| pro-nouns | he/him |
| web | https://reverse.codes |
| ko-fi | https://ko-fi.com/seska |
| hackthebox | https://app.hackthebox.com/users/68877 |
Adding “your certificate provider discovers they messed up and gives you 24 hours to replace all of your certificates” to my list of tabletop scenarios.
https://www.theregister.com/2024/07/31/digicert_certificates_extension/
For the love of all things holy: I know the idea that 'passwords are dead' is a hip and trendy UX idea, but the reality is far from this.
I am currently dealing with a platform that I need to use daily that doesn't, and it is the pits.
To log in, it's a six-digit PIN sent to a plain-text email every time your session expires. This PIN lasts 10 minutes. Then another six-digit PIN for MFA, this time from your authenticator of choice.
In principle this is somewhat sound, although arguably, whatever APT has compromised my email account without me knowing it has logged in and has a full day's access in this model. That, or my hypothetically abusive significant other, or other miscellaneous stalker with physical access to my device.
The usability problem is far less exotic though: I am just a busy, time-blind person.
I go to the platform, start the login process, and get sideswiped by 17 Slack notifications. The email with the PIN has now expired, but I have no idea; to me, 30 seconds flew by (it was really 15 minutes).
This would all be so much simpler if I could just use my password manager of choice.
Seriously, what is so wrong with something I know?
Every now and again, when I have additional sources of intelligence, I see an audit report for a company that just makes me question how awake the auditors really were.
Related: if you can't confirm the SOC II report you are looking at came from a legit audit company, is it really a SOC II report?
“If an attacker gets on my server then we got worse problems” is always the cop-out to small incremental improvements to your security posture.
Yes, the boundary is a priority; no, we shouldn’t focus solely on the boundary.
If you don’t have time to fix it, just say you don’t have time, and we can go about fixing that issue instead.