💾 Archived View for dioskouroi.xyz › thread › 29396951 captured on 2021-11-30 at 20:18:30. Gemini links have been rewritten to link to archived content


-=-=-=-=-=-=-

2FA is a problem for people with limited access to tech

Author: vestrigi

Score: 14

Comments: 11

Date: 2021-11-30 20:19:00


________________________________________________________________________________

pledess wrote at 2021-11-30 21:07:33:

This may be an area where government regulation is needed, because otherwise service providers have the wrong incentives. Many service providers save a lot of staff costs (for staff who would otherwise be working on any aspect of recovery from account takeover attacks) by requiring a 2FA technology that's acceptable to a huge fraction of their user base. They have no economic incentive for allowing anyone to opt out of 2FA. Regulation might, for example, consider these three factors, among many others:

1. If users rely on the app for basic needs of existing in society, then 2FA must not be mandatory. A user who remembers their password, but has absolutely no continuity of any physical possessions or physical location, must be allowed to log in (unless there has already been an account takeover that caused damage to the service provider). Some level of government subsidy might be available to service providers who can meet this requirement.

2. Apps that are more specialized or recreational in nature can make 2FA mandatory.

3. 2FA can be mandatory if the service provider does not obtain any revenue by offering the app.

(These are just initial thoughts, not a complete specification of what regulations would be reasonable.)

josephcsible wrote at 2021-11-30 20:33:36:

> The assumption that people will have consistent access to the same mobile number simply isn't true for a lot of people.

Why does this matter, unless the only options for 2FA are insecure ones? Secure 2FA today won't depend on your phone number not changing.

> Phones cost money. So do phone plans.

Google Authenticator and FreeOTP work even without network connectivity, so no phone plan is needed.

> Phones break or get stolen.

Isn't this what backup codes are for?

> it's an act of marginalization

Is requiring that drivers carry liability insurance also "an act of marginalization" since it's a problem for people who can't afford to?

And from a reply:

> My grandfather is literally locked out of a bank account right now because he no longer has the right phone, cannot remember his secret answer, and cannot physically visit a branch of this bank.

Isn't it actually a good thing that under those circumstances, he's locked out? If he could get into his bank account without any of those things, then couldn't someone who's trying to impersonate him easily do the same?

daveoc64 wrote at 2021-11-30 23:36:30:

> Why does this matter, unless the only options for 2FA are insecure ones? Secure 2FA today won't depend on your phone number not changing.

The issue is the same with any kind of 2FA software or device.

If you lose, break, or replace your smartphone that has your 2FA app on it, you lose access to everything.

If you don't have a smartphone (likely to be the case for a lot of the people this Twitter thread is talking about), you have to get some kind of OTP generator device/dongle - which can also be lost.

josephcsible wrote at 2021-11-30 23:46:20:

Sure, but the tweet specifically said "consistent access to the same mobile number", not to the same device.

tantalor wrote at 2021-11-30 20:44:46:

> Google Authenticator and FreeOTP work even without network connectivity, so no phone plan is needed.

You still need a trusted, personal device to use those apps.

What if you don't have a personal device at all? How do you check your e-mail at a library?

vestrigi wrote at 2021-11-30 22:41:34:

It's quite hard to provide a second factor if you can't have any belongings because you either lose them or they get stolen (e.g. homeless people battling addiction). Personal devices and YubiKeys are ruled out. Biometric features could be another factor, although hard to implement.

At a library, a staff member could create authenticator codes for people who often visit and are recognized by the staff. The visitor would then request to see the code if they need it. Of course this is a lot of effort for the library to identify people, and the visitors must rely on their local library; they still can't access their e-mail if they are on a device somewhere else.

tantalor wrote at 2021-12-01 01:05:48:

Really like this idea!

Could you solve the identity problem with a real key, like for a safe deposit box, but one that unlocks a 2FA key?

ev1 wrote at 2021-11-30 21:01:49:

I am all for taxpayer funded "everyone gets a WebAuthn token or two to put on keychain" and _requiring_ banks and tax authorities to use it. No SMS, ever.

tantalor wrote at 2021-11-30 21:23:30:

People in the USA would literally riot if required to carry around a government issued dongle.

ev1 wrote at 2021-11-30 21:29:05:

Meanwhile they carry around literal spyware with FB, IG, Twitter, Alexa, Google Assistant, etc 24/7 and can't bear to be away from it for five minutes voluntarily.

sschueller wrote at 2021-11-30 21:46:19:

There are a lot of ways to do 2FA that don't require a mobile phone. Does anyone remember the VeriSign key dongles?

Or for example one bank here in Switzerland will give you a calculator-looking device where you insert your bank card, enter a challenge set of numbers, then enter your PIN and get back another set of numbers to enter where you are logging in. Might seem cumbersome but doesn't require a phone.