I asked him, the chief technology officer of a private equity firm that manages hundreds of billions of dollars, about his job. About the people he hires, Slack’s success, working with such sensitive data. At the end of our conversation, an admission: “I haven’t turned on the Gmail two-factor authentication,” he said. That’s the feature in which you sign into your Gmail or Apple or Dropbox account from a new device and have to enter a code that Google or Apple or Dropbox sends to your phone. “I should. I know I should. It’s just. Ugh.”
Of all people, an industry-top CTO should be motivated to put up with the annoying bits. But like all of us who’ve had to deal with Your Username and/or Password Is Incorrect, he’s frustrated by how inconvenient it can be to use these tools of convenience. The time since we spoke has been filled with headlines about Facebook data breaches and hackers stealing Instagram and Snapchat accounts from people with desirable usernames, usually resulting in more articles from people like me advocating spending on a password-management app or using two-factor authentication. But the more I, too, try to practice my own advice, the more I realize that those are unrealistic expectations. So let’s relax those expectations, at least until better solutions arrive.
First, the bad news: Passwords aren’t going away. Facial recognition and fingerprint readers make verification faster and easier, but biometrics will remain shortcuts for the basic foundation of numbers and letters we use to convince apps and devices that you are really you. The two-factor authentication the CTO mentioned adds a security layer on top of a name and password. Recently, though, criminals have been using techniques to manipulate wireless carriers’ customer support services to hijack a victim’s phone number, gaining access to those codes and loads more information. Those headline data breaches can give criminals a social security number or home address needed to trick the person at the carrier’s call center into thinking that the person calling is who they say they are.
And so, every time a source tells me about some new hacking technique, I’ll write a post about why we shouldn’t give out our phone numbers. Then, I get briefly motivated to clean up my web identity. I go through my 1Password app, update the accounts where I’ve used the same password, and delete my identity for places that I no longer use, usually through a multistep process ending in emailing customer service. It’s a drag, and I’m far from finished. It’s my job to do these kinds of experiments, but having to change, then reenter, a new, long Prime Video password on my TV, phone, and laptop is a pain even when I’m on the clock. And we expect the average connected civilian to do the same after a full day at work? For all the apps and devices we’ve had to activate over the years? All those vulnerabilities? Please.
Here’s the advice I follow: List the half-dozen or so accounts that, if you lost them, would really ruin your day. For me, that’s Amazon, Apple, Google, and my banks. I’d extend that to social media accounts, too. Come up with passwords that are sentences, not single words. Push through the confirmation emails and update them. Writing them in a notebook to keep in your desk drawer is fine. Be stingy with your phone number. Think hard before signing up for any account. When you get email from a service you haven’t touched in years, delete your account right there, on the spot.
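Two of the steps above, picking sentence-style passwords and hunting down reused ones, can be checked with a little arithmetic. The Python below is an added example, not code from the original column or from any password manager it mentions. It estimates how many bits of guessing an attacker faces under two models (brute-forcing characters, or guessing whole dictionary words) and takes the cheaper of the two as the conservative number; the dictionary sizes and the account list are constructed assumptions, not figures from the article.

```python
import math
import re

# Assumed model sizes (not from the article): a 100,000-word English
# dictionary for the word-guessing attacker, 95 printable ASCII characters.
ENGLISH_WORDS = 100_000
PUNCTUATION_AND_SPACE = 33  # printable ASCII that is not a letter or digit


def charset_size(pw: str) -> int:
    """Size of the character alphabet a brute-force attacker must cover."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += PUNCTUATION_AND_SPACE
    return size


def brute_force_bits(pw: str) -> float:
    """Bits of work if the attacker treats the password as random characters."""
    return len(pw) * math.log2(charset_size(pw))


def word_guess_bits(pw: str, dictionary_size: int = ENGLISH_WORDS) -> float:
    """Bits of work if the attacker guesses whole dictionary words in order.

    Rough model: every alphabetic run is assumed to be a dictionary word, so a
    single common word costs only log2(dictionary_size) bits, however long it is.
    """
    words = re.findall(r"[A-Za-z]+", pw)
    return len(words) * math.log2(dictionary_size)


def estimated_bits(pw: str) -> float:
    """Conservative strength estimate: the attacker picks the cheaper strategy."""
    return min(brute_force_bits(pw), word_guess_bits(pw))


def reused_passwords(accounts: dict) -> dict:
    """Map each password used by more than one account to those accounts.

    `accounts` is {account_name: password}; this is the check a password
    manager's audit runs, done by hand on a constructed list.
    """
    by_password = {}
    for account, pw in accounts.items():
        by_password.setdefault(pw, []).append(account)
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


if __name__ == "__main__":
    single_word = "sunshine"
    sentence = "my cat naps on the warm radiator"
    print(f"{single_word!r}: ~{estimated_bits(single_word):.0f} bits")
    print(f"{sentence!r}: ~{estimated_bits(sentence):.0f} bits")

    # Constructed sample vault; the repeated value is what the audit should flag.
    sample_vault = {
        "amazon": "sunshine",
        "bank": "my cat naps on the warm radiator",
        "old-forum": "sunshine",
        "google": "a blue kettle whistles at six sharp",
    }
    for pw, names in reused_passwords(sample_vault).items():
        print(f"password shared by {names}: change it on each of these accounts")
```

The contrast is the point of the "sentences, not single words" advice: the single word gets no credit for its eight letters because a word-guessing attacker pays for it once, while the seven-word sentence costs the same attacker seven times as much and is far longer for a character-level attacker to cover. Under these constructed model sizes, the word comes out at roughly 17 bits and the sentence at over 110.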
We can’t expect tech companies to behave with much accountability, and thieves will always exist. That sounds grim, but it’s improving. And as we get closer to a more secure digital future, I’m going to relax my grip and try to enjoy the benefits of connectivity as best I can.
Originally posted on Popular Mechanics