I'm throwing this idea out there without much critical thought, not as an endorsement, but to hash it out publicly: one account per physical 2fa token?
-
I think the biggest downside is carrying the tokens and remembering which one goes to which account... Limiting the blast radius from vendor break seems to be the main security advantage, but how many vendors are there?
-
Like, AWS has theirs, YubiKey works with Google and GitHub, are there others?
-
In theory we could have one device handle keys for many services. E.g. my phone's authenticator app.
-
Sure, but then it's not one token per account :)
-
virtual token :P
-
For sure “verified” accounts should be forced to use U2F.