After 2 years my Pixel 2 XL took a bit of a spill the other day. It's still fine, but the glass is cracked. I'm hoping to find someone who can change just the glass… but… I bought a Pixel 4 XL. The saddest part about this is I was literally just thinking I would skip this generation; I love the Pixel 2 XL. It's such a great phone, such great battery life, etc. Oh well.

New phone arrived last week but I was out and about, so I got the time to migrate over on Monday. And, of course, the migration was trivial… took about 5 minutes, all was good, shortcuts, etc. BUT… you have to manually migrate all the 2-factor authentication setups. 63 sites. And each is different: you log in to the site (using the Pixel 2), find the settings, disable/change/remove/update the 2FA, and then re-enable it on the Pixel 4. That took *ages*.

Since this was obviously going to take a while, I thought… there must be a better way. I mean, TOTP is a standard, implemented in more than one app. I settled on Authy (also on iOS). It has the ability to operate on multiple devices and to sync/store the seeds. So this should be the last time I have to do this.

And, of the multiple devices, Chrome is one. So you can install it for ChromeOS. Great!

So the theory is… I can now switch phones again if needed.

When I started my company, I registered GitHub, LinkedIn, Twitter, GitLab, … all the usual suspects. I did this to avoid some unfortunate future situation where I was locked out of a channel I needed.

But some of the sites are algorithmic or achievement-unlocking in order to get a custom URL. One example is YouTube. Our current Agilicus YouTube channel has a URL like this. It's very catchy, I know. But I cannot change it until I get more subscribers. It's like some sort of YouTube ghetto. Since we don't place ads, it's not about monetisation. Instead it's about Search Engine Optimisation. For your own web site, make sure you have your own domain (naturally a .CA domain). But for the other web properties, short pronounceable URLs matter.

And, believe it or not, it's LinkedIn followers (our LinkedIn) and YouTube followers that seem to matter as far as reach goes. I despair of getting to the YouTube threshold soon, but, well, if you are reading this, and feeling charitable, subscribe! And if you are feeling super charitable, get a friend to do so too.

In 2014 the Globe and Mail wrote an article called “Why Canada’s banks have weaker passwords than Twitter or Google”. In 2018 I also wrote about this. I opened a support ticket for my bank complaining about this; their response was that “your password plus personal verification question is 2-factor”. In other words: you have 2 passwords, shut up and like it.

It's 2019. I have multi-factor authentication on nearly everything. Except the thing criminals care most about: money. I can prevent the crooks from posting as me on Reddit, from accepting a Pull Request on GitHub. But my finances? Forget about it.

The web is littered with people asking, and complaining, and getting nowhere. The banks obfuscate and dissemble when asked, pointing to other “security” initiatives like the questions. In some cases they SMS you for a transfer. But this is after you are logged in (and it's SMS).

What we want is TOTP. It works with Google Authenticator, Microsoft Authenticator, and other apps. It's strong. It's simple. It's ubiquitous (except in the banking sector, for clients). (Even better would be U2F, like a YubiKey, but, well, I dream!)

Why am I ranting about this today? Well, let me tell you. I bank with Royal Bank of Canada (RBC). In order to transfer more than 5K on my business account I need a SecurID fob. OK, it's not TOTP, but better than nothing: it works, it's secure. To make it as hard as possible for people to do this, they charge you $50 for it. OK, fine, I paid. Then they can only ship it to your branch. OK, fine, I'll go to the branch. Monday I get the note. I go; they have no idea. I'm in a hurry, so I finish doing the transaction that I wanted the SecurID for anyway (manually, paper, cheque, you know, like your great-grandparents did). I come back today to pick up the SecurID fob that *they emailed me was ready*. Nobody knows what it is, where it is. After 1/2 hour of hunting, I'm asked again, “is this a set of cheques?” “is this a passbook?” Finally I point to their own personal keychain; they have one. “It's that thing.” Oh, that is just for us, not for customers.

It's clear that if no one in a branch has heard of it, the level of cybersecurity awareness is not very high. On day 1 I train all my staff about the merits of 2FA (or MFA). On their GitHub, their Twitter, their Gmail, etc. Why can I afford to do this as a small business and RBC cannot?

After nearly 1 hour I'm asked to come back another time when a different set of staff are in. I bike home in the frigid rain and write this missive to you.

So here's my suggestion. Let's do something about this. Are you a reporter? Great, do a story; I'll talk with you. Are you a customer of a bank? Ask your teller, your branch manager, the online support, wherever. We demand better. Yes, I know you have a lot of complex IT systems. Yes, I know it's tough to explain how this works to consumers. You know what else is expensive? Losing my money. I know you've each and all been hacked. I know you treated this like some sort of actuarial cost/benefit problem. Ford did that with the Pinto, and people died. Put down your calculator, pick up your keyboard, Google “TOTP” and “OpenID Connect” and maybe U2F. I would prefer to log in with OIDC from my Google account: I believe it is much more secure than you and your AS/400 backend with a sticky note on the console saying the admin password is “i manage”.

Get on that list or get out.