2FA is neither necessary nor sufficient, and it's a tradeoff on risks. Very wrong for many users' threat models.
As a service provider of some sort, 2FA/MFA is a mitigation for many of your users not being able to make good choices.
-
Yes, that's the point. Get decision-making out of non-technical users' hands. Train them, but don't assume 1000+ people will pay attention.
-
The real challenge is to both CYA and get better default security for users who don't make choices while not adding risks for users who do.
-
Especially since the users who are thinking about these risks and tradeoffs are the ones for whom security is the most important.
-
If your threat model includes an abusive partner or parent who will confiscate your 2FA device, you need an option not to use 2FA.