
I lead Security in a quite large bank. I love this article; I’ve been advocating for this line of thought for more time than I can remember.

I have spoken to regulators hundreds of times, over this and a bunch of other security topics that are definitely obsolete. Security policies that just don’t make sense…

The most important thing for this kind of thing to advance is to have the correct people in the correct places, and usually in these positions you have dinosaurs…




> I lead Security in a quite large bank.

In most of my banks in Europe, all but one, I cannot log in without using an actual physical 2FA device the bank sent me. One of them, Deutsche Bank, sent me a specific hardware 2FA device which works "by itself" (and is protected by a PIN). No password to log in: only the user account ID and that 2FA device.

The others require my Java SmartCard / national ID card to be inserted in a 2FA reader they sent me (it's a standalone reader with its own display: it is not a Java SmartCard reader hooked to the computer).

Do you guys hand out your customers physical 2FA devices?


Not anymore. We used to do that, and maybe a bunch of customers still have that device to log in, but we have been replacing them (the “hard token”) with a “soft token”, kind of a Google Authenticator linked to your mobile.

It is interesting how “yubi” things have moved in the opposite direction (back to the physical device), and it has its value; after all, leaving your home with all your savings in your pocket is a risk we need to address.



