On Mon, Aug 26, 2024 at 10:35 PM Viktor Dukhovni via mailop <mailop@mailop.org> wrote:

> On Tue, Aug 27, 2024 at 06:18:01AM +0200, Bryan Holloway via mailop wrote:
>
> > The password is correct, but it insists on verification from this user's no
> > longer existing cellphone. Yet the back-up account exists. For some reason
> > gmail refuses to try and use it, which would solve the underlying problem
> > ...
>
> Welcome to two-factor denial of service.  I try to resist signing up for
> such baked-in disasters as much as I can, but the powers that be (hello
> GitHub) have made it impossible in many cases.
>
> It is a sad state of affairs that no opt-out is available for users who
> manage strong per-site passwords, and prize long-term availability over
> often dubious security advantages of said 2nd-factors.
>

For one, having your account hijacked doesn't just affect your account,
such accounts are used for various nefarious purposes, including fraud and
spam.  So, you can't just say "I don't care if my account is hijacked".

Password strength is also useless against a number of hijacking
mechanisms.

On top of that, if you make such an opt-out available, the people using it
are not going to be the people who have a level of know-how to even come
close to being safe. I'd also say that maybe the folks who might have that
level of opsec are actually more paranoid about using 2FA.

Brandon
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
