You're Insecure, Don't Know What For

June 01, 2024

The software industry’s approach to security is broken. Among professionals there is a lack of consensus on best practices. Adoption of innovations is slow, uneven, and poorly executed. The regulatory and compliance framework around security involves large amounts of labor by businesses and practices that are hostile to end users. Despite all the effort that goes into security, it fails and fails often.

User Experience is the Biggest Barrier to Good Security

In an effort to improve my own personal security posture and experiment with the current state of the technology, I picked up two Yubikey 5C NFC modules from Yubico. These keys are widely regarded as the gold standard for account security, but they come with quite a learning curve. A Yubikey 5C NFC has seven different security functions within it and can require up to ten separate PIN codes to fully utilize. The recommended usage of this device requires enrolling two security keys on every account you own so you have a backup if the primary one fails, is lost, or is stolen.

The most painful aspect of this is demonstrated by this multi-step process for adding a Passkey to GitHub:

This is less painful in Google Chrome, which seems to have its own mechanism for accessing the Yubikey and will even respect the idea that your passkey’s PIN has already been entered on the machine by another application.

Bad UX can be mitigated with good documentation, but unfortunately Yubico’s “getting started” setup documentation is outdated, recommending the older “Yubikey Manager” software instead of the better Yubico Authenticator app.

In a perfect world you would plug in your Yubikey, enter your PIN once, and then, when you go to a website, log in with a single tap of the Yubikey’s touch sensor using a discoverable (“resident”) passkey stored on the key. No need to remember usernames or passwords, or go through multiple screens. The WebAuthn standard makes this technically possible, but very few sites have implemented it.
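What that “one touch login” looks like at the WebAuthn layer, as an added example that is not code from the original post: registration asks the key to store a discoverable credential with user verification (the PIN), and login sends an empty allowCredentials list so the key itself supplies the account. The rpId, the user record and the challenge values are assumptions for illustration; a real deployment gets the challenge from the server and verifies the returned assertion there.

```javascript
// Added example, not from the original post. Builds the WebAuthn option
// objects for a usernameless, single-tap passkey login on a roaming key.

// base64url without padding, as WebAuthn JSON transports use it.
function base64urlEncode(bytes) {
  let s = "";
  for (const b of bytes) s += String.fromCharCode(b);
  return btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Registration: residentKey "required" makes the authenticator store the
// credential (user handle + private key) so that login later needs no username.
function buildRegistrationOptions({ rpId, rpName, userId, userName, challenge }) {
  return {
    rp: { id: rpId, name: rpName },
    user: { id: userId, name: userName, displayName: userName },
    challenge, // Uint8Array from the server, never reused
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // COSE ES256
      { type: "public-key", alg: -257 }, // COSE RS256
    ],
    authenticatorSelection: {
      authenticatorAttachment: "cross-platform", // a roaming key such as a YubiKey
      residentKey: "required",
      requireResidentKey: true,                   // older-spec spelling of the same request
      userVerification: "required",               // forces the PIN (or biometric) check
    },
    timeout: 60000,
    attestation: "none",
  };
}

// Login: an empty allowCredentials list means "use any discoverable credential
// you hold for this rpId"; the key picks the account and the tap confirms it.
function buildLoginOptions({ rpId, challenge }) {
  return {
    rpId,
    challenge,
    allowCredentials: [],
    userVerification: "required",
    timeout: 60000,
  };
}

// Browser-only wrapper (navigator.credentials does not exist in Node).
// The returned userHandle is what the server uses to look up the account,
// so the page never had to ask for a username.
async function oneTouchLogin(rpId) {
  const challenge = crypto.getRandomValues(new Uint8Array(32)); // placeholder: server-issued in practice
  const assertion = await navigator.credentials.get({
    publicKey: buildLoginOptions({ rpId, challenge }),
  });
  return {
    credentialId: assertion.id,
    userHandle: base64urlEncode(new Uint8Array(assertion.response.userHandle)),
  };
}
```

The two settings that matter are `residentKey: "required"` at registration and the empty `allowCredentials` at login; with either missing, the site is back to asking for a username first and then prompting for the key as a second factor.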

You can put in all the effort to secure your accounts, but to prevent you from being locked out, software developers often let you recover access with a “security question” that might be easier to guess than your password. Or they might send a one-time code or link to your e-mail address to let you log in. They might allow access from less secure second factors like SMS or a link in their phone app. These allowances probably prevent customer service headaches, but they render the use of a Passkey or Security Key moot: an account is only as strong as its weakest login or recovery path.

The Industries with the Strictest Security Needs and Regulations Have Yet to Adopt the Best Technologies

While my e-mail and iCloud accounts are well protected by my new security keys, my bank and health portals are not. There is something ironic about my healthcare provider claiming that sending personal health information to my e-mail is not “secure” while requiring me to log in to their proprietary portal with less stringent security protections and standards.

The Impact

This work by Matt Zagaja is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.