I'm not trying to say that regulations can't and never work, just that most of the time they don't because they're extremely hard to get right. They suffer from the same problems as law - it's extremely difficult to codify intent. Couple that with the fact that lawmakers usually have very little awareness of technical details. Say for example they do in fact mandate 2FA for all banks. But then all banks rush out various implementations to meet the requirements. Some provide SMS-based solutions which have known security risks, some provide codes that don't lock out, some do everything right but now people who can't get a 2FA app (those who don't have smartphones for example) can't access online banking any more. There are accessibility concerns. In the meantime, the security industry has finally cracked federated identity, but banks can't offer it because all access has to be through their 2FA solution.
Obviously that's a fairly bad-case (though not worst-case) example of how things could play out, but I think it serves to prove my point that "just force them to do X" is not always a sound approach. Well-designed regulation using sufficient consultation with experts (actual experts rather than snake-oil consultancies) and with a view to the future and how the state of the art might change can be effective (though still not flexible enough to accommodate exceptional circumstances) but that's the exception rather than the rule.
> Say for example they do in fact mandate 2FA for all banks. But then all banks rush out various implementations to meet the requirements. Some provide SMS-based solutions which have known security risks, some provide codes that don't lock out, some do everything right but now people who can't get a 2FA app (those who don't have smartphones for example) can't access online banking any more. There are accessibility concerns.
I'm not qualified to speak on this subject, but these are excellent points. Could you expand on any other implementations that sound like a great idea on the surface, but would have limitations? It sounds like accessibility is just one of many concerns. I'm itching to hear more.
those are just off the top of my head, and I'm not an expert on 2FA either. If we're talking about alternative solutions to someone logging in as someone else, you still have to provide a "2FA" solution because "2-factor" is a description of the problem to be solved (the multi-factor authentication problem) - to prove who you are in high-security situations it's insufficient to just provide something you know i.e. a password, because someone else can learn that thing. Thus you must provide "something you have" ie. proving you possess your phone via 2FA apps, or "something you are" via biometrics a la faceID. There are alternative solutions to this like USB 2FA tokens or those little pin-pads that banks provide you that are already required by most banks in order for you to access your account. Other options are proving email ownership via access links like slack does, automated phone calls, probably some other venues. But the fundamental requirement to boost password security is to provide a non-knowledge-based proof of identity.
How to regulate this is up to each and every country, just like it is up to each country how to regulate things like pollution, traffic and infrastructure.
That a bank who can't handle security compromises their customers user experience rather than their customers security is a good thing.
The reason the regulate these things aren't because it is fun. It is because there are fundamental security problems that needs to and will eventually be fixed. Companies like Apple have largely already, or at least potentially, fixed these problem just only for themselves. If you want to fix it for everyone you very likely need some sort of mandate.
> That a bank who can't handle security compromises their customers user experience rather than their customers security is a good thing.
Why do you say that? It's only true if the cost of breach of security is actually taken by the customer. The alternative is that banks are required to rebate customers for fraud caused by poor bank security, which makes sense to me because it provides financial pressure for banks to beef up security while at the same time leaving in the flexibility to define how that security is improved. It's "here's the problem you need to solve" via financial pressure, not "here's the solution you need to implement" via mandate.
Obviously that's a fairly bad-case (though not worst-case) example of how things could play out, but I think it serves to prove my point that "just force them to do X" is not always a sound approach. Well-designed regulation using sufficient consultation with experts (actual experts rather than snake-oil consultancies) and with a view to the future and how the state of the art might change can be effective (though still not flexible enough to accommodate exceptional circumstances) but that's the exception rather than the rule.