My employer strives to maintain a pretty high level of IT security. Our issued computing devices have encryption at rest and two-factor sign-in. The network in our offices pipes everything through a VPN to corporate, and we're not to connect the laptops to a public network unless we enable the VPN, which itself requires two-factor sign-in. Accessing corporate mail through the web interface requires two-factor identification. And so on.
It's probably not perfect,[1] but there are clearly some professionals thinking hard about this issue back at the big office, which is reassuring.[2]
They've recently added the on-line time reporting system to the two-factor menagerie.[3]
But here's the thing: when I sign into the OS on my laptop, the VPN, and the webmail, I enter the code off the two-factor fob first and my password second. This new system is doing it the other way 'round. I don't consider myself expert enough on these issues to have an opinion about which way is better, but I'm pretty sure that doing it both ways can't be right.
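As an added illustration (this code is not from the post and says nothing about how the employer's systems actually work), here is a server-side login check that takes the password and the fob code as one submission and evaluates both factors before answering. With a verifier built this way, "code first" versus "password first" is purely a client-side entry convention: the server sees the same pair either way. The example implements RFC 4226 HOTP / RFC 6238 TOTP over HMAC-SHA1, stores the password as a PBKDF2 hash, accepts a clock skew of one 30-second step either way, and refuses to accept the same one-time code twice. The PBKDF2 parameters, the skew window and the sample secret are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

STEP = 30    # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6   # length of the one-time code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HMAC-SHA1 one-time password for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step)


def hash_password(password: str, salt: bytes) -> bytes:
    # Assumed parameters for the example: PBKDF2-HMAC-SHA256, 200k iterations.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    otp_secret: bytes
    last_otp_counter: int = -1   # highest TOTP counter already consumed


def make_account(password: str, otp_secret: bytes) -> Account:
    salt = os.urandom(16)
    return Account(salt, hash_password(password, salt), otp_secret)


def verify_login(acct: Account, password: str, code: str,
                 now: int, window: int = 1) -> bool:
    """Check both factors and return the AND of the two results.

    Both checks always run, so the outcome does not depend on which factor
    the user typed first, and a failure of one factor does not short-circuit
    the other. The one-time code is only marked as used when the whole
    login succeeds.
    """
    password_ok = hmac.compare_digest(
        hash_password(password, acct.salt), acct.password_hash)

    # Reject malformed codes without letting them reach compare_digest,
    # which raises on non-ASCII input.
    well_formed = code.isascii() and code.isdigit() and len(code) == DIGITS
    candidate = code if well_formed else "0" * DIGITS

    current = now // STEP
    matched_counter = None
    for delta in range(-window, window + 1):   # tolerate +/- one step of skew
        counter = current + delta
        if hmac.compare_digest(hotp(acct.otp_secret, counter), candidate):
            matched_counter = counter
    # A code is valid only if it matches and its counter has not been used.
    otp_ok = (well_formed and matched_counter is not None
              and matched_counter > acct.last_otp_counter)

    if password_ok and otp_ok:
        acct.last_otp_counter = matched_counter
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: the RFC 4226/6238 test secret, never a real one.
    secret = b"12345678901234567890"
    acct = make_account("correct horse battery staple", secret)
    now = 59                          # RFC 6238 test time; counter == 1
    code = totp(secret, now)
    print("first attempt:", verify_login(acct, "correct horse battery staple", code, now))
    print("replayed code:", verify_login(acct, "correct horse battery staple", code, now + 1))
```

The verifier takes the two factors together and only reports success after both have been checked; the client form can put the password box above or below the code box without changing anything the server does. Tracking `last_otp_counter` is the RFC 6238 recommendation that a code be honoured at most once, which matters because a valid code otherwise stays usable for the whole skew window.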
[1] As a working postulate, I think "It's never going to be perfect" is a good way to understand IT security.
[2] Actually, the bit where I don't have root on my development machine is pretty &^%$ annoying. But IT isn't being unreasonable for its own sake on this: I can have root on a virtual machine and develop there as long as the virtual machine is behind the firewall on the "real" one.
[3] And a good time, too. It's been getting a lot more access from outside the office lately.