
>It is security theater of the worst degree by incompetents and MBAs and I am getting sick of it.

It's security theater giving people exactly what they want. People want to feel secure, but they don't want any amount of actual difficulty in getting what they want from Company A.

Like it or lump it, but regular people really don't want actual security. They want the ease and convenience of no passwords at all, and want someone to blame in case something goes wrong.



>They want the ease and convenience of no passwords at all,

That's not what I see. I see people looking for inconvenience. Expiring passwords. Password requirements, so you have to write your passwords down. (You will change it soon, anyway.) "Security" questions. Lock screens, session limits. 2FA-SMS. That horrible and insecure Microsoft 2FA that was on the front page yesterday. IP-geolocation voodoo so you can't log in from a different ISP/cellular/your parents' place on this supposedly world wide internet. It's not like these things happen on their own.

Computer-illiterate people think that these inconveniences bring them security.


Of course people want security, how can you say otherwise? What you seem to be talking around is that security researchers have been unable to figure out simpler forms of maintaining a true sense of security, simpler forms of reliability. There is no survey where people say they don't want these things, and if you're relying on the sales figures for Yubi keys or something, that's not a good indicator.

And of course people don't want difficulty! That's why we don't hand-crank to start our cars anymore. Blaming people for wanting faster horses[1] is a convoluted anti-intellectualism where the experts who actually know what's possible are let off the hook. All in all, if you ask me this should be a locus of UI/UX research.

1. https://hbr.org/2011/08/henry-ford-never-said-the-fast


You're absolutely right. People do unquestionably want security! They want privacy too!

The issue that the parent is alluding to is that the same users who want these things seem unwilling to make decisions or change behavior to get that security or privacy. Those of us working with security and privacy often wind up with the sense that users want them, but also that users expect them to be automatic and perfect and free. This starts with the computer-illiterate user who finds passwords confusing and goes all the way to developers who find it irritating to be forced to update the libs in their docker images.

Are there better ways? I sure hope so. So far we don't have simpler forms of maintaining true security or simpler forms of reliability. We just have cheaper ways of maintaining a sense of security - and that's theater.

I don't blame people for wanting faster horses. We don't have them on offer though, so in the meantime it might be nice if they were willing to consider what's available.



