I have no idea what your argument is, it's obvious to everyone that 2FA and U2F are not widely deployed. I'm saying we should put the limited wood we do have behind the arrows that actually work, U2F.
I'm saying that U2F is becoming the enemy of 2FA, when either is better than what 90% of orgs are actually doing. 2FA is a great solution for SMBs that *maybe* get a security review 1x per year because it can be rolled out same-day and is probably adequate given the risk profile.
I'm glad U2F is the enemy of 2FA, this argument doesn't sway me. Just saying "2FA is a great solution" isn't a good argument, you have to explain why it's so wonderful, because all I see is a non-solution that is destroying the limited goodwill we have with users.
I acknowledge your point about limited goodwill, and 2FA is absolutely not secure enough for some orgs. But I think 2FA is our best chance to convert the 90% of orgs that are on 1FA, and can be a stepping-stone (especially for training users) on the path to U2F. Crawl-walk-run.
Do you remember the old idea of "security images"? Users were prompted to select an image that they would see when they login, proving the site was authentic. Here is an article about it: https://www.marketwatch.com/story/banks-find-online-security-images-offer-little-protection-2015-11-05 …. It was easy to implement, so lots of banks did, but it's trash.
The same thing will happen to 2FA, it will get wide enough adoption until it's worth supporting in phishing kits (e.g. see https://github.com/drk1wi/Modlishka …) and then we'll have to move on to the next trash idea. U2F is a real solution, it's not a fad, it solves phishing.
We can keep asking people to implement the next cheap stepping stone and then say "oops, never mind, next trash thing is four factor security sounds", or we can say "This is a little harder to implement but the problem will be solved". Is it really so crazy to argue for that?
We should absolutely argue for U2F. But when we’re told “no”, we should still argue for 2FA.
Hmm, weren't you just arguing that "U2F is becoming the enemy of 2FA"? It seems like I might have swayed you slightly?
Perhaps we have convinced you that 2FA is better than 1FA for orgs that have not accepted that U2F is in their future?
I don't think so, I know how 2FA works, that's not the issue. It seems like we both agree 2FA is bad, but you argue we should blow our goodwill and budget on the latest fad diet, and I argue prudence, thinking long-term and conserving resources is sometimes the right move.
2FA isn’t bad. It’s better than 1FA, and worse than U2F. But it’s cheap and easy to implement, which makes it a good option for orgs that are not on a path to U2F. It’s pragmatic.
I think we're just going in circles, let's just leave it here