I don’t mind the extra layer of security, and actually prefer it. The only exception is when the site/service only allows SMS or email delivery, and won’t let me use an auth app.
This is a pretty terrible take… if you take just a little bit of time to set up a password manager and use the browser plugin it is all just one password away. I actively seek out additional 2FA because it’s just simple and seamless, where my password manager will put the TOTP code on my clipboard ready to paste, or it’ll automatically pop up when the site asks for a passkey (like Google, referenced in the article).
Just sounds like this dude is whining about a problem that he doesn’t want to solve for himself.
Security and convenience will forever be on opposing sides of a spectrum. You can move along the spectrum, but more of one thing will mean less of the other. That’s just a fact.
I gotta disagree with you there, my online life is by far more convenient now that I have it all organized and stored in a password manager. So much less to remember and so many fewer roadblocks now that I don’t have to remember usernames and passwords.
Even my mom swears by how much more convenient it is to have a password manager, and she’s not what you would call “tech savvy”.
The hassle and delay is part of how it works. If there was a seamless catch all then it wouldn’t be feasible to make it secure.
Having a second physical factor, as much as it can be a hassle, is much better than any single factor.
Your password can be breached, brute forced, bypassed if there’s an issue somewhere.
Your biometrics can’t be changed, so anything that breaks them (such as the breach of fingerprints in databases, etc.) makes them moot.
A single physical token can be stolen and/or potentially cloned by some attack in physical proximity (or breach of an upstream certificate authority).
But doing multiple of those at the same time? That’s inordinately harder to do.
I will say the point/gist of the article is a good one. The variety of types, some used here and others used there, does make it a hassle to try to wrangle all the various accounts/logins. Especially in their corporate and managed deployment, which isn’t saving passwords and has an explicit expiration of the credential cache (all good things).
“Allow me to introduce myself.”
~ Three Factor Authentication
As a game designer, I would prefer my security be maintained through an elaborate series of puzzles.
It’s all fun and games until the giant, hulking, unkillable zombie mutant starts stalking you and suddenly that elaborate lock involving 13 different Renaissance paintings arranged through a hallway under different colored lights seems vastly inferior to just having a fucking key and normal lock.
Umbrella Corp. Security Specialist: “Okay, but what if you lose the key?”