Never. 2FA is a suicide pact for any online service if it doesn't have high-touch customer service like a bank. A certain fraction of users will be locked out without recourse each month and the user base will decay like a radioisotope. Every time a service requires 2FA I rethink if I want to stay with it.
> Every time a service requires 2FA I rethink if I want to stay with it.
I’m sure you feel the same about locks on your car and on your home. I mean, those silly keys, eh? They get so much in the way of going in and out and just using those things. Better if we dispensed with keys entirely, and just left everything unlocked and instantly available.
Look, if I get locked out with real keys and locks, I can call the locksmith and get the situation resolved.
If I get locked out of Google or Amazon or Facebook I can talk to the hand at best with no recourse at all. A lot of 2FA hardware is garbage, like the YubiKey I had that had the hole attaching it to my keychain worn out in less than two years -- it could have fallen away and been lost.
For the rest of us, probably just simple / basic password complexity and some attempt at detecting brute force if that is not already a thing. My personal preference for any site would be to also have an option for a CIDR/IP approve-list.
Doxxing. Posing as you, to get you fired or otherwise affect your reputation, especially if there is already a traceable connection to your meatworld persona. As a first step in a fraud scheme. To leverage social credibility to affect others.
The options are varied, and are really only nerfed by obscurity of both the platform and your handle in terms of its doxxability.