I Would Strongly Recommend Hardware MFAs ... But
In my small foray into the domain of cyber security I've had the opportunity to be introduced to the concept of security theater. Security theater is the stuff that is done in the name of security but has no actual impact on improving security. It is done just for show. As always, context matters. One organization's security theater is someone else's actual priority #1 thing.
A good example of security theater is the mandatory bi-annual security training, delivered as a two-hour-long presentation of which the audience remembers next to nothing the next day. Maybe it sounds like I'm exaggerating. I'm not. Do a poll a couple of days after such a training (but don't tell people you're going to poll them). I bet only the details of some random things are remembered, if that.
I say all this to direct your attention to an aspect of security that I think cannot be classified as security theater. In fact, it's quite the opposite: a really effective, simple and complete solution to a concrete problem that is happening in the real world.
The thing I'm talking about, which I already gave away in the subject, is phishing-resistant hardware multi-factor authentication devices. I have a YubiKey (or two, actually). I use it simply because it eliminates the worry about getting phished: it guarantees that you are not entering your TOTP (Google Authenticator etc.) code into a phishing site. It only gives the second factor to the site you've configured it for. With virtual second-factor apps you're not protected from elaborate phishing sites, as the attacker will just collect your password and second-factor code when you enter them into the phishing site. (I say 'just', but of course it's a little more complicated.)
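To make the mechanism in the paragraph above concrete, here is an added Python illustration (it is not code from this newsletter or from Yubico). It puts an RFC 6238 TOTP check next to a much-simplified WebAuthn exchange between a browser, an authenticator and the genuine site, and shows why the site cannot tell where a TOTP code was typed, while a hardware-key assertion carries the origin the browser was actually connected to and is scoped to the site's rpId. The HMAC-based "signature", the site names `example.com` and `example-login.net`, and all class and function names are constructed stand-ins; a real key signs with a per-site asymmetric key.

```python
import hashlib, hmac, json, secrets, struct, time

# Added illustration, not the newsletter's code. HMAC with a per-site secret
# stands in for the asymmetric signature a real FIDO2 key produces, purely so
# the example runs with the standard library; everything else is constructed.

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    # RFC 6238: HMAC-SHA1 over the time counter, dynamically truncated.
    mac = hmac.new(secret, struct.pack(">Q", int(now // step)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, now: float) -> bool:
    # The genuine site cannot tell where the code was typed: a code captured by
    # a look-alike page verifies exactly like one typed on the real login form.
    return hmac.compare_digest(totp(secret, now), code)

class Authenticator:
    # Stand-in for the hardware key: one credential per relying-party id.
    def __init__(self):
        self._credentials = {}

    def register(self, rp_id: str) -> bytes:
        self._credentials[rp_id] = secrets.token_bytes(32)
        return self._credentials[rp_id]  # a real key would hand out a public key

    def get_assertion(self, rp_id: str, challenge: str, origin: str):
        # The signed data includes the origin the browser is connected to, so
        # the user never types anything that could be re-entered elsewhere.
        key = self._credentials.get(rp_id)
        if key is None:
            raise KeyError(f"no credential registered for {rp_id}")
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        return client_data, auth_data, hmac.new(key, to_sign, hashlib.sha256).digest()

def browser_get(authenticator, origin: str, rp_id: str, challenge: str):
    # The browser fills in the origin itself and refuses an rpId that is not the
    # origin's host or a parent domain of it, so a look-alike host cannot ask
    # the key for the genuine site's credential.
    host = origin.split("://", 1)[1].split("/", 1)[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"rpId {rp_id!r} is not valid for origin {origin!r}")
    return authenticator.get_assertion(rp_id, challenge, origin)

class RelyingParty:
    # The genuine site: issues single-use challenges and checks assertions.
    def __init__(self, rp_id: str, origin: str, credential: bytes):
        self.rp_id, self.origin, self._credential = rp_id, origin, credential
        self._pending = set()

    def new_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self._pending.add(challenge)
        return challenge

    def verify(self, client_data: bytes, auth_data: bytes, signature: bytes) -> bool:
        data = json.loads(client_data)
        if data.get("type") != "webauthn.get" or data.get("challenge") not in self._pending:
            return False  # unknown, expired or replayed challenge
        if data.get("origin") != self.origin:
            return False  # assertion was produced for some other site
        if auth_data != hashlib.sha256(self.rp_id.encode()).digest():
            return False  # wrong rpIdHash
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        expected = hmac.new(self._credential, to_sign, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False
        self._pending.discard(data["challenge"])
        return True

def demo() -> dict:
    # Runs both second factors through a relay and reports which one survives.
    results, now = {}, time.time()
    totp_secret = secrets.token_bytes(20)
    captured_code = totp(totp_secret, now)  # as if typed into a look-alike page
    results["totp_relayed"] = verify_totp(totp_secret, captured_code, now)

    key = Authenticator()  # registered once with the genuine site
    site = RelyingParty("example.com", "https://example.com", key.register("example.com"))
    genuine = browser_get(key, "https://example.com", "example.com", site.new_challenge())
    results["webauthn_genuine"] = site.verify(*genuine)

    challenge = site.new_challenge()  # forwarded to the user by a look-alike host
    try:  # the look-alike page can only ask for its own rpId, which has no credential
        lookalike = browser_get(key, "https://example-login.net", "example-login.net", challenge)
        results["webauthn_lookalike"] = site.verify(*lookalike)
    except KeyError:
        results["webauthn_lookalike"] = False
    try:  # and the browser refuses to let it borrow the genuine site's rpId
        browser_get(key, "https://example-login.net", "example.com", challenge)
        results["browser_rejects_foreign_rpid"] = False
    except ValueError:
        results["browser_rejects_foreign_rpid"] = True
    return results
```

Calling `demo()` returns `{'totp_relayed': True, 'webauthn_genuine': True, 'webauthn_lookalike': False, 'browser_rejects_foreign_rpid': True}`. The TOTP code is just a string that verifies wherever it was typed, whereas the look-alike host never obtains an assertion the genuine site will accept, because the origin and the rpId hash are part of what the key signs and the site checks both. The single-use challenge set additionally stops a captured assertion from being replayed later.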
These elaborate phishing campaigns have been carried out several times in the real world (against Twitter, Dropbox and others) and they have been successful. You are lured into opening a link to a site that looks exactly like, say, GitHub, you enter your credentials, and the game is basically over.
Training people to spot phishing attempts is largely pointless (I feel). Maybe pointless is too harsh, but it is at least quite ineffective as a complete solution. As long as you constantly receive legitimate emails with legitimate links that you constantly click (I receive tens of such emails a day), it is practically impossible to guarantee that none of the staff fall for a genuine phishing attempt. Dropbox's conclusion after their incident was to mandate hardware MFAs for all their developers. (I don't know if they followed through, though.)
Now that the war in Ukraine is going on, it is not at all paranoid to suspect that you might be phished or attacked if you're doing something important enough to get noticed and to be considered useful for propaganda or disruption. And these attacks happen even when there is no war going on.
I don't remember the exact quote, but some big NSA dude said that the reason you haven't been attacked already isn't that you have such good defenses but that no one has been interested enough in you. Or: you have already been breached, you just haven't noticed it.
But the reason for the 'but' is that, with all that said, I'm not sure mandating hardware MFAs is feasible in a normal organization that hasn't experienced a major security breach first. The price of hardware MFAs seems negligible compared to the cost of a developer: YubiKeys are about €50 a pop (in a corporate environment you only need one MFA device per person because someone else can reset the account). There's the organizational overhead, support and training, so it's not just the price of the physical thing, but I'd still put it under a few hundred euros or dollars per person per year.
YubiKeys are admittedly a little clumsy too. The AWS CLI and AWS Console need a hack to work with them. They are not supported by all sites, though all of the major ones do support them (Google, AWS, GitHub and others). I do like the physicality of them; it's like having another key on your keychain. It feels safer. (Hey, we do have emotions even if we are nerds!)
The other thing is that passkeys might obviate the need for hardware MFAs. They don't cover all the use cases, but if you can use your phone (with its Face ID etc.) for a similar purpose and perhaps eliminate the need for passwords too, it just might be that no one will be using YubiKeys in the near future. (Practically no one does nowadays either, so it wouldn't make much of a difference.)
But all in all, I still think hardware MFAs are a nicely wholesome and relatively simple solution to a real problem that is not even theoretical anymore. I can't think of anything fundamental stopping an organization from starting to use them. All the reasons I can think of are systemic and can be dealt with. But then again, implementing anything new is always a big hassle and takes a lot of time and money.
So yeah, it seems the newsletter is back, I think? I've decided to set the bar for publishing very low, which means that I won't be doing reviews of drafts before publishing, at least for most posts. Those reviews have probably improved previous posts, but they have also in part caused me to stop writing completely. You see, I start doubting the content of my writing, then I hesitate to even write it and submit it to a draft reviewer at all, and soon enough I cling to the only available coping mechanism, which is to stop doing it altogether. :)
However! This does not mean that you shouldn't send feedback. You should! I got some semi-angry responses to my Dunning-Kruger rant, deservedly. I do read and process the feedback.