But in most cases it's better to have it than not. "Not in the threat model" is now a common excuse I see not to use it
2FA is neither necessary nor sufficient, and it's a tradeoff on risks. Very wrong for many users' threat models.
-
Look at Office of Civil Rights data on healthcare breaches - there are many, many instances where MFA could have prevented the breach
-
At the same time, I know these people - "not in threat model" is #1 excuse. People "managing" risk come from finance, not infosec
-
So for *most* people, MFA is 100% the way to go. There are outliers and edge cases, but focus should be to do the most good for the most people
-
For *people* who are consciously choosing what to do, just not entering passwords is 100% the way to go.
-
As a service provider of some sort, 2FA/MFA is a mitigation for many of your users not being able to make good choices.
-
Yes, that's the point. Get decision-making out of non-technical users' hands. Train them, but don't assume 1000+ people will pay attention
-
The real challenge is to both CYA and get better default security for users who don't make choices while not adding risks for users who do.
-
I'm thinking more about "new and different threats", not simply "not in threat model".