[kwlug-disc] 2FA Google Authentication and Best Practices with passwords

Chris Frey cdfrey at foursquare.net
Sun Feb 6 15:20:46 EST 2022


On Sun, Feb 06, 2022 at 05:47:14AM -0500, Chris Irwin via kwlug-disc wrote:
> U2F/Yubikeys > TOTP > Email > App-based > SMS

I like this hierarchy.  Nicely defined.

I might swap Email and app-based, but it's a tough call.  With app,
you get to avoid one point of failure, namely your own DNS and mail
server.  Unfortunately, "app" is normally considered a phone thing,
as I understand it, which removes control from the user.  A bit of
a toss-up.

SMS is so far down the 'secure' list that it shouldn't even be on it,
in my opinion.  The sooner it goes away as an embarrassingly bad idea
the better.

The tricky thing to consider is how to recover an account when the
second factor fails.  How do you recover your account if you lose
your Yubikey, or if your domain name is hijacked, or your phone
is lost, or your SIM card is cloned, etc.?  The fewer things that are
outside of your direct control, the easier it is to fix, in my opinion.
The cell phone company and gmail are giant pieces outside of one's
direct control.

- Chris