2FA adoption rate (OAuth plugins)

Hi, we’re considering using OAuth in our plugin, but then users are required to have 2FA enabled to install it. Now reconsidering… Seems adoption rates vary a lot across apps, with services like Twitter as low as 2.6%.

Is OpenAI able to share any ballpark stats on 2FA adoption so far?

1 Like

Look. 2FA costs me A LOT of time already. I hate any app that forces me to use it. And most people think the same.

2 Likes

As of today, out of 129 plugins I see the following auth methods:

  • 10 oauth
  • 27 bearer tokens
  • 3 basic
  • 89 None
2 Likes
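The tally above was presumably produced by reading each plugin's manifest and bucketing its `auth` block. As an added example (not code from this thread or from OpenAI), here is a small Python script that does that classification over a handful of constructed manifests. It assumes the ai-plugin.json layout as this example's author understands it: `auth.type` is one of `none`, `user_http`, `service_http` or `oauth`, and the two HTTP types carry an `authorization_type` of `bearer` or `basic`. The plugin names, URLs and manifests are invented for illustration.

```python
import json
from collections import Counter

# Constructed sample manifests for illustration only (no real plugins).
# The "auth" object follows the ai-plugin.json layout assumed in the lead-in.
SAMPLE_MANIFESTS = [
    '{"schema_version": "v1", "name_for_model": "weather", "auth": {"type": "none"}}',
    '{"schema_version": "v1", "name_for_model": "crm", "auth": {"type": "oauth",'
    ' "client_url": "https://example.invalid/authorize", "scope": "read",'
    ' "authorization_url": "https://example.invalid/token",'
    ' "authorization_content_type": "application/json"}}',
    '{"schema_version": "v1", "name_for_model": "todo",'
    ' "auth": {"type": "user_http", "authorization_type": "bearer"}}',
    '{"schema_version": "v1", "name_for_model": "legacy",'
    ' "auth": {"type": "user_http", "authorization_type": "basic"}}',
    '{"schema_version": "v1", "name_for_model": "svc",'
    ' "auth": {"type": "service_http", "authorization_type": "bearer",'
    ' "verification_tokens": {"openai": "REDACTED"}}}',
    # Manifest with no auth block at all: treated the same as "none".
    '{"schema_version": "v1", "name_for_model": "broken"}',
    # Malformed JSON, to show the script does not silently miscount it.
    '{"schema_version": "v1", "name_for_model": "garbage", "auth": ',
]


def classify_auth(manifest: dict) -> str:
    """Map one manifest's auth block onto the four buckets used in the thread:
    oauth, bearer, basic or none."""
    auth = manifest.get("auth")
    if not isinstance(auth, dict):
        # Missing or non-object auth block: the API is reachable without a credential.
        return "none"
    kind = auth.get("type", "none")
    if kind == "oauth":
        return "oauth"
    if kind in ("user_http", "service_http"):
        # Both HTTP flavours carry an authorization_type; anything that is not
        # explicitly "basic" is counted as a bearer token.
        return "basic" if auth.get("authorization_type") == "basic" else "bearer"
    return "none"


def tally(raw_manifests) -> Counter:
    """Count auth methods across raw manifest strings, keeping unparseable
    manifests in their own bucket instead of dropping them."""
    counts = Counter()
    for raw in raw_manifests:
        try:
            manifest = json.loads(raw)
        except json.JSONDecodeError:
            counts["unparseable"] += 1
            continue
        counts[classify_auth(manifest)] += 1
    return counts


def unauthenticated_plugins(raw_manifests) -> list:
    """Names of plugins whose API can be called with no credential at all."""
    names = []
    for raw in raw_manifests:
        try:
            manifest = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if classify_auth(manifest) == "none":
            names.append(manifest.get("name_for_model", "<unnamed>"))
    return names


if __name__ == "__main__":
    counts = tally(SAMPLE_MANIFESTS)
    total = sum(counts.values())
    for bucket in ("oauth", "bearer", "basic", "none", "unparseable"):
        print(f"{bucket:12s} {counts[bucket]:3d}  ({100 * counts[bucket] / total:.1f}%)")
    print("no auth:", ", ".join(unauthenticated_plugins(SAMPLE_MANIFESTS)))
```

Point the tally at the real manifests and the `none` bucket is the list to worry about: a plugin there is exactly the "OpenAPI with no authentication" case raised later in the thread, so it is worth checking whether each such plugin exposes anything beyond public, read-only data.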

Look. Let's discuss that on multiple levels:

First, I often have to stop browsing the web and search my phone for some stupid website that requires me to input some number or do some other shit on the smartphone. That is what is often called 2FA.

I mean, I understand the idea and why people came up with it but I am so fed up with all this security bullshit that I choose not to investigate stuff where I can see that some other people might have had access to some of my accounts. I mean, as I have used the Internet for multiple decades now, Chrome claims you can use hundreds (!) of my accounts since the passwords have been leaked or the accounts have been hacked or whatever.

And now, with the advent of even more tech bullshit like Generative AI it will be super easy to impersonate me in any conceivable way anyway. This security race is lost. If Quantum Computing takes off, and it will eventually, all of our “legacy” encryption will break down. So … to summarize: We are all fucked, anyway. In so many different ways that I stopped counting and wondering.

I try to secure my most important assets and the rest can go to hell anyway.

1 Like

Hey elmstedt,

I take it you have the best intentions, but you really fail to grasp what this is about. You seem to think that we, as in the more than 90%, need education, and that if we were educated we would see the world in the same way, have the same preferences and therefore commit to MFA.

That just tells me that you do not understand our / my viewpoint. I do not lack the education or knowledge to implement solutions such as those you are mentioning. I do not want them. Like, I as a free human being do not WANT them. I really hope you get me now.

Else I will try to pitch you eating more green leaves or carrots or whatever some other self-proclaimed guru wants to sell to anyone. Sure enough, I can and have been trained to press all sorts of buttons and am humiliated by tech all day and night to do things in exactly the way a developer / big corporation intended. Doesn't make me like them one bit … and since all security is flawed (see above) I do not see why I should waste my time with it.

1 Like

All for 2FA! Twitter is a bad example to compare with.

2 Likes

OAuth plugins seem underrepresented. We’ve submitted ours for review, but I guess it takes longer because OAuth plugins are more complicated to test.

However, in my opinion, OAuth is much more secure, especially if the application requires access to sensitive data.

We’re really opening Pandora’s box by creating OpenAPIs with no authentication needed.

That just tells me that you do not understand our / my viewpoint.

Not all viewpoints are equal, or deserve attention or understanding. There are entire groups of racists, sexists, etc. out there.

Do you lock your front door? Why? According to reports, robbers are breaking into houses all the time. It’s inconvenient to get keys out of your pocket all the time. What if you’re BUSTING to go to the toilet!

TL;DR - no one failed to grasp your viewpoint, they just failed to care.

@blake386 Great thread.

I think it’s great to be able to log in to a service with OAuth, and the argument for 2FA or MFA depends on a few factors (with no right answer, as it depends on the trade-offs of convenience versus the importance of the account/service). Besides personal preferences such as the convenience factor, the more important question is whether the underlying account/service is sensitive in terms of the information it protects, whether privacy related or for financial accounts where there is a risk of financial fraud, for example.

Ideally, users should expect to go to greater lengths to secure their financial accounts and emails/social media, compared to securing an account for some service that doesn’t have any important data or credit card details on file, etc. (e.g. some sites for checking the weather, where you can get away with a weaker password that you only use on that site, and where 2FA could push users away and appear to be overkill).

Conversely, some people want 256-bit security everywhere and as a result have longer, more complex passwords that are hard to remember and must be stored centrally in a password manager (where the security comes down to how secure their master password for the manager is).

So the UI/UX challenge is a trade-off between those extremes. Password responsibility best practices still haven’t been fully adopted by consumers because they can click reset on most services; they are using cryptography implicitly and relying on the service provider to maintain secrets (so it’s a convenience factor).

For comparison, using cryptography explicitly by generating their own private keys and secrets in a secure manner, like hardcore crypto folks do, in addition to using devices for MFA, will become more and more commonplace in the future, and as cybersecurity converges more with AI, it will force consumers to stop delegating their security responsibility and they will be more self-sovereign in that regard (especially as services force them to in order to combat fake accounts, bots and scammers).

I’m all for the extra security steps, but sometimes companies make you jump through hoops, yet that doesn’t mean their service and your accounts are secure, so implementation matters too (i.e. 2FA can be faulty if the user is SIM-swap attacked, versus device-level verification, which is more secure but requires you to back up device secrets in the event of device loss). So overall, the context matters immensely, but as deepfakes get harder to distinguish from reality, explicit crypto and extra measures everywhere will be the norm in the future.

1 Like