Everyone can be an attack vector. There are other measures already in use to prevent bad actors from creating alts and doing this, like users getting flagged to us when multiple users share an IP. I have mass-deleted users before for having clear alt behavior.
In fact, MFA makes creating alts harder. There's a lot more friction in tracking all the MFAs for every alt. So MFA actually helps mitigate the threat model here.
Are you going to maintain that list? Even if you did, Discourse doesn't support that feature set. You can request it from the devs over at meta.discourse.org.
You should be using 2FA everywhere; the importance of an account doesn't matter. By leaving your account potentially open to phishing, credential stuffing, etc., you become an attack vector for the community, and you can doxx your internal account info. It's generally unsafe, and it's better to eliminate that vector.
This is unfortunately just a reason, not a good one. There are a lot of things that create negative experiences for users but are positive changes. You can't please everyone. There's always a calculation behind certain decisions. I have enough experience in the cyber industry to know I was being irresponsible for not enforcing this earlier.
Whether you like it or not, this enforcement makes the forum safer for everyone.
The people yelling about privacy don't understand how MFA works. Using MFA doesn't compromise your privacy in the regular ways, nor in the "enhanced" private ways.
The nature of MFA is to be as private as possible by necessity (it's literally a secrets management problem).
I'm not sorry for trying to keep everyone safe. I've even taken responsibility for others' ignorance and made countless attempts to educate people and calm their concerns.
I hosted a stream on Discord to educate via Q&A, and 3 people showed up.
You're a vocal minority, and I'm still trying to help educate you so you understand.
Both you and I will never truly understand the number of threats possible due to account hijacking. We've only started the threat modeling process. My experience tells me that there are many threat models that necessitate MFA everywhere.
I'll give you a bonus fact about security and privacy if you want to read it.
While the forum doesn't (currently) support single sign-on, it's actually advisable that you use a second anonymous SSO (not Google) to authenticate to multiple services privately. Using OAuth/OIDC, which would inherit your MFA with JWT cryptography, is far more private and secure than using anonymous emails. I know because I have performed OSINT/recon/credential stuffing/phishing and gained more information on non-SSO accounts due to the lacking security. It's much harder to get a JWT than to just log in without MFA.