I'm glad U2F is the enemy of 2FA, this argument doesn't sway me. Just saying "2FA is a great solution" isn't a good argument, you have to explain why it's so wonderful, because all I see is a non-solution that is destroying the limited goodwill we have with users.
I acknowledge your point about limited goodwill, and 2FA is absolutely not secure enough for some orgs. But I think 2FA is our best chance to convert the 90% of orgs that are on 1FA, and can be a stepping-stone (especially for training users) on the path to U2F. Crawl-walk-run.
Do you remember the old idea of "security images"? Users were prompted to select an image that they would see when they log in, proving the site was authentic. Here is an article about it: https://www.marketwatch.com/story/banks-find-online-security-images-offer-little-protection-2015-11-05 …. It was easy to implement, so lots of banks did, but it's trash.
The same thing will happen to 2FA, it will get wide enough adoption until it's worth supporting in phishing kits (e.g. see https://github.com/drk1wi/Modlishka …) and then we'll have to move on to the next trash idea. U2F is a real solution, it's not a fad, it solves phishing.
We can keep asking people to implement the next cheap stepping stone and then say "oops, never mind, next trash thing is four factor security sounds", or we can say "This is a little harder to implement but the problem will be solved". Is it really so crazy to argue for that?
We should absolutely argue for U2F. But when we’re told “no”, we should still argue for 2FA.
Hmm, weren't you just arguing that "U2F is becoming the enemy of 2FA"? It seems like I might have swayed you slightly?
Perhaps we have convinced you that 2FA is better than 1FA for orgs that have not accepted that U2F is in their future?
I don't think so, I know how 2FA works, that's not the issue. It seems like we both agree 2FA is bad, but you argue we should blow our goodwill and budget on the latest fad diet, and I argue prudence, thinking long-term and conserving resources is sometimes the right move.
2FA isn’t bad. It’s better than 1FA, and worse than U2F. But it’s cheap and easy to implement, which makes it a good option for orgs that are not on a path to U2F. It’s pragmatic.
I think we're just going in circles, let's just leave it here 
