And what if an attack that could have been stopped by a basic 2FA implementation succeeds and costs you? Or doesn’t immediately cost you, but the reputational impact of the breach impacts revenue? You may be okay with that. Not everyone will be, or can be.
Please stop trying to turn this into a "don't let perfect be the enemy of the good" debate. That is not the issue. What about all the illnesses that could have been stopped by homeopathy? Not everyone will be okay with that Chris, get out of your ivory tower.
Notice how it doesn't make any sense, because homeopathy doesn't cure any illnesses? That's intentional, think about it
But your entire point here is that 2FA “does nothing”, which is categorically false. The argument is absolutely making perfect the enemy of good. 2FA is not a perfect solution but it succeeds in numerous scenarios right now.
No, it is not "categorically false", that is just your opinion and I disagree. Let's just leave it here, we're just going in circles.
Tavis, this is a popular experience for InfoSec pros in orgs where something is better than nothing. But you appear (maybe wrongly) to be denying this. I know what your argument is but it isn’t being played out in the same universe as the majority of us. Surely you get this?
Most orgs can’t always afford to ‘save up and buy something better later’ — attackers don’t wait, budgets aren’t a certainty, politics can change, talent can be lost — most InfoSec teams have to try to reduce risk against their risk model, even sometimes w/ imperfect solutions.
SMS 2FA is bad. But it can reduce risk still. Example idea can be Netflix. People reuse passwords often, that won’t change soon — it gets breached, someone automates testing against those to get a list of Netflix accs to sell — SMS 2FA can save users in this case.
Are there ways around it? Yes, but if it stops the common attacks like this from being successful then it has helped reduce risk to an extent. Imperfect as it may be. Today we have better solutions, so now we have to push orgs to implement them so we can protect users better.
2FA is a terrible solution to the problem of password reuse, and not a solution at all to phishing. I think we agree on this. Where we disagree, is that I think we need to be careful not to burn our limited goodwill on trash, we can't ask users to adopt infinite solutions.
Apparently you believe it's fine to burn all that goodwill to cause attackers some temporary busy work. That is the debate, and this is the umpteenth time I've repeated it 
We agree on that. The only way we’re going to solve this problem is to figure out what the best solution is to the problem and to make the barrier of implementation as affordable and simple as possible so more companies will adopt it and pressure them to do so sooner.