On Wed, Aug 28, 2024 at 12:03:01PM -0700, Brandon Long wrote:
> > Welcome to two-factor denial of service. I try to resist signing up for
> > such baked-in disasters as much as I can, but the powers that be (hello
> > GitHub) have made it impossible in many cases.
> >
> > It is a sad state of affairs that no opt-out is available for users who
> > manage strong per-site passwords, and prize long-term availability over
> > often dubious security advantages of said 2nd-factors.
>
> For one, having your account hijacked doesn't just affect your
> account, such accounts are used for various nefarious purposes,
> including fraud and spam. So, you can't just say "I don't care if my
> account is hijacked".

That's very much NOT what I am saying. Rather, I'm saying that my
passwords are:
- Strong, randomly generated
- Well managed, with no reuse across accounts
- Backed up encrypted
- Not tied to particular "devices" or authentication "apps" that
  may not last multiple decades.

I care to keep my account indefinitely, and current second factors don't,
in my view, clearly demonstrate the requisite longevity.

> On top of that, if you make such an opt-out available, the people
> using it are not going to be the people who have a level of know-how
> to even come close to being safe.

That's precisely the power imbalance of market concentration. When you
have hundreds of millions of "users", no one of them is sufficiently
important.

> I'd also say that maybe the folks who might have that level of opsec
> are actually more paranoid about using 2FA.

You're hearing from a counter-example.

--
Viktor.
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop