One of the best things any computer security professional can do to further their career is to recognize that most people don’t really care that much about computer security. Few popular products sell because of security. Security absolutely doesn’t matter in most cases — until, of course, it matters very much during a big hacking event. Most companies and their customers are very happy with the absolute least amount of security that has minimal impact on them. That’s just our computer security life. You must learn to operate within the confines of that social agreement.
Case in point: One of my most popular talks has been “The 12 Ways to Hack 2FA”. I’ve given the talk dozens of times. The key lessons are that multi-factor authentication (MFA) is good, but any MFA solution can be hacked. In fact, the current version of my talk now covers 18 ways to hack an MFA solution.
After every talk, at least one MFA vendor comes up to me to explain how their great solution fixes all those problems. Within a few minutes, I show them how five or seven of the attack types would easily work against their product. They usually go limping home.
Some vendors don’t give up. They come back to me with improved, five-factor (if there is such a thing) versions that do get rid of most of the attack channels. I’ve even come across a few that are really, really secure (but still not unhackable). They still walk away with a frown when I tell them that it’s unlikely that anyone will buy, much less use, their product.
No customer is going to want to use an authentication solution that involves more than a few factors of authentication. Most want to do the very least to provide assurance to themselves with the least amount of “friction” for the customer. Companies know that anything that gets in the way of a customer using their product as seamlessly as possible is making them hemorrhage customers in a very real way.