Arynn Crow 

Sr. Manager of User Authentication Products at AWS, Board member of the FIDO Alliance. Political Science ⏭ Identity & Access Management. Opinions are my dog's.
Twitter: https://www.twitter.com/@arynncrow

I’m really pleased to share that today, AWS announced we’ll begin requiring the use of MFA in 2024, beginning with the most privileged accounts in our customer environments - the management account root users of AWS Organizations - and expanding throughout 2024.

MFA and strong authentication are so critical, so foundational to security health. It’s increasingly obvious that as digital identity evolves, everyone, everywhere should be using some form of MFA - and if that’s phishing-resistant authentication like #FIDO all the better. As an identity practitioner and as a consumer impacted by the security choices of the companies I do business with, I hope we will continue to see a growing number of companies emphasizing - and yes, requiring - MFA, because it makes a better internet for all of us.

On a personal note: I’ve been at Amazon for ~11 years now, which means I have a pretty big sample size to compare to when I say this is the happiest, most gratifying working day of my life.

https://aws.amazon.com/blogs/security/security-by-design-aws-to-enhance-mfa-requirements-in-2024/

Are you part of a customer support team, or do you work with them semi-regularly? I have questions and want to hear from you!

If you are at #DEFCON do not go to the parties or turn around, we are being evacuated - unclear what’s going on

I’ll be at DEFCON Thursday evening - Sunday morning this week - excited to finally get to go for the first time, holler if you’re around and wanna say hello! 👋

People sometimes ask me what I learned while earning my degrees in political science that benefits my career in cybersecurity. The answer is “many things”, but there’s often surprise when I reply with something about writing and forming arguments as one of my top three. But, learning to write strategically and with clarity of purpose is one of the single most useful skills I’ve ever developed; it may also be the one I spend the most time coaching even senior staff on, because it’s deceptively difficult to master.

Think critically about who you’re writing for (and how they think about problems), how to break down complex topics to the right level of detail, and how to order that information into a cohesive narrative arc - all before you start dropping sentences on paper. This makes the difference between getting to common understanding, and spending an hour of discussion clarifying whatever underlying message you’re really trying to communicate.

Calling all identity peeps 📢 there’s a couple days left to submit sessions for #identiverse. If you’re not sure if you should submit, it’s a “yes” - and we’re especially interested in hearing from new speakers and folks from underrepresented communities.

Call for proposals here, due Friday:

https://www.abstractscorecard.com/cfp/submit/login.asp?EventKey=RDBGWULG


We've seen an uptick in #vishing attacks against users. These voice-based attacks are particularly effective against older users who are conditioned to trust phone calls more than email. If you are not educating your userbase about voice-based social engineering, you're missing a trick.

Also, FWIW, you may want to have alerts on (or block entirely) installation of certain applications like TeamViewer, if possible.

#ThreatIntel #InfoSec #CyberSecurity

I don’t get too worked up about people misspelling my name. It’s a constant. …but what *does* annoy me a little is when people call me the wrong name entirely, in writing, repeatedly.

Some “nicknames” I have been given this year:

“Ariel” (?!?)
“Ann/Anna”
“Karen” (no, they weren’t being cheeky 😜)
“Arin”

You had to write my name correctly to email me in the first place, how does this happen? 😩

Muscle memory is the only thing that has saved me logging in to my laptop this morning after a blissful 2 weeks off. Passwords begone!

This #nyt #privacy op-ed about Signal and privacy as ideology is one big bad take, but there is a line here that we should be taking very seriously:

“Whether law enforcement should tap our phones on the condition that a warrant is obtained is, at the very least, worthy of public discussion. Signal has unilaterally decided for us all.”

These conversations are starting to, and will happen. Many of us feel strongly about the answer to that question. But, I feel like I haven’t seen a common response that articulates that answer in a way that will be meaningful to a public and to a Congress that - with the help of articles like these and the FBI - will be on its way to viewing E2E as a technological bogeyman.

Comparisons to surveilling people’s private homes don’t quite hit the mark, given the scaling power and discoverability of online communities. It’s hard to draw an equal comparison simply because digital communication is only loosely analogous to any other concept in our history. The other common approach - conversations about why E2E works as it does, and that “back doors” for some jeopardize the security of all - quickly become too dense and abstract to be useful to the public.

If we want to be successful in codifying privacy as a human right, not only in preserving E2E but other applications like advertising, we as individuals need to invest a lot more in how we tell the story and relate it to the public in a compelling, understandable manner.

Article:
https://www.nytimes.com/2022/12/28/opinion/jack-dorseys-twitter-signal-privacy.html?smid=nytcore-ios-share&referringSource=articleShare
