
Account Security – A Divided User Perception - ebursztein
https://www.elie.net/blog/security/account-security-a-divided-user-perception
======
doctorpangloss
> On the hardware token side, security keys are still quite expensive

I don't know Elie, a lot of valuable users have iPhones with a great biometric
secure enclave implementation. I know you've heard of it--it's like CAPTCHA,
except the end user is real (not some tasker) and generates 1,000x more value
for the security integrator. It's not the end user's fault Android sucks in
this regard.

If Google wanted to, it could extend the IMAP protocol, work with Apple, and
make it happen--two factor for everyone. It could also provide Exchange and
push too, for free, like it used to, for everyone, but I don't know what
happened with that either.

Along with a bunch of other people, Google contributed to Let's Encrypt, a
product of the ISRG, by giving ISRG a bunch of money and basically saying, in
a determination made by a business person (not a security analyst) in an
afternoon, "Okay, the world can have free certificates now, Chrome will be
okay with this." That determination, which may have literally taken minutes by
some executive to make, has done more for HTTPS adoption than any study or
Chrome feature. I'd use that as a model for what you could do to improve
security of the end user.

If Gmail isn't interested in improving practical security--if its product
managers are narrowly focused on adoption of the iOS app, for tracking
purposes, and the delivery of as much content to it as possible for analysis,
people will obviously change the way they deliver e-mail. Services already
notify you of important messages and require you to login to their websites to
read them. It's not zero sum, but given its moat, Google has a lot more to
lose.

The end user's experience is frustrated here. But it's not really "thought
leadership" to come out and say, "More of whatever Google does, as long as it
doesn't interfere with its complex priorities in the reality the end user
actually inhabits."

------
liloow
While overall your take on what makes an account valuable is an interesting
take on the subject, it loses credibility the more you read on... Starting
with the simple fact that you undermine your own point by saying that it is
less of a problem because ... you will get your stuff back ... Ok, sure you
will, ...eventually. In the meantime, you could very well end up without a
dime for a couple of weeks! We could go back and forth about identity theft
and how it can ruin lives..

And while you are right that social media accounts are very valuable for
celebrities, companies, notorious figures and so on, for the average user, it
simply isn't... Saying that your social media account is more valuable than
your bank account is utterly absurd. And even for celebs and other public
figures, I very much doubt they would rather have had their bank account
compromised... (i.e. the very recent Bezos saga).

Besides all that, advocating that one could be less secure than another is
nothing if not counter-productive; users should make their less secure
accounts MORE secure, and yes, shedding light on the real value those could
hold is a very meaningful and relevant way of shifting behaviors towards
better security!

------
schoen
I've observed something similar about HTTPS adoption: for many years many
sysadmins and many Internet users thought HTTPS was absolutely essential to
protect credit card numbers (which are not really very secret), but not to
protect e-mail and messaging.

