On Tue, Nov 3, 2020 at 07:52 AM, Bruce Bowman wrote:
Jeff -- It just seems to me, if you're the kind of person who does things like that, no amount of security questions or login factors is going to work.

Obviously what I have said (require the OTP to turn off 2FA) does stop the intrusion that I explained. So I don't know why you are pretending that is not enough security for that.
If you are just saying, "Gee, it sounds like nothing is completely secure," then welcome to reality. If you did your research, you'll find that has always been taught.
The only question people are debating here is that you want to allow disabling 2FA without having 2FA because of course people do lose their secret key and maybe they are still logged in somewhere, right? You want convenience in exchange for less security.
I am saying simply yes we do want the full two factor authentication security (by requiring the OTP to disable it).
For the plethora of folks who lose it (I have lost it in the past), this is another very important question. How do you plan for support to authenticate them, so they are not resetting it for the sake of a hacker pretending to be the owner? There needs to be yet another factor.
Typically this other factor is to assume that only the owner would get the email in that email account. Problem of course is that if you use 2FA on everything and you just lost Google Authenticator, you probably just lost access to your email too. It's all about planning. Because too many don't plan, we end up losing security because support gives in and starts resetting passwords without knowing if it's for the right person.