Consumer tech companies are terrible at user security

It should have been the easiest of transactions. I wanted to play old-school Doom on my Switch. So, a quick look at online reviews suggested Doom 64 was the version to grab. And, sitting on my smartphone, I could see this would cost less than $8 – cheaper than coffee and a muffin at the local café when we didn’t see such things as a special treat in the days before COVID.

So, I tapped into the Nintendo eShop (side note: why the ‘e’ – haven’t we moved on from making online stores seem special?) and had to enter my password. And this is where the fun begins. I couldn’t remember my password. And the password reset process requires using a “proper” computing device. I jumped onto my computer, went to the Nintendo online store and signed in with my Nintendo account. I needed to reset the password so I did that, using a password generation tool because complex passwords tend to be harder for bad guys to break and password re-use is a good way to help bad guys break into your accounts – something I learned the hard way.

A few months ago, my Netflix account was hacked by someone in Indonesia. They used an email address/password combination that was stolen in one of the hundreds of credential thefts that happen each week. And I made the mistake of not paying enough attention to a warning I received from Spycloud, a service that monitors when stolen credentials are used. That all worked out fine, as Netflix has a simple process for restoring control of your account and returning everything to you.

The problem with the Nintendo thing is that once I changed my password, I needed to enter it on my Switch. Given it was a complex, randomised password, that was a bit of a pain. And if I want to buy another game in future, I either have to fish the password out of my password manager and manually tap it in on the Switch, or I have to check the “never ask for a password again” box and hope the Switch is never lost or stolen.

Given Nintendo’s online store was hacked just this year with over 300,000 user accounts impacted, you can forgive me for coming at this with a low level of trust.

The problem is that the Nintendo authentication system is designed so that users are encouraged to either re-use passwords they can easily remember or use weak passwords that are easy to enter with the onscreen keyboard. Nintendo is not alone here.

Relatively few online services have improved their authentication services to keep pace with the security challenges of the 21st century. Almost every major breach we’ve seen starts with the compromise of an endpoint. And the easiest way for a hacker to access an endpoint is to simply walk in the front door with a stolen set of credentials. Everyone working in the infosec business knows this. It’s why companies like Okta, Duo Security, Daltrey and others have focused on supporting businesses by creating stronger systems for proving the identity of users through multi-factor authentication and biometrics.

Yet, consumer technology businesses, even fabulously successful ones like Nintendo, are letting us down. They are making weak security easier than good security. Why doesn’t Nintendo enforce two-factor authentication? I get that many of the owners of these devices are children and may not have a smartphone that lets them use a one-time code generator or receive a code via text message. But surely the need to protect the user accounts of children, as well as adults, trumps the need for simplicity.

I find it incredible that a company that can create a market-leading platform can’t get this fundamental building block right. Consumers deserve better and the platform designers should aspire to protect users with more than a token effort.