AM, Tom Beecher <beecher@beecher.cc> wrote:
>
> HW tokens are great, sure.
>
> Except there is a lot of overlap in the Venn diagram between those who
> still use feature phones and those for whom spending $30 on said hardware token
> is financially obtrusive. ( Not to mention that every hardware token I can
> remember looking at requires an app to set themselves up in the first
> place, and if this is for the people who can't install apps, that's an
> interesting circular dependency. )
>
> I'm not arguing for or against anything here honestly. I'm just pointing
> out that we ( as in the technical community we ) have a tendency to put
> forward solutions that completely ignore what might be reasonably feasible
> for those of lower income , or parts of the world not as technologically
> developed as we might be in ourselves, and we should try to shrink that gap
> whenever possible, not make it worse.
>
> On Mon, Apr 19, 2021 at 8:47 AM Mel Beckman <mel@beckman.org> wrote:
>
>> Then they can buy a hardware token. Using SMS is provably insecure, and
>> for people being spear-phished (a much more common occurrence now that so
>> much net worth data has been breached), a huge risk
>>
>> -mel
>>
>> On Apr 19, 2021, at 5:44 AM, Tom Beecher <beecher@beecher.cc> wrote:
>>
>>> As far as I know, authenticators on cell phone apps don’t require the
>>> Internet. For example, the Google Authenticator mobile app doesn't require
>>> any Internet or cellular connection
>>>
>>
>> Lots of people still use feature phones that are not capable of running
>> applications such as this.
>>
>> On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel@beckman.org> wrote:
>>
>>> As far as I know, authenticators on cell phone apps don’t require the
>>> Internet. For example, the Google Authenticator mobile app doesn't require
>>> any Internet or cellular connection. The authenticated system generates a
>>> secret key - a unique 16 or 32 character alphanumeric code. This key is
>>> scanned by GA or can be entered manually and as a result, both the
>>> authenticated system and GA know the same secret key, and can compute the
>>> time-based 2nd factor OTP just as hardware tokens do.
>>>
>>> There are two algorithms: HOTP and TOTP. The main difference is in OTP
>>> expiration time: with HOTP, the OTP is valid until it hasn’t been used;
>>> TOTP times out after some specified interval - usually 30 or 60 seconds.
>>> For TOTP, the system time must be synced, otherwise the generated OTPs will
>>> be wrong. But you can get accurate enough clock time without the Internet,
>>> either manually using some radio source such as WWV, or by GPS or cellular
>>> system synchronization.
>>>
>>> -mel
>>>
>>> > On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
>>> >
>>> >> On 4/18/21 05:18, Mel Beckman wrote:
>>> >>
>>> >> No, every SMS 2FA should be prohibited by regulatory certifications.
>>> The telcos had years to secure SMS. They did nothing. The plethora of
>>> well-secured commercial 2FA authentication tokens, many of them free,
>>> should be a mandatory replacement for 2FA in every security governance
>>> regime, such as PCI, financial account access, government web portals, etc.
>>> >
>>> > While I agree that SMS is insecure at the moment, I think there still
>>> needs to be a mechanism that does not rely on the presence of an Internet
>>> connection. One may not be able to have access to the Internet for a number
>>> of reasons (traveling, coverage, outage, device, money, etc.), and a
>>> fallback needs to be available to authenticate.
>>> >
>>> > I know some companies have been pushing for voice authentication for
>>> their services through a phone call, in lieu of SMS or DTMF-based PIN's.
>>> >
>>> > We need something that works at the lowest common denominator as well,
>>> because as available as the Internet is worldwide, it's not yet at a level
>>> that one would consider "basic access".
>>> >
>>> > Mark.
>>>
>>
>
Re: Malicious SS7 activity and why SMS should never be used for 2FA
Can you cite data? Or provide a rational argument other than “they are”?

-mel via cell

On Apr 19, 2021, at 7:01 AM, Tom Beecher <beecher@beecher.cc> wrote:

These low-income people are not the targets of identity thieves, spear fishers, or data ransomers.

This is patently false. Low-income / disabled / minority / non-English speakers are absolutely targets of scams like those, and in significant numbers.



On Mon, Apr 19, 2021 at 9:33 AM Mel Beckman <mel@beckman.org> wrote:
Tom,

Well, yes, not everyone can afford all technology options. That’s life. One has to wonder how someone who needs to protect online accounts cannot afford a $30 hardware token (which can be shared across several accounts). These low-income people are not the targets of identity thieves, spear fishers, or data ransomers. Unlike you, I AM arguing against something: SMS as a 2FA token. In this case I don’t think we have ignored low-income users, for the same reason that home alarm security aren't ignoring low-income users who can’t afford their products. It’s certainly no reason to hobble security for the rest of us.

-mel


On Apr 19, 2021, at 6:07 AM, Tom Beecher <beecher@beecher.cc> wrote:

HW tokens are great, sure.

Except there is a lot of overlap in the Venn diagram between those who still use feature phones and those for whom spending $30 on said hardware token is financially obtrusive. ( Not to mention that every hardware token I can remember looking at requires an app to set themselves up in the first place, and if this is for the people who can't install apps, that's an interesting circular dependency. )

I'm not arguing for or against anything here honestly. I'm just pointing out that we ( as in the technical community we ) have a tendency to put forward solutions that completely ignore what might be reasonably feasible for those of lower income , or parts of the world not as technologically developed as we might be in ourselves, and we should try to shrink that gap whenever possible, not make it worse.

On Mon, Apr 19, 2021 at 8:47 AM Mel Beckman <mel@beckman.org> wrote:
Then they can buy a hardware token. Using SMS is provably insecure, and for people being spear-phished (a much more common occurrence now that so much net worth data has been breached), a huge risk

-mel

On Apr 19, 2021, at 5:44 AM, Tom Beecher <beecher@beecher.cc> wrote:

As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection

Lots of people still use feature phones that are not capable of running applications such as this.

On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel@beckman.org> wrote:
As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scanned by GA or can be entered manually and as a result, both the authenticated system and GA know the same secret key, and can compute the time-based 2nd factor OTP just as hardware tokens do.

There are two algorithms: HOTP and TOTP. The main difference is in OTP expiration time: with HOTP, the OTP is valid until it hasn’t been used; TOTP times out after some specified interval - usually 30 or 60 seconds. For TOTP, the system time must be synced, otherwise the generated OTPs will be wrong. But you can get accurate enough clock time without the Internet, either manually using some radio source such as WWV, or by GPS or cellular system synchronization.

-mel

> On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
>
>> On 4/18/21 05:18, Mel Beckman wrote:
>>
>> No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.
>
> While I agree that SMS is insecure at the moment, I think there still needs to be a mechanism that does not rely on the presence of an Internet connection. One may not be able to have access to the Internet for a number of reasons (traveling, coverage, outage, device, money, etc.), and a fallback needs to be available to authenticate.
>
> I know some companies have been pushing for voice authentication for their services through a phone call, in lieu of SMS or DTMF-based PIN's.
>
> We need something that works at the lowest common denominator as well, because as available as the Internet is worldwide, it's not yet at a level that one would consider "basic access".
>
> Mark.
Re: Malicious SS7 activity and why SMS should never be used for 2FA
https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-2020/csn_annual_data_book_2020.pdf

https://www.bjs.gov/content/pub/pdf/vit18.pdf




On Mon, Apr 19, 2021 at 10:10 AM Mel Beckman <mel@beckman.org> wrote:

> Can you cite data? Or provide a rational argument other than “they are”?
>
> -mel via cell
>
> On Apr 19, 2021, at 7:01 AM, Tom Beecher <beecher@beecher.cc> wrote:
>
>> These low-income people are not the targets of identity thieves, spear
>> fishers, or data ransomers.
>>
>
> This is patently false. Low-income / disabled / minority / non-English
> speakers are absolutely targets of scams like those, and in
> significant numbers.
>
>
>
> On Mon, Apr 19, 2021 at 9:33 AM Mel Beckman <mel@beckman.org> wrote:
>
>> Tom,
>>
>> Well, yes, not everyone can afford all technology options. That’s life.
>> One has to wonder how someone who needs to protect online accounts cannot
>> afford a $30 hardware token (which can be shared across several accounts).
>> These low-income people are not the targets of identity thieves, spear
>> fishers, or data ransomers. Unlike you, I AM arguing against something: SMS
>> as a 2FA token. In this case I don’t think we have ignored low-income
>> users, for the same reason that home alarm security aren't ignoring
>> low-income users who can’t afford their products. It’s certainly no reason
>> to hobble security for the rest of us.
>>
>> -mel
>>
>>
>> On Apr 19, 2021, at 6:07 AM, Tom Beecher <beecher@beecher.cc> wrote:
>>
>> HW tokens are great, sure.
>>
>> Except there is a lot of overlap in the Venn diagram between those who
>> still use feature phones and those for whom spending $30 on said hardware token
>> is financially obtrusive. ( Not to mention that every hardware token I can
>> remember looking at requires an app to set themselves up in the first
>> place, and if this is for the people who can't install apps, that's an
>> interesting circular dependency. )
>>
>> I'm not arguing for or against anything here honestly. I'm just pointing
>> out that we ( as in the technical community we ) have a tendency to put
>> forward solutions that completely ignore what might be reasonably feasible
>> for those of lower income , or parts of the world not as technologically
>> developed as we might be in ourselves, and we should try to shrink that gap
>> whenever possible, not make it worse.
>>
>> On Mon, Apr 19, 2021 at 8:47 AM Mel Beckman <mel@beckman.org> wrote:
>>
>>> Then they can buy a hardware token. Using SMS is provably insecure, and
>>> for people being spear-phished (a much more common occurrence now that so
>>> much net worth data has been breached), a huge risk
>>>
>>> -mel
>>>
>>> On Apr 19, 2021, at 5:44 AM, Tom Beecher <beecher@beecher.cc> wrote:
>>>
>>>> As far as I know, authenticators on cell phone apps don’t require the
>>>> Internet. For example, the Google Authenticator mobile app doesn't require
>>>> any Internet or cellular connection
>>>>
>>>
>>> Lots of people still use feature phones that are not capable of running
>>> applications such as this.
>>>
>>> On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel@beckman.org> wrote:
>>>
>>>> As far as I know, authenticators on cell phone apps don’t require the
>>>> Internet. For example, the Google Authenticator mobile app doesn't require
>>>> any Internet or cellular connection. The authenticated system generates a
>>>> secret key - a unique 16 or 32 character alphanumeric code. This key is
>>>> scanned by GA or can be entered manually and as a result, both the
>>>> authenticated system and GA know the same secret key, and can compute the
>>>> time-based 2nd factor OTP just as hardware tokens do.
>>>>
>>>> There are two algorithms: HOTP and TOTP. The main difference is in OTP
>>>> expiration time: with HOTP, the OTP is valid until it hasn’t been used;
>>>> TOTP times out after some specified interval - usually 30 or 60 seconds.
>>>> For TOTP, the system time must be synced, otherwise the generated OTPs will
>>>> be wrong. But you can get accurate enough clock time without the Internet,
>>>> either manually using some radio source such as WWV, or by GPS or cellular
>>>> system synchronization.
>>>>
>>>> -mel
>>>>
>>>> > On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
>>>> >
>>>> >> On 4/18/21 05:18, Mel Beckman wrote:
>>>> >>
>>>> >> No, every SMS 2FA should be prohibited by regulatory certifications.
>>>> The telcos had years to secure SMS. They did nothing. The plethora of
>>>> well-secured commercial 2FA authentication tokens, many of them free,
>>>> should be a mandatory replacement for 2FA in every security governance
>>>> regime, such as PCI, financial account access, government web portals, etc.
>>>> >
>>>> > While I agree that SMS is insecure at the moment, I think there still
>>>> needs to be a mechanism that does not rely on the presence of an Internet
>>>> connection. One may not be able to have access to the Internet for a number
>>>> of reasons (traveling, coverage, outage, device, money, etc.), and a
>>>> fallback needs to be available to authenticate.
>>>> >
>>>> > I know some companies have been pushing for voice authentication for
>>>> their services through a phone call, in lieu of SMS or DTMF-based PIN's.
>>>> >
>>>> > We need something that works at the lowest common denominator as
>>>> well, because as available as the Internet is worldwide, it's not yet at a
>>>> level that one would consider "basic access".
>>>> >
>>>> > Mark.
>>>>
>>>
>>
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
I don’t see any data showing that poor people are targets of Account access attacks. Can you point out the specific data you think supports your claim?

-mel via cell

On Apr 19, 2021, at 7:33 AM, Tom Beecher <beecher@beecher.cc> wrote:

https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-2020/csn_annual_data_book_2020.pdf

https://www.bjs.gov/content/pub/pdf/vit18.pdf




On Mon, Apr 19, 2021 at 10:10 AM Mel Beckman <mel@beckman.org> wrote:
Can you cite data? Or provide a rational argument other than “they are”?

-mel via cell

On Apr 19, 2021, at 7:01 AM, Tom Beecher <beecher@beecher.cc> wrote:

These low-income people are not the targets of identity thieves, spear fishers, or data ransomers.

This is patently false. Low-income / disabled / minority / non-English speakers are absolutely targets of scams like those, and in significant numbers.



On Mon, Apr 19, 2021 at 9:33 AM Mel Beckman <mel@beckman.org> wrote:
Tom,

Well, yes, not everyone can afford all technology options. That’s life. One has to wonder how someone who needs to protect online accounts cannot afford a $30 hardware token (which can be shared across several accounts). These low-income people are not the targets of identity thieves, spear fishers, or data ransomers. Unlike you, I AM arguing against something: SMS as a 2FA token. In this case I don’t think we have ignored low-income users, for the same reason that home alarm security aren't ignoring low-income users who can’t afford their products. It’s certainly no reason to hobble security for the rest of us.

-mel


On Apr 19, 2021, at 6:07 AM, Tom Beecher <beecher@beecher.cc> wrote:

HW tokens are great, sure.

Except there is a lot of overlap in the Venn diagram between those who still use feature phones and those for whom spending $30 on said hardware token is financially obtrusive. ( Not to mention that every hardware token I can remember looking at requires an app to set themselves up in the first place, and if this is for the people who can't install apps, that's an interesting circular dependency. )

I'm not arguing for or against anything here honestly. I'm just pointing out that we ( as in the technical community we ) have a tendency to put forward solutions that completely ignore what might be reasonably feasible for those of lower income , or parts of the world not as technologically developed as we might be in ourselves, and we should try to shrink that gap whenever possible, not make it worse.

On Mon, Apr 19, 2021 at 8:47 AM Mel Beckman <mel@beckman.org> wrote:
Then they can buy a hardware token. Using SMS is provably insecure, and for people being spear-phished (a much more common occurrence now that so much net worth data has been breached), a huge risk

-mel

On Apr 19, 2021, at 5:44 AM, Tom Beecher <beecher@beecher.cc> wrote:

As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection

Lots of people still use feature phones that are not capable of running applications such as this.

On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel@beckman.org> wrote:
As far as I know, authenticators on cell phone apps don’t require the Internet. For example, the Google Authenticator mobile app doesn't require any Internet or cellular connection. The authenticated system generates a secret key - a unique 16 or 32 character alphanumeric code. This key is scanned by GA or can be entered manually and as a result, both the authenticated system and GA know the same secret key, and can compute the time-based 2nd factor OTP just as hardware tokens do.

There are two algorithms: HOTP and TOTP. The main difference is in OTP expiration time: with HOTP, the OTP is valid until it hasn’t been used; TOTP times out after some specified interval - usually 30 or 60 seconds. For TOTP, the system time must be synced, otherwise the generated OTPs will be wrong. But you can get accurate enough clock time without the Internet, either manually using some radio source such as WWV, or by GPS or cellular system synchronization.

-mel

> On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
>
>
>> On 4/18/21 05:18, Mel Beckman wrote:
>>
>> No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.
>
> While I agree that SMS is insecure at the moment, I think there still needs to be a mechanism that does not rely on the presence of an Internet connection. One may not be able to have access to the Internet for a number of reasons (traveling, coverage, outage, device, money, e.t.c.), and a fallback needs to be available to authenticate.
>
> I know some companies have been pushing for voice authentication for their services through a phone call, in lieu of SMS or DTMF-based PIN's.
>
> We need something that works at the lowest common denominator as well, because as available as the Internet is worldwide, it's not yet at a level that one would consider "basic access".
>
> Mark.
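The HOTP/TOTP mechanism Mel describes in the quoted message above (a shared secret entered into the authenticator, a counter- or time-derived code, the synced-clock requirement for TOTP, and HOTP codes staying valid until used) as an added, runnable example. This is not code from the thread or from any authenticator vendor; it is a from-scratch implementation of RFC 4226 and RFC 6238 using only the Python standard library. The Base32 secret is the RFCs' published test key, not a real credential, and the function names, the one-step skew window in `verify_totp` and the ten-step look-ahead in `HotpVerifier` are assumptions chosen for the example rather than values stated in the thread.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret: the Base32 form of the RFC 4226 / RFC 6238 test key
# "12345678901234567890". Not a real credential; real secrets come from os.urandom().
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DIGITS = 6   # code length most authenticator apps display
STEP = 30    # TOTP time step in seconds (the "30 or 60 seconds" from the thread)


def decode_secret(b32: str) -> bytes:
    """Turn the 16/32-character Base32 string from the QR code or manual entry into key bytes.

    Authenticator apps tolerate spaces, lowercase and missing '=' padding, so do the same here.
    """
    cleaned = b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(key: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP is HOTP with counter = floor(unix_time / step); both sides need the same clock."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, window: int = 1, step: int = STEP):
    """Server-side TOTP check (assumed policy, not from the thread).

    Accepts the current step plus `window` steps either side to absorb small clock skew
    (window=1 is roughly +/-30 s). Returns the matched step counter, or None.
    hmac.compare_digest keeps the comparison constant-time.
    """
    current = unix_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, current + delta), code):
            return current + delta
    return None


class HotpVerifier:
    """Server-side HOTP state (assumed design, not from the thread).

    An HOTP code stays valid until it is used, so the server must advance its counter past
    every accepted code to stop replay. The look-ahead lets the client drift a few steps ahead
    (e.g. a button press that never reached the server) without locking the user out.
    """

    def __init__(self, key: bytes, look_ahead: int = 10):
        self.key = key
        self.counter = 0  # next counter value the server expects
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.counter = c + 1  # burn this counter and any it skipped over
                return True
        return False


if __name__ == "__main__":
    import time

    key = decode_secret(DEMO_SECRET_B32)
    now = int(time.time())
    print("TOTP now:", totp(key, now), "valid for", STEP - now % STEP, "more seconds")
```

Two things the thread's description leaves implicit show up in the code: the TOTP verifier only needs the two clocks to agree to within the acceptance window, which is why an offline radio or GPS time source is good enough, and the HOTP verifier is stateful, since nothing but the server's advancing counter stops a captured code from being reused. A production TOTP verifier should likewise record the last accepted step so that a code cannot be replayed within its window.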
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
>
> Can you point out the specific data you think supports your claim?
>

I can, but I'm not going to, because that's not what this side discussion
has been based on.

You said :

These low-income people are not the targets of identity thieves, spear
> fishers, or data ransomers.


I just showed you data that shows they are, but now are trying to move the
goalposts with new quantifiers. I think this discussion has run its course
for me. Take care.

On Mon, Apr 19, 2021 at 10:45 AM Mel Beckman <mel@beckman.org> wrote:

> I don’t see any data showing that poor people are *targets* of Account
> access attacks. Can you point out the specific data you think supports your
> claim?
>
> -mel via cell
>
> On Apr 19, 2021, at 7:33 AM, Tom Beecher <beecher@beecher.cc> wrote:
>
>
> https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-2020/csn_annual_data_book_2020.pdf
>
> https://www.bjs.gov/content/pub/pdf/vit18.pdf
>
>
>
>
> On Mon, Apr 19, 2021 at 10:10 AM Mel Beckman <mel@beckman.org> wrote:
>
>> Can you cite data? Or provide a rational argument other than “they are”?
>>
>> -mel via cell
>>
>> On Apr 19, 2021, at 7:01 AM, Tom Beecher <beecher@beecher.cc> wrote:
>>
>>
>>> These low-income people are not the targets of identity thieves, spear
>>> fishers, or data ransomers.
>>>
>>
>> This is patently false. Low-income / disabled / minority / non-English
>> speakers are absolutely targets of scams like those, and in
>> significant numbers.
>>
>>
>>
>> On Mon, Apr 19, 2021 at 9:33 AM Mel Beckman <mel@beckman.org> wrote:
>>
>>> Tom,
>>>
>>> Well, yes, not everyone can afford all technology options. That’s life.
>>> One has to wonder how someone who needs to protect online accounts cannot
>>> afford a $30 hardware token (which can be shared across several accounts).
>>> These low-income people are not the targets of identity thieves, spear
>>> fishers, or data ransomers. Unlike you, I AM arguing against something: SMS
>>> as a 2FA token. In this case I don’t think we have ignored low-income
>>> users, for the same reason that home alarm security aren't ignoring
>>> low-income users who can’t afford their products. It’s certainly no reason
>>> to hobble security for the rest of us.
>>>
>>> -mel
>>>
>>>
>>> On Apr 19, 2021, at 6:07 AM, Tom Beecher <beecher@beecher.cc> wrote:
>>>
>>> HW tokens are great, sure.
>>>
>>> Except there is a lot of overlap in the Venn diagram between those who
>>> still use feature phones and those for whom spending $30 on said hardware
>>> token is financially obtrusive. ( Not to mention that every hardware token I can
>>> remember looking at requires an app to set themselves up in the first
>>> place, and if this is for the people who can't install apps, that's an
>>> interesting circular dependency. )
>>>
>>> I'm not arguing for or against anything here honestly. I'm just pointing
>>> out that we ( as in the technical community we ) have a tendency to put
>>> forward solutions that completely ignore what might be reasonably feasible
>>> for those of lower income , or parts of the world not as technologically
>>> developed as we might be in ourselves, and we should try to shrink that gap
>>> whenever possible, not make it worse.
>>>
>>> On Mon, Apr 19, 2021 at 8:47 AM Mel Beckman <mel@beckman.org> wrote:
>>>
>>>> Then they can buy a hardware token. Using SMS is provably insecure, and
>>>> for people being spear-phished (a much more common occurrence now that so
>>>> much net worth data has been breached), a huge risk
>>>>
>>>> -mel
>>>>
>>>> On Apr 19, 2021, at 5:44 AM, Tom Beecher <beecher@beecher.cc> wrote:
>>>>
>>>>
>>>>> As far as I know, authenticators on cell phone apps don’t require the
>>>>> Internet. For example, the Google Authenticator mobile app doesn't require
>>>>> any Internet or cellular connection
>>>>>
>>>>
>>>> Lots of people still use feature phones that are not capable of running
>>>> applications such as this.
>>>>
>>>> On Sun, Apr 18, 2021 at 9:05 AM Mel Beckman <mel@beckman.org> wrote:
>>>>
>>>>> As far as I know, authenticators on cell phone apps don’t require the
>>>>> Internet. For example, the Google Authenticator mobile app doesn't require
>>>>> any Internet or cellular connection. The authenticated system generates a
>>>>> secret key - a unique 16 or 32 character alphanumeric code. This key is
>>>>> scanned by GA or can be entered manually and as a result, both the
>>>>> authenticated system and GA know the same secret key, and can compute the
>>>>> time-based 2nd factor OTP just as hardware tokens do.
>>>>>
>>>>> There are two algorithms: HOTP and TOTP. The main difference is in OTP
>>>>> expiration time: with HOTP, the OTP is valid until it hasn’t been used;
>>>>> TOTP times out after some specified interval - usually 30 or 60 seconds.
>>>>> For TOTP, the system time must be synced, otherwise the generated OTPs will
>>>>> be wrong. But you can get accurate enough clock time without the Internet,
>>>>> either manually using some radio source such as WWV, or by GPS or cellular
>>>>> system synchronization.
>>>>>
>>>>> -mel
>>>>>
>>>>> > On Apr 18, 2021, at 5:46 AM, Mark Tinka <mark@tinka.africa> wrote:
>>>>> >
>>>>> >
>>>>> >> On 4/18/21 05:18, Mel Beckman wrote:
>>>>> >>
>>>>> >> No, every SMS 2FA should be prohibited by regulatory
>>>>> certifications. The telcos had years to secure SMS. They did nothing. The
>>>>> plethora of well-secured commercial 2FA authentication tokens, many of them
>>>>> free, should be a mandatory replacement for 2FA in every security
>>>>> governance regime, such as PCI, financial account access, government web
>>>>> portals, etc.
>>>>> >
>>>>> > While I agree that SMS is insecure at the moment, I think there
>>>>> still needs to be a mechanism that does not rely on the presence of an
>>>>> Internet connection. One may not be able to have access to the Internet for
>>>>> a number of reasons (traveling, coverage, outage, device, money, e.t.c.),
>>>>> and a fallback needs to be available to authenticate.
>>>>> >
>>>>> > I know some companies have been pushing for voice authentication for
>>>>> their services through a phone call, in lieu of SMS or DTMF-based PIN's.
>>>>> >
>>>>> > We need something that works at the lowest common denominator as
>>>>> well, because as available as the Internet is worldwide, it's not yet at a
>>>>> level that one would consider "basic access".
>>>>> >
>>>>> > Mark.
>>>>>
>>>>
>>>
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
On Mon, Apr 19, 2021 at 5:54 AM Mark Tinka <mark@tinka.africa> wrote:
> It's all about convenience, and how much they can get
> done without speaking to human.

Hi Mark,

Convenience is the most important factor in any security scheme. The
user nearly always has a choice, even if the choice is as
rough-grained as "switch to a different company." If your process is
too onerous (the user's notion of onerous) then it simply won't be
used. An effective security scheme is the strongest which can be built
within that boundary.

> If a key fob can be sent to them - preferably for free - that would help.

Hint: carrying around a separate hardware fob for each important
Internet-based service is a non-starter. Users might do it for their
one or two most important services but yours isn't one of them.

Regards,
Bill Herrin

--
William Herrin
bill@herrin.us
https://bill.herrin.us/
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
An unfortunate fact is that many companies don't support anything other
than sending a token via email, SMS, or sometimes a voice call. I've seen
several large banks, insurers, etc. who do this. It's maddening when you
sign up for access to something and are restricted to these options.

On Mon, Apr 19, 2021 at 11:49 AM William Herrin <bill@herrin.us> wrote:

> On Mon, Apr 19, 2021 at 5:54 AM Mark Tinka <mark@tinka.africa> wrote:
> > It's all about convenience, and how much they can get
> > done without speaking to human.
>
> Hi Mark,
>
> Convenience is the most important factor in any security scheme. The
> user nearly always has a choice, even if the choice is as
> rough-grained as "switch to a different company." If your process is
> too onerous (the user's notion of onerous) then it simply won't be
> used. An effective security scheme is the strongest which can be built
> within that boundary.
>
> > If a key fob can be sent to them - preferably for free - that would help.
>
> Hint: carrying around a separate hardware fob for each important
> Internet-based service is a non-starter. Users might do it for their
> one or two most important services but yours isn't one of them.
>
> Regards,
> Bill Herrin
>
> --
> William Herrin
> bill@herrin.us
> https://bill.herrin.us/
>
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
The goal of U2F is one key fob that works on many services. Implementation is pretty simple and the hardware is inexpensive.


Sent from my iPhone

> On Apr 19, 2021, at 08:51, William Herrin <bill@herrin.us> wrote:
>
> On Mon, Apr 19, 2021 at 5:54 AM Mark Tinka <mark@tinka.africa> wrote:
>> It's all about convenience, and how much they can get
>> done without speaking to human.
>
> Hi Mark,
>
> Convenience is the most important factor in any security scheme. The
> user nearly always has a choice, even if the choice is as
> rough-grained as "switch to a different company." If your process is
> too onerous (the user's notion of onerous) then it simply won't be
> used. An effective security scheme is the strongest which can be built
> within that boundary.
>
>> If a key fob can be sent to them - preferably for free - that would help.
>
> Hint: carrying around a separate hardware fob for each important
> Internet-based service is a non-starter. Users might do it for their
> one or two most important services but yours isn't one of them.
>
> Regards,
> Bill Herrin
>
> --
> William Herrin
> bill@herrin.us
> https://bill.herrin.us/
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
It appears that William Herrin <bill@herrin.us> said:
>> If a key fob can be sent to them - preferably for free - that would help.
>
>Hint: carrying around a separate hardware fob for each important
>Internet-based service is a non-starter. Users might do it for their
>one or two most important services but yours isn't one of them.

You think?

https://obvious.services.net/2013/07/better-have-big-pockets-if-you-want.html

R's,
John
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
On 4/19/21 17:48, William Herrin wrote:

> Convenience is the most important factor in any security scheme.

But often not at the top of the implementation priority list.


> Hint: carrying around a separate hardware fob for each important
> Internet-based service is a non-starter. Users might do it for their
> one or two most important services but yours isn't one of them.

You make my point for me.

Mark.
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
Can I make an old f*** comment on all this?

We didn't design this network to be highly secure.

It's general enough that security can be layered on at various places.

But when you get down to it it was mostly designed to get information
flowing easy, fast, and freely. Not to lock it down or provide strong
accountability, authorization, and authentication.

Look at RFCs prior to about 1990, security's hardly considered beyond
an occasional login/password scheme or MITM packet injection.

It was designed to be very cheap to implement and deploy at least in
part because it was designed and implemented on frugal academic
budgets.

And to share those implementations or roll your own because the specs
(RFCs etc) were published free.

Then people, corporations by and large, came along and realized they
could use the net to make many zillions of dollars if only it were
secure.

IF...ONLY!

Did anyone promise them that?

And no one ever really figured out how to make it secure beyond some
superficial attempts like adopting login/passwords, wire encryption
(SSL etc.), 2FA, MITM avoidance, etc. none of which were really part
of some well thought out, engineered scheme. Just some new doo-dad to
toss on hoping that maybe this will be good enough. It wasn't.

Now, when their sites are compromised, when they lose gazillions of
dollars to ransomware, when 100M records walk out the door, whatever,
they put on the big sad face and imply they were let down and *they*,
someone else, some gearheads, need to try harder. They're terribly,
terribly disappointed.

What a great con job, try to shame someone else into solving your
problems for you basically for free.

If they want to protect trillions of dollars in assets maybe they need
to toss in a few billion to help, and stop hoping some bad press for
the technical community will shame some geniuses into dreaming up
better security for them mostly for free in terms of research and
specs and acceptance but that's the hard part.

You know what the net did successfully produce, over and over? Some of
the wealthiest individuals and corporations etc in the history of
civilization. Maybe the profit margins were a little too high and now
we're paying the price, or someone is.

It's like my aged, now gone, adviser who'd worked in software going
back to the 50s said about the Y2K problem at that time: It's not that
we couldn't anticipate Y2K problems. It's that we never dreamed the
cheap bastards would still be running the same exact software without
any updates or review for forty years!

--
-Barry Shein

Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD
The World: Since 1989 | A Public Information Utility | *oo*
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
On 4/19/21 15:33, Mel Beckman wrote:

> Tom,
>
> Well, yes, not everyone can afford all technology options. That’s
> life. One has to wonder how someone who needs to protect online
> accounts cannot afford a $30 hardware token (which can be shared
> across several accounts). These low-income people are not the targets
> of identity thieves, spear fishers, or data ransomers. Unlike you, I
> AM arguing against something: SMS as a 2FA token. In this case I don’t
> think we have ignored low-income users, for the same reason that home
> alarm security aren't ignoring low-income users who can’t afford their
> products. It’s certainly no reason to hobble security for the rest of us.

Hmmh, I'm not quite sure that is accurate. Low-income folk will
certainly have a mobile service, even though they might not have enough
to buy a security alarm once the rent is paid.

Take finance, for example: in places like East Africa, folk are lucky
that they don't need a bank account to either put money away or
transact for everyday needs. In other countries that don't have this
(mobile money), low-income folk who earn a living will have a bank
account, and even that one will come with some kind of online access.

The issue isn't so much the product. The issue is that mobile services
are so basic and fundamental, everybody, regardless of their financial
position, will have one. The stats say that as of 2020, of the number of
users around the world using mobile phones, only 46% of them are "smart".

Mark.
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
On 4/20/21 01:46, bzs@theworld.com wrote:

> If they want to protect trillions of dollars in assets maybe they need
> to toss in a few billion to help, and stop hoping some bad press for
> the technical community will shame some geniuses into dreaming up
> better security for them mostly for free in terms of research and
> specs and acceptance but that's the hard part.
>
> You know what the net did successfully produce, over and over? Some of
> the wealthiest individuals and corporations etc in the history of
> civilization. Maybe the profit margins were a little too high and now
> we're paying the price, or someone is.
>

For the most part, services that (want to) rely on security are
providing their own security solutions. But they are bespoke, and each
one is designing and pushing out their own solution in their own silo.
So users have to contend with a multitude of security ideas that each of
the services they consume come up with. Standardization, here, would go
a long way in fixing much of this, but what's the incentive for them to
all work together, when "better security" is one of their selling points?

If, "magically", the Internet community came up with a solution that one
felt is fairly standard, we've seen how well that would be adopted, a la
DNSSEC, DANE and RPKI.

At the very least, the discussions need to be had; but not as separate
streams. Internet folk. Mobile folk. Telco folk. Service folk.

Mark.
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
Shop with your feet if security is weak. I changed banks because of SMS 2FA.

-mel via cell

On Apr 20, 2021, at 9:06 AM, Mike <craigslist4md@gmail.com> wrote:

An unfortunate fact is that many companies don't support anything other than sending a token via email, SMS, or sometimes a voice call. I've seen several large banks, insurers, etc. who do this. It's maddening when you sign up for access to something and are restricted to these options.

On Mon, Apr 19, 2021 at 11:49 AM William Herrin <bill@herrin.us> wrote:
On Mon, Apr 19, 2021 at 5:54 AM Mark Tinka <mark@tinka.africa> wrote:
> It's all about convenience, and how much they can get
> done without speaking to human.

Hi Mark,

Convenience is the most important factor in any security scheme. The
user nearly always has a choice, even if the choice is as
rough-grained as "switch to a different company." If your process is
too onerous (the user's notion of onerous) then it simply won't be
used. An effective security scheme is the strongest which can be built
within that boundary.

> If a key fob can be sent to them - preferably for free - that would help.

Hint: carrying around a separate hardware fob for each important
Internet-based service is a non-starter. Users might do it for their
one or two most important services but yours isn't one of them.

Regards,
Bill Herrin

--
William Herrin
bill@herrin.us
https://bill.herrin.us/
Re: Malicious SS7 activity and why SMS should never by used for 2FA [ In reply to ]
Something which binds them together are their insurance underwriters
who generally want to set minimum requirements without having to
review home-brewed security schemes. They want buzzwords and acronyms
to put onto checklists.

Others would be courts (e.g., when lawsuits arise) and government and
other contractors who, similarly, don't want to have to evaluate
beyond checklists of accepted industry practices.

And a major value of standardized practices is precisely so they don't
become competitive advantages particularly by their omission.

It's one reason, for example, car manufacturers are ok with something
like requiring seat belts or air bags, or in many industries
environmental regs, precisely so a competitor can't lower their costs
(and likely prices) by omitting them. Everyone has to have them and up
to some standard, compete on something else.

Perhaps if we began referring to a lot of this as "safety" rather than
"security" that would sink in.

On April 20, 2021 at 06:59 mark@tinka.africa (Mark Tinka) wrote:
>
>
> On 4/20/21 01:46, bzs@theworld.com wrote:
>
> > If they want to protect trillions of dollars in assets maybe they need
> > to toss in a few billion to help, and stop hoping some bad press for
> > the technical community will shame some geniuses into dreaming up
> > better security for them mostly for free in terms of research and
> > specs and acceptance but that's the hard part.
> >
> > You know what the net did successfully produce, over and over? Some of
> > the wealthiest individuals and corporations etc in the history of
> > civilization. Maybe the profit margins were a little too high and now
> > we're paying the price, or someone is.
> >
>
> For the most part, services that (want to) rely on security are
> providing their own security solutions. But they are bespoke, and each
> one is designing and pushing out their own solution in their own silo.
> So users have to contend with a multitude of security ideas that each of
> the services they consume come up with. Standardization, here, would go
> a long way in fixing much of this, but what's the incentive for them to
> all work together, when "better security" is one of their selling points?
>
> If, "magically", the Internet community came up with a solution that one
> felt is fairly standard, we've seen how well that would be adopted, a la
> DNSSEC, DANE and RPKI.
>
> At the very least, the discussions need to be had; but not as separate
> streams. Internet folk. Mobile folk. Telco folk. Service folk.
>
> Mark.

--
-Barry Shein

Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD
The World: Since 1989 | A Public Information Utility | *oo*
