A lot of security is based on trust. Trust relies on competence. The security theatre I get from a lot of sites and apps, sometimes elaborated through MFA, does not inspire such trust.

That device you tell me is unrecognised? It's the one I've used to access the app every day for at least the last year.

If you want to convince me your app is secure, start with competence. Poorly engineered products don't do that. KPI-driven product staff don't do that.

@kevlin

Isn’t there a push toward zero trust security?

Also, whatever happened to client side certs? Too cumbersome, I suppose, and I guess there is an argument that passkeys are a lightweight take on this, sort of, but…

In the age of wacky age verification and voter identification rules and laws, all of this is suddenly super-interesting. Again. As it should be.

@danhugo Security is fundamentally based on systems of trust. The term zero-trust security is, in its most literal sense, an oxymoron.

@kevlin

Not disagreeing, but there seems to be a dramatic diversity of opinion about a lot of things in this general area. Not all of them make sense.

I do think the age verification issue, and the bad legal ideas around it, will be an opportunity. A price-of-eggs analog, perhaps…