I often hear the argument "we shouldn't call bad solutions bad, or people might not use the bad solution", but I strongly disagree and reject that argument. We have a good solution, and we're burning our limited goodwill on snakeoil. 2/2
One of the main reasons this is still an argument over what advice to give people is the lack of companies supporting solutions like U2F, even most major banks only support weak/limited passwords + SMS 2FA. So people recommend it as a reduction of risk, however small that may be.
Replying to @TibitXimer @taviso and
These debates too often boil down to an infosec professional’s recommendation amounting to, “well if you can’t afford to implement all these best possible solutions you shouldn’t even be in business.” Sometimes it takes time to get there, and good enough just has to do until then.
Replying to @TheVega @TibitXimer and
Very strongly disagree, who would ever say that? I've never met anybody who argues it's perfection or nothing, most people in security are practical and realists. The debate here is that 2FA is *not* better than nothing.
Replying to @taviso @TibitXimer and
It’s never said verbatim, but it often goes that direction. I’m saying not every attacker will know how to bypass 2FA, which is flimsy AF, but that it is still better than nothing in some cases and situations.
Replying to @TheVega @TibitXimer and
I really think you've misunderstood what someone was saying. Who wouldn't pick a minor improvement if the only two options are nothing or improvement? However, I would pick "nothing" if the only options are nothing or homeopathy.
Replying to @taviso @TibitXimer and
Perhaps I misconstrued something, but I think comparing 2FA to homeopathy is incorrect. 2FA is not as strong a solution as it was, it’s not ideal, and it’s not going to protect anything, but it is better than nothing if options are limited or the cost of moving forward is prohibitive.
Example: most bank customers are limited to 2FA. Is it ideal? No. But maybe for the bank it’s an acceptable cost/risk rather than trying to move to something better. Gross oversimplification here, but if my password is written on a post-it but someone can’t just pick up my phone
Replying to @TheVega @TibitXimer and
2FA doesn't solve the problem, but it might stop the attack that worked yesterday. However, so would requiring all users to type "banana" into a form when they login. If we can't agree that 2FA is trash, can we agree that 2FA is about as secure as BFA? (Banana factor auth)
Replying to @taviso @TibitXimer and
It’s not just about solving the problem. It’s about just making it cost more in time/knowledge/resources on the part of the attackers to fall in line with your risk appetite. I agree it’s fucking stupid, but yes, it still is better than nothing if it’s what you already have.
I guess we're on the same page then. IIUC, I think you shouldn't inconvenience users and burn goodwill that could be used in future to roll out real solutions, but you think it's worth it. I think if you can roll out 2FA but not U2F, then just do user education for now!