> the simple MFA story invites blaming people (invariably called 'users' when doing this)
It's littered with this stuff, but here's one example of silliness. People aren't called users when blaming people. They're called users because they use the software. There's no need to invent pejoratives to make a simple article that restates a known problem interesting. Just state it simply. Or better - get to the point of realising the root problem of this problem, which is also known, and suggest something novel in that regard.
I have TOTP basically everywhere. The one place I didn’t have it and specifically didn’t want it was Gmail.
My password is over thirty characters long and I know it by heart. I really need access to my gmail even if I break my phone, and that happens every couple years. Usually it falls off my nightstand and I step on it getting out of bed. I also don’t like carrying my phone everywhere. I do now, because I have to, but I shouldn’t have to.
Being able to be at a friend's house and just check my email on his laptop without carrying a special device seems beyond reasonable.
Anyway Google forced me to enable it because I publish a Chrome Extension and I’m still salty about it.
I have the same reservation about 2FA on Gmail, but an account takeover would be too devastating to me not to have it. My middle-ground is having multiple printouts of the 8 "backup codes" that can be used if my phone breaks. I suppose connecting some yubikeys to it and having those scattered around my home/backpack/car would also be a good additional backup as well.
Is it possible to create a second Google account to use just for the Chrome Extension?
I've heard that Google will sometimes demand you log in from a known device anyway regardless of settings as a form of unexpected 2FA, although I haven't experienced it myself.
TOTP is not 2FA though (depending on how you define 2FA). Something you know, something you have, something you are. TOTP is a seed that you know. Together with your password which is also something that you know, you have one factor.
Also, if your password is 30 characters long, it sounds like you're using a single password for all of your services. Don't do that; you are 100% fucked if any one service you use gets compromised.
The secret is literally transferred when you first set it up encoded in plaintext in a QR code, and then again, as I expect most here use a service like Authy. Unless you're using a device that already implements true 2FA like a Yubikey, it is generally trivial to pull out the seed (e.g., Google Authenticator app).
It's always good to have a backup email account with no 2FA/geolockouts for emergency use. I keep a backup Keepass file stored in that account which contains my TOTP secrets and other passwords to bootstrap myself if the worst happens.
I just store my TOTP/MFA stuff in 1password, along with my username + password. I understand the risks here, but I prefer the tradeoffs vs. putting all my 2FA on a physical device that might get destroyed or stolen. My 1PW vault password is long and secure, and my devices are configured to require it.
My ideal future has 100% of my accounts (including bank) supporting passkeys, self-hosted bitwarden with security key for mfa (and backed up keepassxc file with copy of all passkeys and recovery codes stored encrypted in multiple places).
Then from any of my devices as long as I have my security key accessible to unlock the vault, I can log into any account using public key cryptography. To get access to the vault you need my strong password, security key, and be on a device with access to the vault or the keepass file (with a different strong password).
If I get a new phone or computer, I just need to add bitwarden and access to the network the vault is on and I will be set back up. If my house burned down and I lost all devices, including the bitwarden host, the backup file would save me.
A damaged or lost 2FA device is less in the control of a cautious and competent user, relative to forgetting a password. Example: taking an Alaska Airlines flight wouldn't typically be considered an account lockout hazard, but this week it was.
> A lot of the reporting is using Alaska Airlines, because it was their flight.
I don’t disagree, it just wasn’t obvious - to me - what was being referred to originally. I think it’s because lexically/conceptually I don’t associate the issue with any particular airline, as it seems the through line is that they are specifically Boeing planes of a certain series with these issues, and not due to any particular airline or servicing or lack thereof, but rather, a defect in the original design as specified and/or a flaw or oversight in production. Considering the frequency and impact of the issues, I’m inclined to believe it’s a bit of both.
I heard from some sites long ago that users with 2FA are enthusiasts, and disable account recovery to prevent social engineering attacks for people who care about security. Today 2FA is the new normal, often mandated by organizations. I think it invalidates the previous belief, and account recovery should be a configurable option not tied to 2FA.
I would respectfully disagree. For my Masters in Fine Arts (Creative Writing), I had to write a novel in the style of a dystopic post-modernist. And this was before ChatGPT.