2FA adoption rate (OAuth plugins)

Hi, we’re considering using OAuth in our plugin, but then users are required to have 2FA enabled to install it. Now reconsidering… Seems adoption rates vary a lot across apps, with services like Twitter as low as 2.6%.

Is OpenAI able to share any ballpark stats on 2FA adoption so far?

1 Like

Not OpenAI, but I say be the change.

Everyone should use MFA for all the things and the more people who build things and require it the better.

Also, it’s much easier to start with MFA than to deal with the backlash of the small subset of users who will resist it later.

1 Like

Look. 2FA costs me A LOT of time already. I hate any app that forces me to use it. And most people think the same.

2 Likes

As of today, out of 129 plugins I see the following auth methods:

  • 10 OAuth
  • 27 bearer tokens
  • 3 basic
  • 89 None

1 Like

MFA shouldn’t cost you hardly any time at all.

I used to feel the same way though when I started using MFA. The key is to find systems which work well for you.

For me, an authenticator app which pushes requests to my phone covers cases where I need to authenticate on mobile with very little delay—on the order of a few seconds each time—and I haven’t found the cumulative delay from all of the logins I do each day to be too onerous a burden.

Then for my laptops and desktop I use FIDO2 hardware authenticators which take approximately zero time to use.

You can “hate” any app that forces you to use it all you want, but most people would be much better for it if more services required MFA.

I can’t speak to what most people think, but having everyone secured behind MFA is unequivocally a public good.

So, personally, I think all online services that are used either for identity purposes or which have the potential to cost the user or the provider money if the service is misused, should require MFA.

1 Like

Look. Let's discuss that on multiple levels:

First, I often have to stop browsing the web and search my phone for some stupid website that requires me to input some number or do some other shit on the smartphone. That is what is often called 2FA.

I mean, I understand the idea and why people came up with it but I am so fed up with all this security bullshit that I choose not to investigate stuff where I can see that some other people might have had access to some of my accounts. I mean, as I have used the Internet for multiple decades now, Chrome claims you can use hundreds (!) of my accounts since the passwords have been leaked or the accounts have been hacked or whatever.

And now, with the advent of even more tech bullshit like Generative AI it will be super easy to impersonate me in any conceivable way anyway. This security race is lost. If Quantum Computing takes off, and it will eventually, all of our “legacy” encryption will break down. So … to summarize: We are all fucked, anyway. In so many different ways that I stopped counting and wondering.

I try to secure my most important assets and the rest can go to hell anyway.

1 Like

If you’re not on your phone, as I said, use a hardware key.

Takes zero time.

Username, password, enter. Press hardware key. Done.

Multi-factor authentication benefits more than just the user of said authentication.

Not using MFA, when it is available, is just irresponsible.

1 Like

Hey elmstedt,

I take it you have the best intentions, but you really fail to grasp what this is about. You seem to think that we as in the more than 90% need education and if we were educated we would see the world in the same way and have the same preferences and therefore would commit to MFA.

That just tells me that you do not understand our / my viewpoint. I do not lack education or knowledge to implement solutions such as those you are mentioning. I do not want them. Like, I as a free human being do not WANT them. I really hope you get me now.

Else I will try to pitch you eating more green leaves or carrots or whatever some other self-proclaimed guru wants to sell to anyone. Surely enough I can and have been trained to press all sorts of buttons and am humiliated by tech all day and night to do things in exactly the way a developer / big corporations intended. Doesn’t make me like them one bit … and since all security is flawed (see above) I do not see why I should waste my time with it.

1 Like

I do not.

Don’t care.

The fact perfect security does not exist does not render all security worthless.

Every so often people need to be dragged, kicking and screaming down the path of improved security. There’s a reason why no major, mainstream website will let you choose “password” as your password. MFA is simply the next step in that evolution.

1 Like

All for 2FA! Twitter is a bad example to compare with.

2 Likes

OAuth plugins seem underrepresented. We’ve submitted ours for review but I guess it takes longer because OAuth plugins are more complicated to test.

However, in my opinion, OAuth is much more secure, especially if the application requires access to sensitive data.

We’re really opening Pandora’s box by creating OpenAPIs with no authentication needed.