Two Factor Fuckery

We were recently forced to adopt two-factor authentication (2FA) to access our university accounts, including our email. I am in favor of security, so I was willing to try it out (though it was not optional). I use it for banking and find it an inconvenience there, but I can live with it because I use it infrequently and the consequences of having my finances hacked are horrific to contemplate.

Knowing it would be a pain, I didn’t opt in. On the day the university forced us to use 2FA, it took me over an hour to get into email. Guess what? At this esteemed institution of higher learning their directions for how to get 2FA to work—didn’t work for me. I was finally able to stumble out of this nightmare of a maze and get into my email, but I was late for a Zoom meeting as a consequence.

My wants are simple. I want to be able to stand naked in front of my computer and be able to convince it that I am me. Okay, maybe not just once with a password, which has been perfectly adequate for the university for about 25 years, but let’s agree that for security best practices there needs to be a second check—a special dance step, the name of my mother’s first pet, the capital of Djibouti. You get the idea—some second layer of security that’s an idiosyncratic bit of knowledge that I have but that no hacker is ever likely to guess the answer to (well, the last one is probably too simple, but it is easy to remember). I don’t want to have to remember to bring along something that I don’t usually carry. But that’s the exclusive method of two-factor authentication our paragon of advanced learning has chosen to implement. So while I agree that two-factor authentication is best practice, we need to have a wider range of options to provide that second identity proof. Because I am having to log in all the fucking time on different computers in different places to different parts of the university’s online system. And guess what? The penalty for someone hacking into my account is really small change, given the little I am able to do in those systems. And it’s not like I’m careless. So far, I have never been hacked.

So guess what I am doing? I am using worst practices to get around this truly heinous obstacle. I am leaving everything open and not logging out when I walk away. That’s really stupid, I know. Super insecure. But guess what? It’s saved my bacon already more than once when I don’t have my phone and need to do something like send an email or make a Zoom meeting on a tight deadline. They have an auto-logout system in place that eventually closes you out, but even that is a dumb system, sometimes logging you out right after you’ve engaged in legitimate, normal activities there. So multiple times a day I am sitting there with my phone by the computer I am using at the moment. And I have a shitty phone that makes this a pain. (I often can’t answer it on time, but that’s another issue. I think I need a new phone.) So in my view, my security has actually decreased because of poor institutional implementation of what on the surface seems like a reasonable precaution. This just adds to an already high set of barriers preventing us from getting our work done efficiently. It should not be harder to get into my work accounts than into my bank account.

So I’ve been doing my part and more for security, yet I can’t tell you how many supposedly secure databases have been hacked and all of my information (and that of millions of others) taken. I get emails about it routinely. I’ve even gotten free membership to one of these vault-like guardians of privacy and freedom (that it always seems painful to get into) that tells you if your information has been nefariously used. At least it sends me an email to alert me that there is new information there, so I know it’s worth logging in because it thinks something is up. I get this cryptic “Review Your Identity Record Notification” email without any useful details that I then ignore for months until I get around to figuring out how to get into that system again. And in more than five years of this, I’ve had just one useful notice that one of my accounts had been hacked (I get many other notices, but usually there is no discernible source, just a vague sort of “Look! We found your email in use on the internet, but we don’t really know where!”). The one marginally useful notice was for a software system that itself had been hacked, and it was a shitty online site, and whoever broke into my account there wouldn’t have been able to kill a fly, so whoop-de-doo. Anyway, fun story, this little cul-de-sac is the result of state-sponsored Chinese hackers stealing millions of records from the U.S. government’s Orifice of Personnel Management. There’s even a Wikipedia site about it.

In doing my due diligence to be sure my memory and impressions are correct as I freely rant, I just spent fifteen minutes getting back into that security vault account and see that things are still as I remember them. Except there’s another feature there that I did not remember (probably because these don’t trigger an email). Sex offender monitoring. It wasn’t a feature I had an option on, it’s just there, but this software tells me when a registered sex offender moves into the neighborhood, with a name and address. I am surprised at how often this happens, judging from the logged scans (it’s an expanded neighborhood, and this is a serious issue in Alaska). Good times. The bunny trails one gets down.

My rage against stupid security measures goes on. I often buy books on the internet using my credit card. But more than half the time I do so I get a lock on the transaction and a notice that “We’ve noticed some unusual activity on your credit card.” These can come by phone and email, and I’ve come to have both ready whenever I make such a purchase to assure them that, yes, this is me, I do this all the time, and if your system had even rudimentary pattern recognition software you would know a) that I make purchases like this all the time, and b) we’ve had this same discussion more than half of those times. Don’t get me wrong, I like that they are monitoring my credit card activity so closely so that it’s not being used by someone else. But the system should recognize what, for me, are very typical purchases.

The last time this happened, a helpful email popped up: “Security Alert: Unusual credit card activity detected,” and it had a convenient summary of the activity and a wonderful blue button saying “YES, I recognize all of these transactions.” There was of course a NO button, too, but I joyfully pressed the blue button—and a new tab popped up to tell me that “Our systems are down at present, please call 1-800-your-business-is-really-impotent-to-us,” or some such. No problem, my phone is right here anyway, so I dial the number—and it tells me that “All our systems are down at present.”

And I lose it. “NOT THE ONE THAT’S STOPPING MY CREDIT CARD!! I ONLY WANT TO BUY A FUCKING BOOK!!!!”

So while I am not eager to see Skynet, armageddon, etc. arise as we tinker with artificial intelligence (AI), I am eager to see sufficient improvements that these tools begin to make life easier rather than harder. (I was, however, struck this week by a story in the news relating how self-driving cars—which require wickedly complicated AI—have been showing some really weird behavior in San Francisco, and that they have trouble with puddles and left turns. That cheered me up immensely. No matter how shitty a day I’ve had, I’ll now have that go-to pick-me-up with which to pat myself on the back: at least you had no problems with puddles or left turns. We must celebrate the small things.)

So if you see a rather cranky somewhat older man acting crazy, with blood shooting out of his eyes and ranting about not being able to do something important on his computer, please greet me with sympathy and compassion.


3 thoughts on “Two Factor Fuckery”

  1. John H Rappole

    It’s time for you to retire, Kevin, so that you can focus on the things that really matter in life – like speciation!

    LOL,

    John

    1. kwinker Post author

      I worry about all the time I’d have to rant, and all the worthy topics to rant about.
