Security or Simplicity, pick one

August 12, 2025

Security or Simplicity, pick one

As Daniel Huang has bloggedª many services, in a desire to simplify the experience for the users, have gone the route of sending a login code to an email address you enter.

While this may seem convenient to you and your customer, it is probably even more insecure than sending so-called MFA (Multi-Factor Authentication) codes via sms. Which bizarrely, despite years of evidence that it's an insecure way of sending MFA codes, many financial institutions in Australia have just begun to introduce in 2025, even despite CISA guidance not to use this method:

Do not use SMS as a second factor for authentication. SMS messages are not encrypted—a threat actor with access to a telecommunication provider’s network who intercepts these messages can read them.

To be clear, neither of these solutions to your problem are secure, no matter how compliant you think they make you with your internal or external security and privacy requirements.

One wonders how ideas like this pass muster with your security team. Oh.

ª: Via Justin Warren's excellent The Crux newsletter.º º: Note that despite supporting Markdown, write.as doesn't appear to do Markdown footnotes.