This is a misunderstanding. You can’t possibly know if there’s been a benefit, because you wouldn’t know unless your account was compromised. The mere presence of 2fa on an account will stop credential stuffing attacks dead in their tracks.
It’s like saying “this lock on my door is pointless because nobody has broken into my house”.
No it would be more like having the key to my house, but after I use the key I can’t get in and have to wait for a text and verification email before my door opens
The clunky user experience in the analogy isn’t wrong but is focused on the wrong thing, having locks is already an annoying user experience.
Having to carry keys everywhere and juggle shopping when opening my door sucks. It would suck more if someone entered my house and stole my stuff so I accept the trade off.
It’s the same with MFA. We all accept a worse user experience for significantly improved security.
More like using a key that hasn’t been used in I over 30 days and needing to wait on a text/email.
Also text or email is a bad second factor and an implementation problem. TOTP is better. Passkeys way better and are so simple once you start using them.
Their analogy is from the perspective of an authorized user complaining about inconvenience, completely ignoring the things I was addressing (their statement that 2fa provides no benefit)
they said it provides no benefit to them…
and i get it - for some things, maybe you don’t need “all the security” … just “enough” of it.
for example; i might not need any lock on my laundry room door, i might choose a privacy lock on my toilet room door (no key required to unlock), but i will fit an additional a deadlock on the front door. each has a level of security that i deem to be appropriate.
they asserted their opinion about MFA as it pertained to them, not in general.
I’m not talking about appropriate security posture for a given individual though. I’m speaking specifically to their claim that it has provided “no benefit”, and that is a claim they cannot even prove. Whether the benefit is negligible, because the account(s) are unimportant to them, or massive, because they are dealing with financial institutions, is completely irrelevant to the veracity of the statement.
I find this line of argument especially ridiculous considering that they are apparently using MFA enough for it to be worth commenting about the nuisance. So either they are using it a lot, in many places, and definitely can’t back up a “no benefit” claim, or they’re using it very little and/or only for unimportant accounts, at which point their claim is saber rattling at best, and misleading to others at worst.
A minor annoyance now to avoid a major headache later. Worth the trade
It’s been nothing but a headache for me with no benefit
This is a misunderstanding. You can’t possibly know if there’s been a benefit, because you wouldn’t know unless your account was compromised. The mere presence of 2fa on an account will stop credential stuffing attacks dead in their tracks.
It’s like saying “this lock on my door is pointless because nobody has broken into my house”.
No it would be more like having the key to my house, but after I use the key I can’t get in and have to wait for a text and verification email before my door opens
The clunky user experience in the analogy isn’t wrong but is focused on the wrong thing, having locks is already an annoying user experience.
Having to carry keys everywhere and juggle shopping when opening my door sucks. It would suck more if someone entered my house and stole my stuff so I accept the trade off.
It’s the same with MFA. We all accept a worse user experience for significantly improved security.
More like using a key that hasn’t been used in I over 30 days and needing to wait on a text/email.
Also text or email is a bad second factor and an implementation problem. TOTP is better. Passkeys way better and are so simple once you start using them.
Ok. Why don’t you try explaining how digital security works to the security professional some more. I’m sure you’ll convince me real soon 😜
I’m a security professional also, i don’t see the issue with their analogy?
And I’m the queen of France.
exactly :)
Their analogy is from the perspective of an authorized user complaining about inconvenience, completely ignoring the things I was addressing (their statement that 2fa provides no benefit)
they said it provides no benefit to them… and i get it - for some things, maybe you don’t need “all the security” … just “enough” of it. for example; i might not need any lock on my laundry room door, i might choose a privacy lock on my toilet room door (no key required to unlock), but i will fit an additional a deadlock on the front door. each has a level of security that i deem to be appropriate. they asserted their opinion about MFA as it pertained to them, not in general.
I’m not talking about appropriate security posture for a given individual though. I’m speaking specifically to their claim that it has provided “no benefit”, and that is a claim they cannot even prove. Whether the benefit is negligible, because the account(s) are unimportant to them, or massive, because they are dealing with financial institutions, is completely irrelevant to the veracity of the statement.
I find this line of argument especially ridiculous considering that they are apparently using MFA enough for it to be worth commenting about the nuisance. So either they are using it a lot, in many places, and definitely can’t back up a “no benefit” claim, or they’re using it very little and/or only for unimportant accounts, at which point their claim is saber rattling at best, and misleading to others at worst.