Author here. I posted this on Sunday for a light read, but I guess it got traction today.
Based on the comments I see here, I think the focus is going on the turnstiles just as it did when I worked there, while the cookie credentials are pushed aside. I think that's the security theater. We are worried about supposed active shooters, different physical threats, while a backdoor to the company is left wide open. The turnstiles are not useless; they give an active record of who is in the building, and stop unauthorized people. But they also give so much comfort that we neglect the other types of threats.
I care a lot more about my life (or my car's catalytic converter, which was stolen off my car in my work parking lot before they installed a gate for the lot) than any of my work-related IT credentials. Health and safety threats are a much bigger deal to people than nebulous, difficult-to-exploit threats to IP.
You're right, but the consequences of different security failures are different, no?
Perhaps part of the problem is that an active shooter is easy to visualize and understand whereas unsecured credentials stored in cookies are an abstract and difficult to visualize problem for management.
Furthermore, turnstiles are easy to promote and take credit for. Secure web authentication would have to be explained to and understood by the boss's boss before credit for it could be claimed.
I suspect it's these aspects of organizational reality that result in security theater.
I don't think you could take over the company with a Jira token. Another factor for consideration with turnstiles is disability access and fire egress. Those are covered by building code, but since this is a parable, it's worth noting that physical security has often caused tragic stampedes that have killed many.
The majority of commenters don't actually read the article, or at least not the whole thing.
I was disappointed by the lack of a photo of the single turnstile.
> Based on the comments I see here, I think the focus is going on the turnstiles just as it did when I worked there.
You titled the piece after the turnstiles and spent the overwhelming majority of the post talking about them (and surrounding physical features). The Jira ticket felt secondary, and when it was introduced in the middle of the post I was genuinely confused, thinking why the heck the card system was contacting Jira.
People reading your writing are going to focus on whatever you did when you wrote it. The turnstiles read like the important part.