Would you rather I enforce passkeys? That would go over even worse than this already is. I made a judgement call for the safety of the community. The alternative is leaving everything vulnerable. So what is it? Passkeys, MFA or vulnerable? I think I made a fair decision.
If they need an account it’s not impulsive. They signed up and joined the community. That friction is there by design. MFA doesn’t add that much friction. People who are vocally anti-MFA are lazy or ignorant, or both.
This point is frankly a distraction. The TOTP URI isn’t even something visible to anyone besides the client. It’s metadata that is supposed to enforce the TOTP algorithm and control input. The domain isn’t really a privacy thing.
All of it.
There are many parts of different MFA implementations that resolve MFA fatigue. For example, push notification auth used to only require hitting an approval button. Because of MFA fatigue that has changed to requiring entering a number displayed on the web page.
MFA is designed to be convenient. It’s specifically designed to make the authentication process smooth for people who have MFA and make it very difficult for people who are phishing or credential stuffing, etc. It’s actually trying to add friction to just the people who ARE the problem.
I actually don’t think that many people will give up and leave. For a bunch of reasons I think most people will make the account anyway.
I’m not going to address a strawman. Instead I will display the actual quote below:
A few people have compared this enforcement to the Discord ID verification, they’ve claimed MFA is not private, they’ve said MFA is unnecessary. If you’re mistaken on how something works, that is the definition of ignorance.
I am enforcing it because people wouldn’t use it otherwise. This is a threat because the community trusts each other. I don’t want hackers to abuse that trust by hacking an account and distributing malware. There are other threats but this is the threat model I care about right now.
I said this already but it appears that was ignored.
Ok. I’m going to make people upset when I say this. In the current year, if you don’t have MFA on all your accounts, you’re behind the curve by a decade. You’re basically a caveman. MFA is a standard for everything. Not having MFA on every single account you have is unacceptable in the modern day. It’s easy as hell to use, and your resistance to it is stupid.
The reason I say this is behind is because we are approaching an industry where passkeys are quickly becoming the new standard. Some places are enforcing passkeys because advanced attacks are becoming more common (namely reverse proxy phishing). If you’re not using MFA everywhere in the current year, you’re in a scary situation.
Some things jump priority because I miscalculated their importance earlier. I feel that’s obvious and I shouldn’t have to explain that.
MFA is happening. I’m not answering anything more in this thread. If you have more questions DM me.
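For readers wondering what the "TOTP URI" mentioned in the thread actually carries and what the server does with it, here is an added example (not code from the forum or its software): it parses an `otpauth://totp/...` URI, derives codes per RFC 4226/6238 with the standard library only, and verifies a submitted code with a small clock-skew window plus replay protection so a code that has already been accepted cannot be reused. The URI, the issuer name `ExampleForum`, the user `alice` and the secret are constructed; the secret is the RFC 6238 test key so the expected codes are the published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example URI (the secret is the RFC 6238 SHA1 test key "12345678901234567890").
# The label/issuer are only metadata that tells the authenticator app which entry this is;
# the only sensitive field is the secret itself.
EXAMPLE_URI = ("otpauth://totp/ExampleForum:alice"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleForum&digits=6&period=30")


def parse_otpauth_uri(uri):
    """Parse an otpauth://totp/<label>?secret=...&issuer=...&digits=...&period=...&algorithm=... URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = parse_qs(parts.query)
    if "secret" not in query:
        raise ValueError("otpauth URI has no secret")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": query["secret"][0],
        "issuer": query.get("issuer", [""])[0],
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
        "algorithm": query.get("algorithm", ["SHA1"])[0].upper(),
    }


def hotp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32, at_time, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / period)."""
    return hotp(secret_b32, int(at_time) // period, digits, algorithm)


class TotpVerifier:
    """Server-side check for one enrolled user: accepts codes within +/- window periods,
    but never accepts a counter at or below the last one already consumed (replay protection)."""

    def __init__(self, params, window=1):
        self.params = params
        self.window = window
        self.last_counter = -1  # highest counter value that has produced an accepted login

    def verify(self, code, at_time=None):
        at_time = time.time() if at_time is None else at_time
        p = self.params
        now_counter = int(at_time) // p["period"]
        for c in range(now_counter - self.window, now_counter + self.window + 1):
            if c <= self.last_counter:
                continue  # this time step was already used (or is older than one that was)
            expected = hotp(p["secret"], c, p["digits"], p["algorithm"])
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    params = parse_otpauth_uri(EXAMPLE_URI)
    print("enrolled", params["label"], "issuer", params["issuer"])
    print("current code:", totp(params["secret"], time.time(), params["digits"], params["period"]))
```

The verifier keeps `last_counter` per user; in a real deployment that value lives in the user record so a code stays single-use across app instances. The skew window of one period either side is the usual compromise between tolerating phone clock drift and keeping the accepted set of codes small.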
