Or maybe n accounts for some small n. This would eliminate the "name === identity" problem, enhance security, and make bots significantly less scalable.
But! I understand it may have some drawbacks. Cost, convenience...
I think U2F’s primary threat model is hijacking of existing trust delegations. Creation of new ones at scale? Just write u2f-servd and connect it to an instrumented Firefox/Chrome.
I'm less interested in this aspect than in the bot reduction benefit. *most* people are *already* working in highly insecure spaces such that such concerns aren't really material atm.
Might be too many collisions (only 6-8 numbers for millions of possible accounts), and the query would be very slow given that values change every thirty seconds.
This is not presently a barrier for 2fa-enabled apps where enabling it is an option, not a requirement.
It's not, but restricting to n accounts per 2fa changes the question from "does this 2fa match this one account" to "which accounts does this 2fa match"
Which isn't really done in any implementations now.
U2F devices are already supposed to generate a distinct key-pair for each account, to make it harder for services to tell which accounts use the same physical key. Details vary by model and maker; here's Yubico's approach: https://www.yubico.com/2014/11/yubicos-u2f-key-wrapping/
I have a single phone, and one Apple ID for each country I've lived in, by force (not saying anything about other IDs).
What’s the downside of a simple pay subscription model? Everyone pays $1/month, which would allow Twitter to limit the number of accounts linked to a single payment source. Not perfect, but seems easy to implement and has the benefit of being a revenue stream.
Physical tokens generally have the disadvantage of needing to get to the account holder. For high-value targets where you can verify the holder in person, that may be okay, but the mail is really not a secure transmission scheme.