top | item 39116510

themoose8 | 2 years ago

How would you do this for historical accounts? 2FA needs to be set up by users. It has gone through multiple iterations over the past 2 decades and was not always standard practice. 23andme was founded in 2006.

morsch | 2 years ago

Send out increasingly loud notices ahead of time, and try to come up with a secure recovery procedure for the many customers who will fail to react to them. It's not going to be cheap. But losing some kinds of data should be even more expensive.

cced | 2 years ago

Force them to change their password, prevent use of the account? If it’s a dormant account, force a password reset using email?

Doesn’t feel like an unsolvable problem, certainly not one without edge cases but surely we can hit 80/20 without too big a hassle.

Aachen | 2 years ago

The thing is, attackers don't need 20%. The article says they used 14k accounts with previously cracked passwords to uncover data of 7 million customers: that's 0.2%.

Doing low-hanging fruit isn't enough here. Honestly I just don't feel like the time is right to build such big DNA databases yet. Maybe one day with quantum encryption (can't observe the state without modifying it) or whatever else we may figure out, but today it just seems like you're taking a risk for yourself and half a dozen layers of relatives.

op00to | 2 years ago

1. Disable the account from further access.

2. Send a postcard to the billing address where you signed up (verified against credit reports) with a one-time verification code, upon which some second factor is set up. Maybe put 20 "rescue codes" on the postcard too, if you like.

3. Force the user to enable some sort of second-factor authentication on their next login.
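
A defender-side sketch of the three-step procedure above, added here as an example and not code from the post or from 23andMe: the account stays locked, the server keeps only a hash of the postcard code, the code expires and wrong guesses are capped, and accepting it flips the account into a must-enrol-2FA state and hands out single-use rescue codes. The 30-day validity window, the attempt limit and the code lengths are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 30 * 24 * 3600  # assumed window: postal delivery takes weeks
MAX_ATTEMPTS = 5                    # assumed limit: stop the flow after repeated wrong codes

def _hash(value):
    return hashlib.sha256(value.encode()).hexdigest()

class DormantAccount:
    def __init__(self, now=time.time):
        self._now = now
        self.locked = True          # step 1: no access until verified
        self.mfa_required = False   # step 3: set once the postcard code is accepted
        self._code_hash = None
        self._expires_at = 0.0
        self._attempts = 0
        self._rescue_hashes = set()

    def issue_postcard_code(self):
        """Step 2: mint a one-time code; only its hash stays server-side."""
        code = secrets.token_hex(8)  # 64 bits of entropy, printed on the postcard
        self._code_hash = _hash(code)
        self._expires_at = self._now() + CODE_TTL_SECONDS
        self._attempts = 0
        return code

    def verify_postcard_code(self, submitted):
        """Return 20 fresh rescue codes on success, None on failure."""
        if (self._code_hash is None or self._now() > self._expires_at
                or self._attempts >= MAX_ATTEMPTS):
            return None              # nothing outstanding, expired, or too many guesses
        self._attempts += 1
        if not hmac.compare_digest(self._code_hash, _hash(submitted)):
            return None
        self._code_hash = None       # single use
        self.locked = False
        self.mfa_required = True     # step 3 is enforced on the next login
        rescue = [secrets.token_hex(5) for _ in range(20)]
        self._rescue_hashes = {_hash(r) for r in rescue}
        return rescue                # shown once; only the hashes are kept

    def use_rescue_code(self, code):
        h = _hash(code)
        if h in self._rescue_hashes:
            self._rescue_hashes.remove(h)  # each rescue code works exactly once
            return True
        return False
```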

vel0city | 2 years ago

Imagine a service you paid for locking your account and sending a postcard to an address you haven't lived at in a decade. What a great user experience!

prepend | 2 years ago

I’ve had sites that do forced password resets and other annoying things when I come back after years.

23andme bears more responsibility than users, like banks bear more responsibility for customers choosing stupid PINs. DNA info is valuable; they need to design good safeguards.

bookofjoe | 2 years ago

Yahoo for one: I didn't mind.

mirekrusin | 2 years ago

You show a popup "are you a hacker?". If somebody lies, it's not your problem, right?