Security Redux

July 07, 2024

Yesterday Vanguard, despite having two security keys enabled with their account, randomly forced me to enable a less secure factor on my account with them. Later that day Facebook would not let me log in using the “Security Key” button on their iPad app and instead required me to approve my login using another logged-in Facebook instance from my mobile phone. Even these large, allegedly smart companies fail a basic security maxim: any method that is less secure than your most secure factor lowers the security of your account and opens a new attack vector.

The Problem with Security Policies and Consultants

Security is treated as a compliance function, and as a result rules are made and audited by non-technical experts. While they may develop expertise in their rules and in general concepts, they do not have a full understanding of the systems they are securing or of how the security mechanisms work. Additionally, it is tough to argue against frivolous measures and poor implementations when the other side can frame you as being against security. This is rarely a good place to be.

This Week in Breaches


This work by Matt Zagaja is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.