Everyone wants there to be simple answers in security, but sometimes there are no simple answers.
Replying to @taviso @haroonmeer
On the flip side, sometimes there are really simple answers that can address low hanging fruit. They just don't feel as sexy. Example that comes to mind: 2FA.
Replying to @justinmberman @haroonmeer
Even then, it's not that simple. For example, SMS-2FA is basically worthless. U2F on the other hand, while not a panacea, is fantastic if implemented correctly.
Replying to @taviso @haroonmeer
I agree that you still have to do technical diligence in order to select a control, but U2F is pretty straightforward now? Either way, just implementing SOME 2FA meaningfully reduces a lot of risks.
Replying to @justinmberman @haroonmeer
I think we're on the same page about U2F, but if by "SOME 2FA" you mean "ANY 2FA", then I don't think we agree. Would you argue that SMS-2FA is better than nothing? If so, that's where we differ. I think it's at best, equal to nothing.
Replying to @taviso @haroonmeer
Does the adversary set matter here? If you are a small company that models its adversaries as mostly using phishing to grab creds to corp SaaS systems, they probably aren't going to invest to be able to bypass SMS-2FA?
Yes, I agree that a rational attacker will calculate the cost of updating his PHP vs the expected increase in victim yield and *could* find it's not worth it. That's also true of making users type "banana" into a form field, which adds about as much security IMO.
We've already established that the attacker has the capability of stealing passwords, so any solution that involves giving the user more passwords is fundamentally flawed imo.
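The disagreement above turns on one mechanism: a phishing relay can forward an SMS code unchanged, but a U2F/FIDO assertion is signed over the origin the browser actually loaded, so the real site rejects it. The Go program below is an added illustration of that difference and is not code from any participant in the thread. It models the authenticator as a P-256 ECDSA key, models the browser filling in the origin and RP ID (fields the user and the phishing page cannot override), and uses constructed names (`accounts.example.com`, `evil.test`, the sample OTP `483920`) and a simplified clientData layout; it is a teaching model of the protocol, not a WebAuthn library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator stands in for a U2F security key: one signing key that signs
// whatever the browser hands it. (Constructed for this example.)
type Authenticator struct{ key *ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{key: k}
}

// clientData mirrors what a browser binds into every assertion: the site's
// challenge and the origin of the page that requested the signature.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the relying party (the real site) receives back.
type Assertion struct {
	ClientDataJSON []byte
	RPIDHash       [32]byte // sha256 of the RP ID the browser allowed
	Signature      []byte
}

// signedBytes is the message the key signs: sha256(rpIdHash || sha256(clientDataJSON)).
func signedBytes(rpHash [32]byte, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return msg[:]
}

// Sign models browser+key: the browser writes the origin of the loaded page,
// and only permits an RP ID that is a suffix of that page's domain.
func (a *Authenticator) Sign(pageOrigin, rpID, challenge string) Assertion {
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: pageOrigin})
	rpHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, signedBytes(rpHash, cd))
	if err != nil {
		panic(err)
	}
	return Assertion{ClientDataJSON: cd, RPIDHash: rpHash, Signature: sig}
}

// RelyingParty is the real site's verifier; origin and RP ID are fixed at
// registration, so a look-alike domain can never match them.
type RelyingParty struct {
	ExpectedOrigin string
	RPID           string
	PubKey         *ecdsa.PublicKey
}

func (rp RelyingParty) Verify(a Assertion, challenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch (stale or replayed assertion)")
	}
	if cd.Origin != rp.ExpectedOrigin {
		return fmt.Errorf("origin mismatch: assertion was made on %s", cd.Origin)
	}
	if a.RPIDHash != sha256.Sum256([]byte(rp.RPID)) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(rp.PubKey, signedBytes(a.RPIDHash, a.ClientDataJSON), a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// verifySMSCode is the whole SMS-2FA check: the code carries no information
// about where the user typed it, so a relayed code is indistinguishable.
func verifySMSCode(expected, typed string) bool { return expected == typed }

// Scenario runs a legitimate login, a U2F assertion captured on a phishing
// page and relayed to the real site, and a relayed SMS code.
func Scenario() (legitErr, relayErr error, smsRelayAccepted bool) {
	auth := NewAuthenticator()
	rp := RelyingParty{ExpectedOrigin: "https://accounts.example.com", RPID: "example.com", PubKey: &auth.key.PublicKey}

	// Real site, real origin: verifies.
	legitErr = rp.Verify(auth.Sign("https://accounts.example.com", "example.com", "chal-1"), "chal-1")

	// Proxy fetched the site's real challenge, but the user's browser is on
	// the phishing origin, so that is what gets signed; the real site rejects it.
	relayErr = rp.Verify(auth.Sign("https://accounts-example.com.evil.test", "evil.test", "chal-2"), "chal-2")

	// SMS: the relayed code is exactly what the site expects. (Constructed value.)
	smsRelayAccepted = verifySMSCode("483920", "483920")
	return
}

func main() {
	l, r, s := Scenario()
	fmt.Println("legitimate U2F login error:", l)
	fmt.Println("relayed U2F assertion error:", r)
	fmt.Println("relayed SMS code accepted:", s)
}
```

The point the verifier makes concrete: the only thing the site needs to reject a relayed assertion is the origin and RP ID checks, and those fields are set by the browser rather than by anything the user types, which is why the same relay that defeats SMS codes does nothing against U2F.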