My wife is currently away, leaving me in charge of our domestic administration. I admit that I do enjoy the power trip. She asked me last night if I could pay an invoice: “the email should have details.”
It sounded easy enough. It’s not like she was asking me to assemble an Ikea wardrobe. In hindsight, I would have taken the wardrobe. I would have taken ten wardrobes.
I located the email easily enough. Step one complete. However, the invoice was not actually there. It was merely pointing me toward a different website entirely. I clicked. I entered the credentials. Nothing. The website stared back at me.
“Are you quite sure these credentials are correct?”
“Oh, that happens constantly,” came the reply. “It refuses to load in Safari. You have to use Chrome.”
I switched to Chrome. I logged in. I found the download button. Success? Not quite. The downloaded file demanded a PIN. By the time I secured the PIN I felt like I was auditioning for a low-budget reboot of Mission Impossible.
Then came the payment portal. “It’s sent a code to your email,” the screen informed me. I waited. And waited.
“Me again. Where is the login code?”
“Check the spam folder,” she replied. “It always ends up there.”
I retrieved the code from the digital gutter, navigated through seven distinct screens of administrative purgatory, and signed a solemn declaration asserting that I was not acting under duress and was not, to the best of my knowledge, a front for a global money-laundering syndicate.
I was at the finish line. Or so I thought. The final gatekeeper appeared: “Please enter the code from your authenticator app.”
“Which one?” I asked the void.
“I don’t know,” my wife admitted via text. “How many do you have?”
“Six, potentially. Three are probably obsolete. So, let’s say three.”
This is the state of our industry. I am not arguing against MFA or other security controls. What I am questioning is the absolute absence of empathy that goes into their implementation.
Every vendor on the planet decided they needed their own proprietary authenticator. Every platform chose a different flavour of friction. Some want six-digit codes. Some want haptic push notifications. Some seemingly want you to perform a ritual sacrifice under a blood moon while reciting your grandmother’s maiden name in Aramaic.
It is a paradox. We tell people to be vigilant against phishing, which remains the primary way criminals exploit us, yet we make the legitimate path so arduous that people will eventually look for a shortcut.
Which is how I found myself, well past midnight, clutching a smartphone in one hand and a laptop in the other, waiting for a magical string of numbers to appear. I was a man caught in a web of my own industry’s making, wondering if the goat was strictly necessary.
Do you think your employees are actually following your security policies, or are they just finding clever ways to bypass the friction you’ve built?