• neatchee@lemmy.world · ↑29 · 4 days ago

      This is a misunderstanding. You can’t possibly know if there’s been a benefit, because you wouldn’t know unless your account was compromised. The mere presence of 2fa on an account will stop credential stuffing attacks dead in their tracks.

      It’s like saying “this lock on my door is pointless because nobody has broken into my house”.

      • But_my_mom_says_im_cool@lemmy.world · ↑5 ↓19 · 4 days ago

        No, it would be more like having the key to my house, but after I use the key I can’t get in and have to wait for a text and verification email before my door opens.

        • confusedbytheBasics@lemm.ee · ↑1 · 2 days ago

          More like using a key that hasn’t been used in over 30 days and needing to wait on a text/email.

          Also text or email is a bad second factor and an implementation problem. TOTP is better. Passkeys way better and are so simple once you start using them.

            • confusedbytheBasics@lemm.ee · ↑1 · 2 days ago

              Yep, your rarely used vacation house needs an extra step given how rarely it’s used.

              Passwords are a miserable and lazy solution. The point was: they are cheap and easy to implement. I highly recommend dropping them whenever possible and switching to Passkeys, OAuth, SAML, anything even a tiny bit harder to compromise.

        • neatchee@lemmy.world · ↑11 ↓3 · 4 days ago

          Ok. Why don’t you try explaining how digital security works to the security professional some more. I’m sure you’ll convince me real soon 😜

            • neatchee@lemmy.world · ↑3 · 4 days ago

              Their analogy is from the perspective of an authorized user complaining about inconvenience, completely ignoring the things I was addressing (their statement that 2fa provides no benefit).

              • lightsblinken@lemmy.world · ↑2 ↓2 · edited · 4 days ago

                They said it provides no benefit to them… and I get it - for some things, maybe you don’t need “all the security” … just “enough” of it. For example, I might not need any lock on my laundry room door, I might choose a privacy lock on my toilet room door (no key required to unlock), but I will fit an additional deadlock on the front door. Each has a level of security that I deem to be appropriate. They asserted their opinion about MFA as it pertained to them, not in general.

                • neatchee@lemmy.world · ↑2 · 3 days ago

                  I’m not talking about appropriate security posture for a given individual though. I’m speaking specifically to their claim that it has provided “no benefit”, and that is a claim they cannot even prove. Whether the benefit is negligible, because the account(s) are unimportant to them, or massive, because they are dealing with financial institutions, is completely irrelevant to the veracity of the statement.

                  I find this line of argument especially ridiculous considering that they are apparently using MFA enough for it to be worth commenting about the nuisance. So either they are using it a lot, in many places, and definitely can’t back up a “no benefit” claim, or they’re using it very little and/or only for unimportant accounts, at which point their claim is saber rattling at best, and misleading to others at worst.

            • neatchee@lemmy.world · ↑7 ↓4 · 4 days ago

              I just think it’s funny how this is literally my job and you think you know better xD

              Your metaphor is garbage and makes no sense because you are providing the perspective of an authorized user while I’m speaking about attackers.

              You think that because your house hasn’t been broken into that the locks are pointless. But it’s the locks that keep your house from being broken into.

              I literally have this conversation with dumbass leadership on a regular basis: how the absence of security compromise isn’t a reason to cut security, but rather proof that the security is working.

              But go off, dude. You just look like a fool.

        • Cypher@lemmy.world · ↑4 · 4 days ago

          The clunky user experience in the analogy isn’t wrong but is focused on the wrong thing; having locks is already an annoying user experience.

          Having to carry keys everywhere and juggle shopping when opening my door sucks. It would suck more if someone entered my house and stole my stuff, so I accept the trade-off.

          It’s the same with MFA. We all accept a worse user experience for significantly improved security.

    • uniquethrowagay@feddit.org · ↑7 · 4 days ago

      Is it really so bad? I enable it wherever I would care if my account was gone. It’s only annoying to me when I can’t use my own TOTP app.