
Guide to User Data Security (updated) - brokenwren
https://fusionauth.io/resources/guide-to-user-data-security
======
brokenwren
I'm the author of the guide (and did this recent update to it), so feel free
to ask me any questions you might have. Comments or corrections also welcome.

------
mooreds
This renders really weird on FF on windows. Lots of long images. (Yes, some
people still use FF and Windows.)

Liked the references section, and appreciated some of the finer details (the
origin check, for example).

------
robotdan
What do you think about MFA, password-less SMS or email based login? It seems
there are a lot of varying opinions on the topic.

This could be an additional topic to add to your guide. Thanks.

~~~
brokenwren
That is something I didn't get a chance to add to the guide this time. I'm
going to be adding more information to the guide later this year or next.

Passwordless login is an interesting topic and it seems like other companies
are pushing it hard. When it is done via an app on your phone, it appears to
be more secure than via SMS. Similarly, email based login is only as secure as
someone's email. Both of these methods of authentication rely on third-parties
to implement the security well, which is not always the case.

As for MFA, both SMS and code based MFA are good solutions. SMS is a little
less secure because phones can be cloned. The new Webauthn specification looks
interesting and hopefully that will improve web based authentication
considerably. Finally, the best solution currently still seems to be MFA
devices like USB sticks.

The main issue with MFA is that it can be cumbersome for users to set up. The
simplest version is SMS, which requires very little knowledge to set up
correctly. However, this is also the least secure.

Always tradeoffs with security unfortunately.

