Why it is (sometimes) ok to shoot yourself in the foot

I got this link on a list earlier today: Facebook (2 step authentication) fail!

I totally disagree with almost all the assumptions and conclusions of that post. The only bit I can sort of agree with is that maybe, just maybe, it is not a good idea to allow you to opt out of security without proving your identity with a higher level of assurance, but I can also totally grok why FB is doing it this way. The reason is spelled “support costs”.

The fundamental mistake of the post is this: the author assumes that strong(er) authentication (e.g. 2-factor) should be at the discretion of the site owner.

As content owner (my Facebook page, my crap) in this case, I carry most of the risk associated with protecting my data. It is therefore totally fine to let me bypass security if I want to – up to a point.

At some point FB assumes some basic level of risk and responsibility, which is why they won’t let me create an account without a password.

If this were a bank the border between personal risk and site-owner risk would shift – in part because the law mandates a higher level of responsibility on the part of the bank than in the case of FB.

Higher level-of-assurance/protection is successfully introduced for one of two reasons:

  • the user values his/her data (cf. Blizzard tokens)
  • “the man” (e.g. the government) tells you how it must be

Luckily FB isn’t “the man” – at least not yet – and isn’t in a position to force users into valuing their data above a level that is minimally accepted by most users.

This is the reason strong authentication almost always fails when faced with reality: most of us security nerds don’t share the same gut reaction with respect to data value as most “normal” users, and therefore we are willing to accept a higher degree of hassle when it comes to protecting that data.

This brings me back to the fundamental point: the cost of introducing strong authentication is not in tokens, provisioning or identity proofing. Most of the cost is in support. The simple truth is that most ways we have devised to improve the security of the authentication step in any protocol suck from a UI perspective. Fundamentally, all such measures (be it SMS codes, OTP tokens or so-called “smart” cards) introduce extra steps in the login process. This means that they are seen by the user as an obstacle that he/she must overcome before they can get at whatever content they were going for.

Incidentally this is related to click-through terms-of-use dialogs but that is another story and another blogpost.

It is worth noting (as I usually try to do when this topic comes up in conversation) that some of the most successful deployments of 2-factor tokens are in the gaming industry, and I firmly believe that in these cases the user values their data enough to accept the additional obstacles imposed by stronger authentication.

I also firmly believe that anyone who can design a truly user-friendly strong authentication mechanism would get rich pretty fast and would do a great service to the Internet.
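The opt-out flaw conceded above (turning the second factor off without first proving a higher level of assurance) is easy to see in code. The following is an added example, not code from the original post or from Facebook: it puts the password-only opt-out next to a step-up version that demands a fresh second-factor check before the change goes through. Account, Session, the 300-second freshness window and the TOTP secret are all constructed for the illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

STEP_UP_WINDOW = 300  # seconds a second-factor check stays "fresh" for sensitive changes

@dataclass
class Account:
    user: str
    two_factor_enabled: bool
    otp_secret: bytes  # constructed: the shared TOTP secret provisioned to the phone

@dataclass
class Session:
    user: str
    password_ok: bool
    last_second_factor_at: Optional[int] = None  # when this session last passed the second step

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, standing in for the code the user's phone shows."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def verify_second_factor(account: Account, session: Session, code: str, now: int) -> bool:
    """Second step of login; on success the session remembers when it happened."""
    if hmac.compare_digest(code, totp(account.otp_secret, now)):
        session.last_second_factor_at = now
        return True
    return False

def disable_two_factor_weak(account: Account, session: Session) -> bool:
    """The flow criticised above: a password-only session is enough to switch 2FA off."""
    if not session.password_ok:
        return False
    account.two_factor_enabled = False
    return True

def disable_two_factor_step_up(account: Account, session: Session, now: int) -> bool:
    """Hardened: switching 2FA off is itself a sensitive change, so demand a fresh second step."""
    if not session.password_ok:
        return False
    last = session.last_second_factor_at
    if account.two_factor_enabled and (last is None or now - last > STEP_UP_WINDOW):
        return False  # a session that only proved the password stops here
    account.two_factor_enabled = False
    return True
```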


8 Responses to Why it is (sometimes) ok to shoot yourself in the foot

    • Well said :-) I still think you’re missing the point though. If I – the owner of my FB page – decide I want that extra layer of security then I can turn it on and consistently use it. As I said in my post the point I’m willing to cede is that you probably shouldn’t allow the user to turn off 2factor once you’ve turned on 2factor and I believe this is the case for FB.

      • The problem is not being able to turn it off; the fact is the code should have been required first before turning this option off. The 2 step stops hackers that have got your FB password from logging in, but if they can turn it off just as easily as I could then what’s the point?
        Anyways FB fails :)

        • On that point I agree.

          A friend of mine pointed out that the example might be due to a grace-period FB introduced that allows the user to try 2factor. During the grace-period you can turn it off “from the outside”.

          I don’t want to stand in front of FB in any way but I know the size and complexity of the support-problem they and other large sites (eg Google) have when introducing changes to their authentication flows.

      • On that note, I agree with you.
        As Chris already pointed out, if they had the option to disable it – after you log in, it wouldn’t be an issue.

        In my opinion, I think they implemented this feature for a false sense of security. I think they will fix it, eventually.

  1. FB security

    Facebook: Please identify yourself.
    Me: tapity tap
    Facebook: We can’t be sure that you are who you say you are; please provide a second step.
    Me: Sorry, I didn’t snatch the phone off the victim, just got his password, let me in anyway.
    Facebook: Ok, here you go.
    Me: kthxbye.
    Yeah, security…