Do developers/programmers understand there is a difference between user security and server/infrastructure security?
I will use the term security rather than security/privacy for an easy read, but with a little thought you should realize they are almost the same thing, just called by different names.
A quick illustration of the point of the question:
I try to log on to a website that uses 2FA. But this website has a facility to reset my password (Forgot Password?). It uses the same 2FA mechanism to reset my password.
So we no longer have 2FA. (I don't need a password; I just hit Forgot Password.) The security of 2FA relies on "something you know" (password) and "something you have" (phone etc.).
So from the programmer/developer point of view, all good, much more secure.
But from the user point of view just the opposite.
How so?
The majority of users these days will be using a phone or tablet NOT 2 separate devices like most developers/programmers.
That means the something you know and something you have are the same thing.
The website is relying on the fact that the device is physically secured by the user and hopefully software protected as well (fingerprint, face recognition, password or PIN).
The security of the website is now squarely on the device AND ITS OPERATING SYSTEM.
The responsibility for security of the website is now in the hands of the user.
But wait, there is more.
I will be a very smart programmer and institute a unique encrypted token, so after the initial login creation the token will be stored on the device, and only that device can log in and doesn't need a password or 2FA.
I used 2FA to set up this token.
The user now has even more responsibility for his device.
I repeat the security of the website is now squarely on the device AND ITS OPERATING SYSTEM.
So why is this question important?
Delve into Zero Trust Authentication & W3C security and think of the implications for privacy.
Are both these initiatives a way for big tech to circumvent privacy laws?
Now ask the question: can big tech be trusted with security/privacy if it interferes with their monetizing of user data (advertising, analytics)?
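The scenario in the post (a 2FA-only password reset and a stored device token sitting beside the normal password-plus-code login) can be checked with a weakest-path review: an account is only as strong as the easiest of its sign-in paths. The following Python is an added illustration, not code from any website or project mentioned; the path names, factor names and device assignments are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Factor:
    name: str     # e.g. "password"
    kind: str     # "knowledge" or "possession"
    device: str   # where the factor is typed in or held (constructed labels)

@dataclass(frozen=True)
class AuthPath:
    name: str
    factors: frozenset  # set of Factor required to complete this path

def devices_needed(path):
    """Distinct physical devices an attacker must control to walk this path."""
    return {f.device for f in path.factors}

def kinds_needed(path):
    """Distinct factor kinds (knowledge/possession) the path actually demands."""
    return {f.kind for f in path.factors}

def weakest_path(paths):
    """Every path is a way in, so rank by fewest factor kinds, then fewest devices."""
    return min(paths, key=lambda p: (len(kinds_needed(p)), len(devices_needed(p))))

def assess(paths):
    """Summary of the path that bounds the account's real strength."""
    w = weakest_path(paths)
    return {"path": w.name, "kinds": len(kinds_needed(w)),
            "devices": len(devices_needed(w))}

def build_paths(password_device):
    """Constructed model of the post: normal login, 2FA-only reset, remembered token.
    password_device is where the user types the password ("laptop" or "phone")."""
    pw = Factor("password", "knowledge", password_device)
    otp = Factor("sms_or_app_code", "possession", "phone")
    token = Factor("stored_login_token", "possession", "phone")
    return [
        AuthPath("normal_login", frozenset({pw, otp})),
        AuthPath("forgot_password_reset", frozenset({otp})),   # no password needed
        AuthPath("remembered_device_token", frozenset({token})),  # no password, no 2FA
    ]

if __name__ == "__main__":
    for dev in ("laptop", "phone"):
        print(dev, assess(build_paths(dev)))
```

Running it shows the reset path reduces the account to one possession factor on one device whether or not the user owns two devices, and that for a phone-only user even the "normal" login collapses to a single device.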