2FA is neither necessary nor sufficient, and it's a tradeoff on risks. Very wrong for many users' threat models.
-
-
But in most cases it's better to have it than not. "Not in the threat model" is now a common excuse I see not to use it
2 replies 0 retweets 0 likes -
Replying to @disablemacros @RichFelker and
Look at Office of Civil Rights data on healthcare breaches - there are many, many instances where MFA could have prevented the breach
1 reply 0 retweets 0 likes -
Replying to @disablemacros @RichFelker and
At the same time, I know these people - "not in threat model" is #1 excuse. People "managing" risk come from finance, not infosec
1 reply 0 retweets 0 likes -
Replying to @disablemacros @RichFelker and
So for *most* people, MFA is 100% the way to go. There are outliers and edge cases, but focus should be to do the most good for the most ppl
1 reply 0 retweets 0 likes -
For *people* who are consciously choosing what to do, just not entering passwords is 100% the way to go.
1 reply 0 retweets 0 likes -
Replying to @RichFelker @disablemacros and
As a service provider of some sort, 2FA/MFA is a mitigation for many of your users not being able to make good choices.
1 reply 0 retweets 0 likes -
Yes, that's the point. Get decision-making out non-technical users' hands. Train them, but don't assume 1000+ people will pay attention
1 reply 0 retweets 0 likes -
The real challenge is to both CYA and get better default security for users who don't make choices while not adding risks for users who do.
1 reply 0 retweets 0 likes -
Replying to @RichFelker @disablemacros and
Especially since the users who are thinking about these risks and tradeoffs are the ones for whom security is the most important.
1 reply 0 retweets 0 likes
If your threat model includes an abusive partner or parent who will confiscate your 2FA device, you need an option not to use 2FA.
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.