Comment by closeparen 10 months ago
Shared secrets are criminally negligent security architecture in 2024. We can authenticate identity and authorize payment without giving the relying party a token to leak or abuse. The energy behind this problem is good, but "everyone try harder to protect the shared secrets entrusted to you" would be a tragic waste of it.
> [...] would be a tragic waste of it.
The first time would have been a tragedy, from then on it has been farce after farce.
Imagine a world where companies would have to prove the necessity of storing specific factoids. It would only take one security researcher to prove it unnecessary, invalidating that class of "legitimate interests".
Today this value judgement happens in human brains, like the (correct) judgement in your comment. If we want to scale it objectively, we would have to switch to formal verification. A whole industry of compliance checking could come to exist, where a company wants to get its operations screened for compliance issues so as not to suffer criminal negligence penalties.