top | item 42854711

gtsteve | 1 year ago

Email is not a good second authentication factor anyway. I have 6 U2F tokens on my high-priority digital accounts, as well as printed recovery codes in several places. Only 1-2 tokens ever actually travel with me; the others are kept safely in different locations.

Given that most people are cracked wide open if their password manager is compromised, I do feel it's sensible for a password manager to insist on 2FA, but the email chicken-and-egg problem is a concern for those migrating, and hopefully they backed up their recovery codes.

rsync | 1 year ago

Email can be a perfectly good second authentication factor.

It depends on the asset you’re protecting and your threat model.

I have quite a few accounts whose value does not cross a threshold where I care about the risks of email… and my workflows would be enhanced dramatically if I could use it as a second factor.

The reason I can’t is not because of security or anything at all to benefit me, the user. It is because the services themselves need to throw sand in the gears of the bad actors abusing their services.

lxgr | 1 year ago

It's much better than SMS in many cases.

My email address can't be SIM swapped, my emails aren't transmitted using weak 90s encryption algorithms over the air (and via dubious, largely unauthenticated 80s protocols on the wire), and my mailbox is itself guarded by 2FA.