Posts

Showing posts with the label incompetent_at_authentication

Bitstamp and eBay both insult their established customers with captchas, and lose custom

As a matter of principle, businesses should be able to authenticate their own customers. If a business provides service over the internet, they should be able to authenticate their customers over the internet. If the business is handling a lot of valuable assets and / or money on behalf of their client, then the business must be able to authenticate their customers.  There is no excuse not to be able to. Captchas are infuriating "prove you're a human" bullshit, that values the time of the "human" at zero, and presumes to put the "human" to work for free, training some machine-learning database, with the side effect of some dorks walking around claiming they "work in AI".  Captchas, at a stretch, may be acceptable as a way of filtering anonymous strangers who turned up at a web site and want to do something.  Maybe they want to post, maybe they want to create an account, maybe it's something else.  Captchas are never acceptable as an ingre...

your session has expired: the sorry state of web session timeouts

I used to work in a team managing an authentication infrastructure. It was based on Kerberos. We went with the default session length of 10 hours. The idea behind this default was: it's long enough for a work day including breaks, plus a bit. When stuff stops working because the user has been logged out, they are free to log in again if they really want, but maybe they also appreciate the reminder that it's time to go home. The world of web site timeouts, for online banking, or anything finance related, is different. It's a race to the bottom. How quickly can you kick someone off the service, and still sometimes have them achieve the thing they logged in to do? Because it might not be them! So better limit the time the not-them has to do stuff. Or maybe the them lets a not-them take over their session part way through. So better log them out just in case. This is all the wrong approach to authentication. Authenticatio...

Interactive Brokers have frozen 211,930.77 EUR of mine

The background is that I sold a few kilos of gold for CHF, and wanted it in EUR, so I used IB's forex to get it from CHF to EUR at good rates. Simple, right? Well, it touches on the non-working financial system in several different places, so no, it's certainly not simple, it's an ordeal. The particular section of the ordeal dealt with here is the seizure of my funds by IB. The other major part of the ordeal so far is Sparkasse's Kafkaesque handling of giving permission for the EUR to land in their account, which is out of scope here. Like so many things, the problem comes down to authentication. The general problem is that businesses are generally unable to authenticate their own customers, and this is a competence issue. This is often accompanied by ad hoc and incorrectly-designed processes to sort-of "authenticate" customers, outside what the customer was led to believe constitutes the normal authentication process. The specific pro...