On Wed, Aug 28, 2024 at 12:03:01PM -0700, Brandon Long wrote:

> > Welcome to two-factor denial of service. I try to resist signing up for
> > such baked-in disasters as much as I can, but the powers that be (hello
> > GitHub) have made it impossible in many cases.
> >
> > It is a sad state of affairs that no opt-out is available for users who
> > manage strong per-site passwords, and prize long-term availability over
> > often dubious security advantages of said 2nd-factors.
>
> For one, having your account hijacked doesn't just affect your
> account, such accounts are used for various nefarious purposes,
> including fraud and spam. So, you can't just say "I don't care if my
> account is hijacked".

That's very much NOT what I am saying. Rather, I'm saying that my
passwords are:

- Strong, randomly generated
- Well managed, with no reuse across accounts
- Backed up encrypted
- Are not tied to particular "devices" or authentication "apps" that
  may not last multiple decades.

I care to keep my account indefinitely, and current second factors don't
in my view clearly possess the requisite longevity.

> On top of that, if you make such an opt-out available, the people
> using it are not going to be the people who have a level of know-how
> to even come close to being safe.

That's precisely the power imbalance of market concentration. When you
have hundreds of millions of "users", no one of them is sufficiently
important.

> I'd also say that maybe the folks who might have that level of opsec
> are actually more paranoid about using 2FA.

You're hearing from a counter-example.

--
    Viktor.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop