I have no obligation to appease anyone.
I am generally polite because it’s the ethical thing to do.
I don’t even think what I did was mock them. I merely pointed out they wasted their time making a point I already answered for.
I’m not dogmatic. I’m well-informed.
Here’s one of the things I said about the threat model.
While I think that should be enough, here is verbatim what I answered over on this Discord:
Just wanted to make a comment to be as crystal clear as I can.
With what happened, it was malware that was an infostealer. It stole session tokens to gain access to accounts that were already authenticated sessions.
MFA would not prevent this form of attack, but it would minimize damage.
If a session token were compromised, we could invalidate it, and MFA would stop the malware from refreshing tokens.
That was the trigger that made me decide to do this. But there are other threat models that warrant MFA anyway and I will admit, not having it for as long as it was was irresponsible.
MFA also makes alt account botting infeasible. We have already had this issue before.
Another thing MFA protects against is low skill phishing.
I’m not going to enforce passkeys but I do recommend them to avoid high skill phishing. I don’t have reason to believe Eroscripts would be a target for reverse proxy phishing but that is an attack vector we are vulnerable to without passkey enforcement.
I don’t appreciate users making accusatory statements that are demonstrably false and making points that have already been answered for. I don’t like making it a habit to type the same thing 100 times. The information is already out there. People need to take responsibility for themselves and read what is already out there.
If there are NEW concerns I’m happy to investigate, resolve, answer for, etc.
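An added example, not the author's code, of the two mitigations the post describes (invalidating a stolen session token, and refusing to refresh a token without MFA) as a minimal server-side session store in Python; the store layout, the 15-minute TTL and the `mfa_ok` flag are assumptions for illustration.

```python
import secrets

# Constructed example: a minimal server-side session store. The session token is
# what an infostealer would lift from a browser profile; the store and the MFA
# check are assumed to live on the server, out of the malware's reach.

SESSION_TTL = 15 * 60        # seconds a token stays valid without a refresh
REFRESH_REQUIRES_MFA = True  # a refresh needs a fresh MFA assertion


class Session:
    def __init__(self, user, expires_at):
        self.user = user
        self.expires_at = expires_at
        self.revoked = False


class SessionStore:
    def __init__(self):
        self._sessions = {}  # token -> Session

    def issue(self, user, now):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now + SESSION_TTL)
        return token

    def is_valid(self, token, now):
        s = self._sessions.get(token)
        return s is not None and not s.revoked and now < s.expires_at

    def revoke_all_for_user(self, user):
        """Invalidate every live session of a user once compromise is suspected."""
        count = 0
        for s in self._sessions.values():
            if s.user == user and not s.revoked:
                s.revoked = True
                count += 1
        return count

    def refresh(self, token, now, mfa_ok):
        """Rotate a session only if it is still valid and MFA was just passed.

        A stolen token therefore lives at most SESSION_TTL seconds unless the
        holder can also satisfy MFA, which the malware cannot.
        """
        if not self.is_valid(token, now):
            return None
        if REFRESH_REQUIRES_MFA and not mfa_ok:
            return None
        old = self._sessions[token]
        old.revoked = True  # the old token dies on rotation
        return self.issue(old.user, now)
```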