
When you can have Authenticator Chrome extensions [1], what is the point of 2FA? Who decided that making it harder to log in for an average user is worth the added security? I'm not arguing that security is not improved. The question is: who weighed the pros/cons of 2FA and decided the entire industry should adopt it? Can we shine some light on the orgs/individuals responsible for this?

> This article is written like a personal reflection, personal essay, or argumentative essay that states a Wikipedia editor's personal feelings or presents an original argument about a topic.

Wikipedia describes 2FA very matter-of-factly, without any background on its history and its advocates [2].

[1] https://chrome.google.com/webstore/detail/authenticator/bhgh...

[2] https://en.wikipedia.org/wiki/Multi-factor_authentication

I may have some idea about this since I was kind of around the space at the time. But to be honest I don't understand your question. Are you asking about the benefit of TOTP as an authentication mechanism when users can install insecure browser-based TOTP implementations?

As far as the history, and "who", I think this has a very long history in the "security-industrial complex", which probably means: NSA. Certainly the idea of 2FA goes back as far as smart cards (early 90s). Then came RSA SecurID, which I saw as a hack to give you something similar to smart card security but without the need to roll out a PKI. TOTP seems like a generic version of SecurID. I don't particularly remember any vendor agenda in all of this; more like everyone was looking to fulfill government and bank requirements for security, then the techniques employed leaked out into the corporate/enterprise world, and finally (like, around today) have become mainstream in the B2C use case. My perception has been that all of this was pretty much about "making things better" by some definition of better that depends on reasonable security for reasonable cost, in the context of typical user behavior.


This looks much more like showmanship than actually improving security. Again, I'm not saying security is not improved. Now there are people who are happy they set standards for others to follow, and IT managers who can show off to their bosses that they're following security standards like ISO 27001 and SOC 2. The SOC 2 standard is set by the AICPA; the last A stands for Accountants. Of all people.


Certainly there's plenty of hype and herd behavior in this industry, but underlying this is a simple desire: don't allow users to give their passwords to a third party. Or rather, they can do that but the third party won't be able to authenticate because they don't have the smart card or 2FA dongle.

Often commercial contracts contain a requirement to adhere to certain security standards. An example of such a contract is liability insurance.
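
The mechanism the comment above describes, as an added illustration that is not part of this thread: a minimal RFC 4226/6238 HOTP/TOTP implementation plus the server-side login check that goes with it. It shows that a phished password on its own is refused, that a code is accepted only within a small clock-drift window, and that a code already used for a successful login cannot be replayed inside that window. The user record, password and "alice" account are constructed for the example; the shared secret is the RFC 6238 test-vector secret, so the first code it produces can be checked against the RFC.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, code, unix_time, step=30, digits=6, window=1, last_counter=-1):
    """Return the matching time-step counter, or None.

    A window of +/-1 step tolerates clock drift between the token and the
    server. Counters at or below `last_counter` (the step already consumed by
    an earlier successful login) are refused, so a code captured by a phishing
    page or a shoulder-surfer cannot be replayed inside that window.
    """
    counter = unix_time // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


# Constructed user record for this example. The TOTP secret is the RFC 6238
# test-vector secret. A real deployment stores a password hash, not the
# password, and keeps the secret in a server-side store.
USERS = {
    "alice": {
        "password": b"correct horse battery staple",
        "totp_secret": b"12345678901234567890",
        "last_counter": -1,
    }
}


def login(username: str, password: str, code, unix_time: int) -> bool:
    """Server-side check: the password AND a fresh TOTP code are both required."""
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(user["password"], password.encode()):
        return False
    if code is None:
        return False  # a phisher holding only the password stops here
    matched = verify_totp(user["totp_secret"], code, unix_time,
                          last_counter=user["last_counter"])
    if matched is None:
        return False
    user["last_counter"] = matched  # burn this step so the same code can't be replayed
    return True


if __name__ == "__main__":
    secret = USERS["alice"]["totp_secret"]
    pw = "correct horse battery staple"
    print(totp(secret, 59, digits=8))                    # RFC 6238 vector: 94287082
    print(login("alice", pw, None, 59))                  # False: password alone
    print(login("alice", pw, totp(secret, 59), 59))      # True
    print(login("alice", pw, totp(secret, 59), 59))      # False: replayed code
```

This is the verifier's side only; the shared secret is the sensitive part, and wherever the generator lives (hardware token, phone app, or a browser extension on the same machine as the password) is exactly the trade-off the thread is arguing about. Note that a time window without the `last_counter` check would let a code captured at login time be reused for up to three steps.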
