It is worth it if you will burn that good will by pushing for U2F in a situation where 2FA has already been in place and has proved sufficient for the current threat model, risk appetite and budget.
Do you remember the old idea of "security images"? Users were prompted to select an image that they would see when they log in, proving the site was authentic. Here is an article about it: https://www.marketwatch.com/story/banks-find-online-security-images-offer-little-protection-2015-11-05 …. It was easy to implement, so lots of banks did, but it's trash.
The same thing will happen to 2FA, it will get wide enough adoption until it's worth supporting in phishing kits (e.g. see https://github.com/drk1wi/Modlishka …) and then we'll have to move on to the next trash idea. U2F is a real solution, it's not a fad, it solves phishing.
We can keep asking people to implement the next cheap stepping stone and then say "oops, never mind, next trash thing is four factor security sounds", or we can say "This is a little harder to implement but the problem will be solved". Is it really so crazy to argue for that?
