Online voting, security codes & verification

So, the first thing to realise with this post is that I am an infosec amateur, and not always sure if something is an actual issue or just me misunderstanding the context or reasoning behind a particular security solution. Therefore, this may be a rambling selection of words with no point.

There's a company called Electoral Reform Services Ltd. They apparently have "over 100 years of experience in administering elections and ballots" and run elections for all sorts of things such as political party leadership elections, board member elections for organisations, etc. Recently, due to the fact that I help to run shows at the Edinburgh Fringe Festival, I received a ballot paper for the elections for the Fringe Society board. I was a bit surprised at the methods being used for verification and wanted to offer it up for discussion.

So, after registering as a member of the Fringe Society and paying your £10 you later receive an email. The email contains some explanatory information, a link to the online site where the voting will be carried out (created and maintained by ERS) and some security codes:


Both of the security codes are sent in the same email, and this seems odd to me. If the idea is to try and use multiple credentials to prove that you're who you say you are, then it seems like this isn't the best way of doing that. Two codes, yes, but sent via the exact same method. AND in the same email, not even split up over two. It's less 2FA and more 1.5FA.

It has been pointed out to me that these codes are maybe less for verification and more for identification... and you ARE logging in to the site with an email address and password anyway. Why call them security codes then? That could give the wrong impression to the user.

If every ERS election is run like this, and it's not really the best method for identification or verification, then that seems pretty silly or important to highlight. Am I just going mad or is this genuinely an issue? I tried to tweet both ERS and the main Edinburgh Fringe organisation for their thoughts and input, but answer came there none...
