Creating a security feature is 1000x easier than turning on a security feature. Ask me how I know. Optional security nearly always means low volume. Evangelism doesn't usually escape the tech people "bubble".
In our Infosec circle we hear people talk about multi-factor authentication as if it's obvious but the reality is very different. Twitter released their numbers -- only *2.3%* of Twitter users had any MFA method enabled during this reporting period.
Some security people have this terrible Darwinian attitude towards users' security: "if they don't turn on security feature x, that's on them." Nonononononononono, we are supposed to make this transparent, at worst easy - for everyone.
@dwizzzleMSFT
Agree. However, sometimes I see that the security feature's security aspect degrades experience. I would add a corollary that a security feature must meet the bar to harden invisibly, unless the friction added is by design & would not impact adoption.
@dwizzzleMSFT
You know also, like, if somebody takes over my Twitter account it’s *embarrassing*, but I’m not permanently owned like if they take over my primary email
@dwizzzleMSFT
"Creating a security feature is 1000x easier than turning on a security feature."
I totally believe you... but how about you start some project that collects all enable/disable buttons into one app that can also show the current state of the features? IT SHOULDN'T BE SO HARD
@dwizzzleMSFT
I am 1 for 2 for getting locked out of my personal Github account because I turned on 2FA to mollify a company I was working with and lost my phone and backup codes simultaneously.
Availability is a significant concern for me turning on 2FA.
@dwizzzleMSFT
Yo I respect that.
However, some security features have low yield but very high barriers. There are some diminishing returns at play.
2FA will provide much better protection than a default HVCI config. Both demand much of the user, but HVCI provides little value in itself.