A couple of weeks ago, I posted three posts about security and back doors. My point was that in computer systems, secret back doors are useful to certain people but inherently weaken the overall security of the system.
Well, just yesterday, I drove down to the bank to deposit a check. I got to the parking lot and pulled the check out of my jacket and signed it. I got out of my car, locked the door (by pressing the button on the side of the door) and went and deposited it. When I got back, I couldn’t find my keys. Sure enough, I had placed them on the seat next to me when I took them out of the ignition. I do that sometimes; normally, I take my keys with me immediately when I get out of the car but if I don’t do it right away, that breaks my routine and bad things can happen.
At that point, I really wished I had a back door to get into my car. But alas, I did not. Now, I know that I could have a secret key (literally) planted on my car somewhere in a magnetic box and that most people wouldn’t even think to look there. That’s security by obscurity. I could also have a secret remote unlocker planted on my car. That way I could unlock the car, but it still wouldn’t start, because my car has an electronic immobilizer that keeps it from starting without the key. That would solve the problem of somebody getting hold of the remote unlocker: they could open the car, but they wouldn’t be able to take the vehicle.
So how does this relate to computer systems? Well, maybe a secret key that unlocks everything is a bad idea, but what about a key that unlocks access to authorized personnel? Now, before you get all snarky and say "We already have those, they’re called passwords," what happens if you forget the password (analogous to me locking myself out)?
I’m not a security expert but I’m sure that functionality like what I describe probably exists one way or another. I guess they have things like "answer these questions and you can reset your password." That’s security by obscurity as well. Not great, but better than staying locked out of your account.