But if I can cheaply implement even SMS-based 2FA and it stops just a handful of attackers while I work towards a full-on U2F solution, the answer is yes. Part of that good will is accurately conveying the risks and trade-offs.
We can keep asking people to implement the next cheap stepping stone and then say "oops, never mind, next trash thing is four factor security sounds", or we can say "This is a little harder to implement but the problem will be solved". Is it really so crazy to argue for that?
-
-
We should absolutely argue for U2F. But when we’re told “no”, we should still argue for 2FA.
-
Hmm, weren't you just arguing that "U2F is becoming the enemy of 2FA"? It seems like I might have swayed you slightly?
