Monthly Archives: April 2016

Inflexible Security (MailChimp fail)

Maybe I shouldn’t have written about flexible security, because I immediately started hitting inflexible security, locking me out.

Today’s fail is courtesy of MailChimp.com, which I use for my newsletters. It’s OK that they decided they want a confirmation when I log on to my account from India, but it is not OK that they require a text message passcode with no other option.

I have my phone in flight mode, because I don’t want to pay extortionate India roaming charges. But the Millennials in Atlanta running MailChimp have decided that everybody always has their phone on. We don’t, and they don’t know their users.

Do you know your users? Are you offering appropriate security options?

Too Much Security

My customer just had to wait four hours for me to help them with an urgent issue, because they had not implemented flexible security as I wrote about recently.

Like many others, they are using two-factor authentication, which is good. Unfortunately, like many others, they depend on a text message as the second factor. Text messages are known to be unreliable and liable to be lost or delayed, but their IT department did not offer any flexibility: without your passcode, you are locked out.

I did eventually get eight expired passcodes in a row. Fortunately, I did not have to revive a dead production database, and they survived the delay. But if you are depending on text messages to allow your system administrators to access your system remotely, do think about whether you need some alternative security option.