Year: 2016

Invisible Identity, or How to Delight People & Secure Users

So I waited patiently for the folks at the Cloud Identity Summit to publish on their Youtube channel the talk I gave earlier this year on Invisible Identity. But it never came. Turns out that a few session recordings got messed up, and unfortunately mine was among them. I sense Paul Madsen’s hand in this.

Doing 2FA Better Could Mean Using Social Factors

In my last post regarding weaknesses in how 2FA is implemented in the systems we rely on to secure us, I teased a thought that had occurred to me in going through the analysis I presented in the post. As usual, life intervened to distract me, but this recent post by Coinbase sharing their experience of

Doing 2FA Correctly Requires More Than 2 Factors

Two Factor Authentication (or 2FA) has been in the news a lot recently. There was the kerfuffle over NIST putting into their update of 800-63 that SMS-based 2FA is insufficiently secure and should be deprecated (something most security experts agree on). That update (still in draft) came too late for the Social Security Administration (SSA),

Privacy in the World of Invisible Identity

In part 1 of my blog post expanding on my Cloud Identity Summit talk on Invisible Identity, I proposed ‘The 4 Core Principles of Invisible Identity‘ that ensure that security and usability stay in a symbiotic partnership for an organization. I believe that adopting the concept of Invisible Identity will be vital to securing people in the

The 4 Core Principles of Invisible Identity

The Cloud Identity Summit is underway here in New Orleans, and it’s off to a great start. The organizers have done a wonderful job again, and with so much great content, the hardest thing is choosing which of the many interesting talks to go to. My talk is already done (it’s oddly liberating to not

Identity at the Nexus of Security and Usability

If you’ve followed my last few blog posts, you may have noticed the topic of usability in security pop up quite a bit. I’ve said in the past that usability issues in security should be considered vulnerabilities, because they create attack vectors in the form of user errors, exploits and workarounds. The idea was captured in this slide I presented

How Not To Enhance Your Customers Security

RSA Conference is a little too big to be manageable any more. But a quick glance at the companies showing up at the 2016 edition and at the session topics is always a good indicator of current trends. And so it is with a mix of interest and disappointment that I take in the (long) list

That Time Enabling Two-Factor Authentication Made Me Feel Worse

I’ve been an account holder at a fairly prominent online brokerage for a while now. Been using it without hiccup for years. The movement in the stock market early in the year prompted me to log in to check on a few things (I know, I know. I swear I’m not that guy). While there, I decided