“yes give us your bank details we promise it’s safe and won’t take any money” - bad
“yes give us your passwords we promise it’s safe and won’t use the information” - good
I just fail to see the difference, how giving my pw anywhere besides the website is a good idea
Is it possible to have a simple TLDR style post pinned and/or written at the top and/or bottom of this thread explaining what MFA is, without going into detail, and also explaining why it does not invade privacy?
That is the most common misunderstanding and this thread is not one that everyone is going to read from start to finish.
And I really mean to keep it a simple and understandable explanation.
Okay. So when I said someone falling for malware wouldn’t be saved by having passkeys enabled, the correction was that passkeys aren’t what’s being enforced. Fine. But then the very next response is that actually passkeys would save them. You can’t correct me for talking about passkeys and then immediately use passkeys as the justification for the policy. If there’s this much confusion about what’s actually being enforced and why, in a thread full of people trying to understand it, that’s not users being obtuse.
That was slightly imprecise. Anonymous here doesn’t mean without an account, it means pseudonymous and unlinked to anything real.
Not everyone is going to know to manually enter the key instead of scanning the QR code. Not everyone is going to watch a video to find out how to remove metadata. Some people are just going to do what’s in front of them, and on a site where anonymity is the whole point, that’s a problem that mandatory enforcement created.
Which part is objectively false? If it’s the friction point, that’s demonstrably true. Two people have already asked to have their accounts deleted before enforcement has even started. Multiple others have complained about being forced to comply with something they don’t understand or being locked out of sites by MFA before. That’s not a hypothetical.
If it’s the part about not being able to protect someone from their own mistakes with a login screen, I’d genuinely like to know how MFA stops someone from being talked into handing over access, or from approving a prompt they shouldn’t, or from downloading malware because they trusted the source. MFA fatigue attacks exist precisely because people can be manipulated into approving authentication requests. “This is my day job” should mean you know that. So what specifically was false, and how does a login requirement fix the human judgment problem you described when you said anyone could have fallen for it?
For a lot of users on a site like this, the threat model doesn’t really apply either. If someone got into their account there’s nothing to find. Mandatory enforcement for every single user regardless of their situation isn’t proportionate.
The attack that triggered all of this was malware stealing active session tokens on a compromised device, not a login credential issue. MFA doesn’t reliably prevent that, as far as I understand, and the technical debates that followed complicated that position more than resolved it.
Knowing how to build these systems doesn’t mean you know what’s right for the people using them. The companies you build authentication systems for presumably have IT departments, security training, onboarding processes. Their employees are expected to know this stuff as part of their job. The people on this site are here to look at porn. Those are not the same audience and they shouldn’t be treated the same way. I’ve been on the other side of this. I worked at a bank and went through formal MFA training there. It wasn’t just “here’s how to set it up.” It was extensive. Social engineering awareness, how to spot manipulation attempts, what to do if something feels off. MFA at login is only one piece of the problem, and the people implementing it knew that. The technical side and the human education side have to come together or the technical side doesn’t do what you think it does. What’s being rolled out here is one without the other.
Forcing someone to use MFA doesn’t make them more security conscious, it just adds a step:
That’s exactly what happens when you enforce a tool without educating people on why it exists. Nobody coming here to find a script to get off to is going to start caring about internet security because you made MFA mandatory. They’re going to do the minimum, not understand why, and go back to making the same decisions they always made. Or they’re going to leave.
That concern is completely understandable. Someone on a porn site is being told they need to install additional software and hand it their credentials, because of a policy they didn’t ask for and don’t fully understand. The response they got was exasperation, and then a list of even more software to download with no explanation of what any of it is or why they should trust it. This is the curse of knowledge. When you spend years building these systems, being paranoid about keepass probably seems absurd. But from the outside, it’s a rational response from someone who has no reason to trust yet another piece of software they’ve never heard of. These are your users, not IT employees. A Discord seminar on passkey protocols is not going to bridge that gap.
So if someone disagrees they’re ignorant, and if they’re ignorant they’re being obtuse. That’s a closed loop where disagreement itself becomes evidence of ignorance. But who in this thread was actually vocally against MFA?
What I mostly see in this thread is people questioning mandatory enforcement, not MFA itself. Calling those the same thing makes it a lot easier to dismiss concerns without engaging with them.
Saying something has been addressed doesn’t make it addressed. Pointing to Chrome Authenticator and saying “you don’t need another device” is addressing a different concern entirely. The actual question is whether mandatory enforcement is worth the cost to signups, to casual users, to people who came here for low friction browsing and are now being told to set up authentication systems they don’t understand before they’ve even seen what the site has to offer. These aren’t people who signed up to learn about FIDO2 credentials. “It’s minimal” is an assertion, not an argument. “It’s standard everywhere” doesn’t make it right for here.
This only answers why things are slow. It doesn’t answer why some things move instantly. When something touched someone close to you, time was found the same day.
If friction for the user truly matters, then the better version of this is MFA as an opt out rather than a mandate. Default it on, explain why, and let people make an informed choice to turn it off. And you could even add a small profile indicator for users who haven’t set it up, so the community can make their own judgments about who they interact with. That respects the security concern and gives people who want it a clear path to set it up, without forcing users to feel like they can’t be trusted to make the decision on their own.
I’ve said what I wanted to say and I don’t really have anything to add beyond this. I genuinely hope the enforcement decision gets some serious reconsideration, because I think a better version of this exists. And while we’re in the business of reconsidering things, maybe take another look at the tag situation too. Some changes really do cost nothing.
Would you rather I enforce passkeys? That would go over even worse than this already is. I made a judgement call for the safety of the community. The alternative is leaving everything vulnerable. So what is it? Passkeys, MFA or vulnerable? I think I made a fair decision.
If they need an account it’s not impulsive. They signed up and joined the community. That friction is there by design. MFA doesn’t add that much friction. People who are vocally anti-MFA are lazy or ignorant, or both.
This point is frankly a distraction. The TOTP URI isn’t even something visible to anyone besides the client. It’s metadata that is supposed to enforce the TOTP algorithm and control input. The domain isn’t really a privacy thing.
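To make the point above concrete, here is an added example (not code from the thread or the site) showing what an otpauth:// TOTP URI actually contains and how the authenticator turns it into a code per RFC 6238. The issuer and label are constructed placeholders (example.test, alice); the secret is the RFC 6238 test key, so the output can be checked against the published vectors. Only the six-digit code ever goes back to the site; the issuer and label are display metadata that never leave the client.

```python
# Added example: parse an otpauth://totp URI and compute the RFC 6238 code.
# Issuer/label are client-side display metadata; only the code is submitted.
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri: str) -> dict:
    """Split an otpauth://totp/... URI into the fields the client stores."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    label = unquote(parts.path.lstrip("/"))
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "label": label,                 # shown in the app, e.g. "site:user"
        "issuer": q.get("issuer"),      # site name shown in the app
        "secret": q["secret"],          # base32 shared secret: the only sensitive field
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def totp(secret_b32: str, unix_time: int, digits: int = 6,
         period: int = 30, algorithm: str = "SHA1") -> str:
    """RFC 6238: HMAC over the time-step counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(key, counter, getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def code_from_uri(uri: str, unix_time: int) -> str:
    """What the authenticator does after scanning or pasting the URI."""
    p = parse_otpauth(uri)
    return totp(p["secret"], unix_time, p["digits"], p["period"], p["algorithm"])


# Constructed URI: RFC 6238 test secret "12345678901234567890" in base32;
# issuer and label are placeholders, not a real site or user.
EXAMPLE_URI = ("otpauth://totp/example.test:alice"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=example.test")

if __name__ == "__main__":
    print(parse_otpauth(EXAMPLE_URI))
    print(code_from_uri(EXAMPLE_URI, 59))  # RFC 6238 vector at T=59: 287082
```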
All of it.
There are many parts of different MFA implementations that resolve MFA fatigue. For example, push notification auth used to only require hitting an approval button. Because of MFA fatigue that has changed to requiring entering a number displayed on the web page.
MFA is designed to be convenient. It’s specifically designed to make the authentication process smooth for people who have MFA and make it very difficult for people who are phishing or credential stuffing, etc. It’s actually trying to add friction to just the people who ARE the problem.
I actually don’t think that many people will give up and leave. For a bunch of reasons I think most people will make the account anyway.
I’m not going to address a strawman. Instead I will display the actual quote below:
A few people have compared this enforcement to the Discord ID verification, they’ve claimed MFA is not private, they’ve said MFA is unnecessary. If you’re mistaken on how something works, that is the definition of ignorance.
I am enforcing it because people wouldn’t use it otherwise. This is a threat because the community trusts each other. I don’t want hackers to abuse that trust by hacking an account and distributing malware. There are other threats but this is the threat model I care about right now.
I said this already but it appears that was ignored.
Ok. I’m going to make people upset when I say this. In current year. If you don’t have MFA on all your accounts. You’re behind the curve by a decade. You’re basically a caveman. MFA is a standard for everything. Not having MFA on every single account you have is unacceptable in the modern day. It’s easy as hell to use, and your resistance to it is stupid.
The reason I say this is behind is because we are approaching an industry where passkeys are quickly becoming the new standard. Some places are enforcing passkeys because advanced attacks are becoming more common (namely Reverse Proxy Phishing). If you’re not using MFA everywhere in current year, you’re in a scary situation.
Some things jump priority because I miscalculated their importance earlier. I feel that’s obvious and I shouldn’t have to explain that.
MFA is happening. I’m not answering anything more in this thread. If you have more questions DM me.