My Wild Security Head-Fiction

15th Mar '19 • 3 of your Earth minutes


I’m not a security expert. I confidently believe I don’t have the kind of mind it takes to ‘always expect the worst’. I couldn’t be a threat analyst, defence strategist or CIA agent because I think you need a drastic view of the world which says something along the lines of ‘everyone is a potential threat’.

That being said, occasionally I do have thought experiments where I allow my mind to wonder/wander over security-related topics.

Sometimes these are mundane, like my realisation that using the same password for everything is a bad idea: what if there were no passwords?

Other times it gets a little more Jason Bourne. Like “what if someone desperately wanted to gain access to my WhatsApp?”

Granted, why anyone would want access to one of my messaging accounts is beyond me. It’s a bit of a stretch to suggest that anyone would go to these lengths for me. But I always find that personalising these thought experiments makes them more worthwhile — if any workable solutions came out of it, I’d probably be the first person to benefit by it. (Dog-fooding. Also the only real thing I was moved by in the film Joy.)

Anyway, back to the point. WhatsApp. More specifically, WhatsApp Web. It still has that weird 2-factor auth thing going on; they generate an auto-refreshing QR code to enable login.

This is actually quite cool. I don’t need a username and password. There’s no signup flow, especially as the service is aimed only at existing users, not as a way to on-board new users.

I don’t need an app I don’t already have and the whole login process happens quickly and fairly silently between my phone and my computer as if by magic. It’s actually quite beautiful.

The main benefit of this is that someone can’t guess my WhatsApp username/password combo and login to my WhatsApp account and see all of my conversation history, blah-de-blah. So it has the feelings of being secure.

Now, I’m not going to pick apart the other elements involved in making this secure, because that’s not where my thought experiment led me. Perhaps another time.

For now, I lingered on the possibility that someone would try to gain access to my phone and use it to sign in to WhatsApp Web, for whatever peculiar reason. Maybe they prefer the browser experience, or maybe they have that myopic, maniacal, world-dominating twist on their eyesight which only a Chrome Extension was able to correct.

I use an iPhone 8 currently and – like a good safety-conscious individual – I have a security code lock. I’ve also set up TouchID.

So what if this imaginary diabolical antagonist (or state actor) wanted access to my iPhone? Well he/she could torture me to try and get my passcode. Or they could restrain me and find which finger to use to unlock my phone. Easy!

(For those unfamiliar with TouchID, you can set it up to use multiple fingers and thumbs to unlock your phone, which is handy.)

But what if you could set one of those to be a dead man’s switch?

So let’s say you use your ring finger on your left hand for the complete opposite effect of TouchID; instead of unlocking the device, it actually wipes it. Similar to the setting that can wipe the device after a number of failed passcode attempts.

The beauty of this is that it would actually look like you’re going to unlock the phone, but then you just hold it there for a few extra seconds and BAM 💥 all gone.
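To make the idea concrete, here is a toy model of the policy described above. It is an added illustration, not part of the original post and not how TouchID actually works: the enrolment table, the hold threshold and the failed-attempt limit are all constructed parameters. One enrolled finger unlocks, a designated duress finger held past a threshold wipes the device, and too many unrecognised touches also wipe it, mirroring the erase-after-failed-attempts setting.

```python
"""Toy model of a duress fingerprint that wipes instead of unlocking.

Hypothetical design for illustration only; the finger names, the
3-second hold threshold and the failure limit are constructed values.
"""
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    UNLOCK = "unlock"   # ordinary enrolled finger
    DURESS = "duress"   # the dead man's switch finger


class Outcome(Enum):
    UNLOCKED = "unlocked"
    REJECTED = "rejected"
    WIPED = "wiped"


@dataclass
class Device:
    fingers: dict                      # finger id -> Role (constructed enrolment table)
    max_failures: int = 10             # wipe after this many unrecognised touches
    duress_hold_seconds: float = 3.0   # how long the duress finger must be held
    failures: int = 0
    wiped: bool = False

    def wipe(self) -> None:
        # On a real device this would mean destroying the data-protection
        # keys; here we just drop the enrolment table and flag the state.
        self.wiped = True
        self.fingers = {}

    def touch(self, finger_id: str, hold_seconds: float) -> Outcome:
        """Process one fingerprint touch and return what the device does."""
        if self.wiped:
            return Outcome.WIPED

        role = self.fingers.get(finger_id)

        # Unrecognised finger, or the duress finger released early: both
        # look like an ordinary misread, so the duress finger is not
        # distinguishable from a bad scan until it is held long enough.
        if role is None or (role is Role.DURESS and hold_seconds < self.duress_hold_seconds):
            self.failures += 1
            if self.failures >= self.max_failures:
                self.wipe()
                return Outcome.WIPED
            return Outcome.REJECTED

        if role is Role.DURESS:
            self.wipe()
            return Outcome.WIPED

        # Ordinary unlock resets the failure counter, as a passcode would.
        self.failures = 0
        return Outcome.UNLOCKED


def simulate(device: Device, touches: list) -> list:
    """Replay a list of (finger_id, hold_seconds) touches and collect outcomes."""
    return [device.touch(finger, hold) for finger, hold in touches]


if __name__ == "__main__":
    phone = Device(fingers={"left_thumb": Role.UNLOCK, "left_ring": Role.DURESS})
    # Constructed sequence: normal unlock, a brief duress touch, then the real thing.
    for outcome in simulate(phone, [("left_thumb", 0.5), ("left_ring", 0.5), ("left_ring", 4.0)]):
        print(outcome.value)
```

The one design choice worth noticing is that a short touch with the duress finger is treated exactly like an unrecognised finger and counts towards the failure limit, so nothing observable reveals which finger is the switch until it has been held for the full threshold.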

Assuming I would be held against my will, with the threat of death looming over a lack of cooperation, I would surely perish. But on the plus side, now I’m not concerned about someone taking my finger off just to get into my WhatsApp convos.

Just a thought anyway.

#notadesigner • #sometimesitworks

All content licensed CC BY-SA 4.0  •  Code highlighting by Torchlight