Dom says we are WAY OFF on 2FA
Guys, I’m usually all-in with the “get off my lawn” mentality, but your take on 2FA and its “challenges” is narrow-minded IMO. In this case, using Google Authenticator was a bad choice as the app had one update in 2017, one in 2020, and then in 2022. I mean, I’m surprised Google hasn’t killed it yet.
Username and password was enough for the early internet era, but increasingly our daily lives involve the digital realm. With this comes more and more data breaches, account compromises, and our lives being negatively impacted.
While it’s great to use strong complicated unique passwords for every site, the reality is people don’t and we have to account for the lowest common denominator. Furthermore, your “secret” is only as strong as the weakest link in the chain. For example, storing passwords using weak hashes, no salting, or plain text. A lot of SaaS services are moving to enforce 2FA for their accounts (the company I work for included). The reason being, account compromises take a lot of man-hours to clean up.
We used to require 6 characters, then 8, then numbers and special characters. 2FA is the next step, with WebAuthn hopefully being more adopted in the near future. I recommend using Authy (owned by Twilio) if you don’t want to think about backups and have multiple devices, or Aegis for power users. Let’s not spread FUD and embrace the technologies that help keep our digital lives safe, private, and secure.
PS Mike, congrats on getting married