
Ask HN: What's worse: requiring two factor authentication or being hacked? - hoodoof
Would you rather lose potential users by requiring two factor authentication, or would you rather be hacked?
======
dreamdu5t
False dichotomy. A single user account being compromised because they exposed
the password is not "hacked." Don't let users use weak passwords and have
brute-force protection. I'm curious, but did Slack lock accounts out after X
failed authentications? They didn't even reveal how they were compromised.
Warn users about the dangers of using simple passwords or sharing passwords
between services. Make 2FA the default but let users who aren't idiots opt
out.

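The lockout dreamdu5t asks about (refuse weak passwords at signup, lock an account after X failed authentications) in working form. This is an added example, not code from the thread or from Slack; the policy numbers, the tiny password denylist and every class and function name are illustrative assumptions. It uses only the Python standard library so it runs offline.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Policy knobs (illustrative values, not taken from the thread).
MAX_FAILURES = 5            # X failed authentications before the lockout starts
LOCKOUT_SECONDS = 15 * 60   # how long a locked account refuses logins
MIN_PASSWORD_LENGTH = 12

# Constructed stand-in for a real breached-password denylist.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0          # consecutive failures since the last success
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


class ManualClock:
    """Test helper: a clock advanced by hand so lockout expiry is deterministic."""

    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


class AuthService:
    """In-memory account store with weak-password rejection and lockout."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts: dict[str, Account] = {}
        # Throwaway credential: unknown usernames burn the same hashing cost as
        # real ones, so response time does not reveal whether a user exists.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = self._hash("dummy", self._dummy_salt)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # scrypt is memory-hard, so offline guessing against a leaked hash is
        # expensive as well; 2**14/8/1 needs 16 MiB per hash.
        return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1)

    @staticmethod
    def check_password_strength(password: str) -> bool:
        """Reject short passwords and anything on the denylist."""
        if len(password) < MIN_PASSWORD_LENGTH:
            return False
        return password.lower() not in COMMON_PASSWORDS

    def register(self, username: str, password: str) -> None:
        if not self.check_password_strength(password):
            raise ValueError("weak password")
        salt = os.urandom(16)
        self.accounts[username] = Account(salt=salt, pw_hash=self._hash(password, salt))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            hmac.compare_digest(self._hash(password, self._dummy_salt), self._dummy_hash)
            return "denied"
        if acct.locked_until > now:
            # A locked account is not checked at all, so the attacker gets no
            # password oracle until the window has passed.
            return "locked"
        candidate = self._hash(password, acct.salt)
        if hmac.compare_digest(candidate, acct.pw_hash):
            acct.failures = 0
            acct.locked_until = 0.0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return "denied"


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse battery staple")
    for attempt in range(MAX_FAILURES + 1):
        print(attempt, svc.login("alice", "wrong password!!"))
```

The attempt that reaches MAX_FAILURES still answers "denied"; only later attempts see "locked", and the correct password is refused for the whole window. Two caveats a deployment needs beyond this sketch: a per-account lockout lets anyone who knows a username lock its owner out, so pair it with per-source rate limiting or a CAPTCHA step rather than relying on lockout alone, and the counters must live in shared storage (not process memory) once there is more than one login server.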
------
ytjohn
The question is a bit open-ended.

Basically, doing things like requiring complex passwords or 2FA prevents user
accounts from being hacked. It does nothing for remote exploits in your
application (like Slack had recently). So for your end-users, there is no
major onus to force them to 2FA. You can encourage it all you want, but at the
end of the day, if an end user has their simple password brute forced, it's
fixable. If you have 100k users with brute forced passwords, you might have to
react, shut down accounts doing malicious activities, enforce complex
passwords, etc. But the PIN data and service are still fine.

Now, if we're talking employees that have access to sensitive data, then yes,
I would definitely be all about enforcing 2FA.

------
aurizon
I bought one of these $6.99 USB 2FA devices from Amazon, and use Chrome. They
sell more expensive ones. The cheap ones = fragile = take care.
[http://amzn.to/1Ml9fA3](http://amzn.to/1Ml9fA3) I tolerate the delay, because
I would rather have the delay in place of getting hacked by a sniffer some
place.

If I must use IE or FF, it defaults to a phoned number to my cell, and if that
fails, I have my printed list.

