Conventional wisdom says that simple security is an oxymoron. Good security is complex, while uncomplicated security is weak.

Whenever security is discussed, I think of Bruce Schneier. The US-based security guru describes crime and prevention forcefully.

What’s YOUR security profile?

Many of our everyday security practices are unconscious, notes Schneier. We do them out of habit, and don’t recognize them as strategic security decisions.

Authentication factors

When you leave your home, you lock the door, don’t you? We all do. Reasons range from burglary to wandering pets, but it’s a security precaution. We carry a hard token (a key) that allows us to decrypt the security mechanism (our door-lock) when we want to enter.

This is single-factor authentication. Anyone can use a copy of the key to enter your flat–the door won’t know the difference. Two-factor authentication (2FA) is often described as “something you know, plus something you have.” The best example is the online banking system mandated by the HKMA in 2005. The hard token, a small electronic device that generates a numerical code when you press a button, is the thing you have–your username/password combination is the thing you know.

The e-channel’s 2FA setup

Another example: the world-class e-channel setup used by both Hong Kong and Macau Immigration departments. ID card holders possess a hard token which contains a biometric: the card-holder’s thumbprint. Presenting the token (your ID card) for scanning is the first factor–the second factor is your thumb pressed against the scanner.

This isn’t a case of “something you know, plus something you have.” This is a hard token produced by the Hong Kong government–an ID card that contains your unique thumbprint as identity-authenticator. The card is produced at a dedicated facility where you present yourself for identity authentication, and it is a world-class identifying token, with a host of anti-counterfeiting measures.

Of course, the card could be lost or stolen.
But it would take an uncommon criminal to fake your thumbprint on the scanner at an Immigration checkpoint.

The system is easy and convenient to use, yet it’s highly secure. The e-channel at both Hong Kong and Macau Immigration checkpoints is an exemplar of tech security deployed on a large scale to benefit ordinary citizens. It’s also a prime example of a public-sector initiative that helps drive private-sector business. Secure and streamlined passport-free travel between Hong Kong and Macau smooths transit for frequent business travelers and improves business ties.

Security now for the future

The recent massive DDoS attack against South Korean banks illustrates, yet again, the depths of intrusion possible within the cyberdrome. Our digital interconnection, it seems, leads to trench warfare on the wires. Government spokespeople spin dire tales of “cyberwarfare” and accuse nation-states of hacking, spying, DDoSing or otherwise committing digital mayhem in search of intelligence…or simply to commit evil deeds.

Is there a limit to the scale of cyberintrusion? I can’t see it. But 2FA is an important component of any security strategy. Consumer services like Gmail and Apple’s iCloud now offer 2FA: the second factor being an SMS message to a previously secured mobile phone number (not necessarily available in Asia, yet). The evolution of 2FA as a simple yet effective security measure is heartening. Nothing invented by humans cannot be broken by humans, but as ever in the security world, we take our small victories and build on them.