> Good - 2FA is the responsibility of the user and resetting it kind of invalidates the security it helps bring.
Actually, no. This is a terrible idea.
Think about the psychology of what you are telling people: "You have two choices - one is normal security, which you use on 80%+ of the rest of the internet, and one is 2fa which you only use on the annoying services that badger you into it. On the first one, if you lose your password you can do a password reset. On the second one, if your laptop and phone get fried in a rainstorm / car crash / act of children, you lose access to everything forever, no recourse and no recovery. And by the way, we totally encourage you to choose the second one... "
Yes, online services that store credentials and backup passwords mitigate this somewhat, but they also add an attack vector via keyloggers, or make you dependent on the third party's security measures.
And I probably don't need to point out to the HN crowd just how badly internet services are moving towards no-recourse solutions to petty problems to save money. Yet another one doing this is not a good thing.
The correct fix is to make the better option less annoying. You can do this today with WebAuthn. Here are the steps to sign in to a WebAuthn-enabled site with, say, a Pixel 2:
1. Go to the site
2. Touch the "Sign in" button
3. When prompted touch the fingerprint sensor
That's it. Did a bunch of complicated stuff happen? Yes, but the user didn't do any of that, so they needn't care.
You can get a slightly more bothersome PIN prompt in Windows with a FIDO2 Authenticator (entering your PIN serves the same purpose as providing a fingerprint, neither a PIN nor a fingerprint leaves your device), or you can lose the convenience and do traditional two separate factors.
I think you should call the authorities to report that your local zoo or safari park is poorly managed if this keeps happening so that it interferes with how you regularly use web sites.
More seriously - yes, you still need a more complicated recovery procedure for extraordinary cases, but these are now truly extraordinary cases, rather than, as the original thread claimed, just a routine nuisance for the user.
It is of course up to people if they want to enable additional security and of course have to put up with increased friction and difficulty.
Myself, I consider what it would mean if someone got access to my Github, Gitlab, and/or email accounts, and have decided that I will put up with the cost (buying U2F tokens) and hassle (having to use the U2F token to login).
The alternative is the much higher chance that someone could at some point get into one of my accounts.
But! How many keys to your car or to your home have you got? I'm willing to wager that you've got more than one. In the same way you never should have one key to your account, especially with hardware keys, but 2FA code apps should also apply.
At any non-shady dealership, you should presumably have to give some sort of evidence that you own the car in question (registration documents etc. and ID matching the name on the registration). For many online accounts, you probably don't need (or want) to give ID when creating account, so that's out as a way to prove ownership when attempting to recover. So how else do you prove ownership?
I did this recently actually, bought a car where the owner only had a valet key. Had to email them a copy of my registration, my driver's license and the VIN, and they ordered me a new key.
For important accounts I wonder if we should have the ability to tie them to a physical address or something else possible to verify.
> On the second one, if your laptop and phone get fried in a rainstorm / car crash / act of children, you lose access to everything forever, no recourse and no recovery.
No. I just use my U2F token that I have on my keychain. Or the one I have in my office. Or the one I have in my safe.
I also backup my TOTP codes using GPG and my Yubikey can store up to 32 TOTP codes on it.
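Added example (not from any commenter in this thread) of what "backing up TOTP" actually means: the thing worth encrypting with GPG is the seed carried in the enrolment otpauth:// URI, not the rotating codes, and any authenticator restored from that seed produces identical codes. The seed is the RFC 6238 test secret; the URI, issuer "Example" and label "alice" are constructed placeholders.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed seed: the RFC 6238 test secret (ASCII "12345678901234567890"),
# base32-encoded the way authenticator apps carry it in an otpauth:// URI.
RFC_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()
# Constructed enrolment URI; "Example" and "alice" are placeholders.
EXAMPLE_URI = f"otpauth://totp/Example:alice?secret={RFC_SEED_B32}&issuer=Example&digits=8"


def parse_otpauth(uri: str) -> dict:
    """Pull the seed and parameters out of an otpauth://totp/ URI. This is what a
    seed backup must preserve; the rotating 6/8-digit codes are worthless to store."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    return {
        "label": u.path.lstrip("/"),
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def hotp(seed: bytes, counter: int, digits: int) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed_b32: str, at: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    return hotp(base64.b32decode(seed_b32, casefold=True), at // period, digits)


def verify_totp(seed_b32: str, code: str, at: int, period: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock drift; constant-time compare."""
    return any(hmac.compare_digest(totp(seed_b32, at + d * period, period, digits), code)
               for d in range(-window, window + 1))


def code_from_backup(uri: str, at: int) -> str:
    """A second authenticator restored from the backed-up URI yields the same code."""
    p = parse_otpauth(uri)
    return totp(p["secret"], at, p["period"], p["digits"])
```

Because the seed alone reproduces every future code, the backup copy deserves the same protection as the device it came from, which is why encrypting it (as with GPG) rather than storing it in the clear matters.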
That's an argument that works well for getting an MVP out the door, not so well if a company decides to make their product worse to save a little money.
I use randomly generated passwords that are unique per site. It is more likely for someone to socially engineer the site support (or the registered mail account) than to guess it.
Another annoying thing is that some sites do not consider your password enough even if you do not have 2FA enabled, and they insist on sending you a mail (thanks github! - I can't connect to my account there because the registered mail was in my old domain) or an SMS (thanks google/twitter! I had not even provided my phone number, yet somehow giving it to you will verify that it's me).