But if I can cheaply implement even SMS-based 2FA and it stops just a handful of attackers while I work towards a full-on U2F solution, the answer is yes. Part of that goodwill is accurately conveying the risks and trade-offs.
Frankly, "Surely you get this?" doesn't read like you want a good faith discussion. Nevertheless, I will repeat (again again) that the issue here is that we do not have unlimited goodwill to burn, and cannot continually ask users to adopt new solutions to the same problems.
-
If it did, we could just cause temporary lull after lull with more nonsense schemes and that would be good enough. We can't. U2F is a real solution to phishing, it actually works and isn't just temporary busy work for attackers.
-
Remember "security phrases"? It "solved" phishing by making users type in a phrase or image to prove it was the real site. It was trash, just like 2FA, but attackers had to change scripts and maybe Chris will argue it was a deterrent, I don't know. Do you think this is sustainable?

