Hi, we’re considering using OAuth in our plugin, but then users are required to have 2FA enabled to install it. Now reconsidering… Seems adoption rates vary a lot across apps, with services like Twitter as low as 2.6%.
Is OpenAI able to share any ballpark stats on 2FA adoption so far?
Not OpenAI, but I say be the change.
Everyone should use MFA for all the things and the more people who build things and require it the better.
Also, it’s much easier to start with MFA than to deal with the backlash of the small subset of users who will resist it later.
Look. 2FA costs me ALOT of time already. I hate any app that forces me to use it. And most people think the same.
As of today, out of 129 plugins I see the following auth methods
MFA shouldn’t cost you hardly any time at all.
I used to feel the same way though when I started using MFA. The key is to find systems which work well for you.
For me, an authenticator app which pushes requests to my phone covers cases where I need to authenticate on mobile with very little delay—on the order of a few seconds each time—and I haven’t found the cumulative delay from all of the logins I do each day to be too onerous a burden.
Then for my laptops and desktop I use FIDO2 hardware authenticators which take approximately zero time to use.
You can “hate” any app that forces you to use it all you want, but most people would be much better for it if more services required MFA.
I can’t speak to what most people think, but having everyone secured behind MFA is unequivocally a public good.
So, personally, I think all online services that are used either for identity purposes or which have the potential to cost the user or the provider money if the service is misused, should require MFA.
Look. Let`s discuss that on multiple levels:
First, I often have to stop browsing the web and search my phon for some stupid website that requires me to input some number or do some other shit on the smartphone. That is what is often called 2FA.
I mean, I understand the idea and why people came up with it but I am so fed up with all this security bullshit that I choose not to investigate stuff where I can see that some other people might have had access to some of my accounts. I mean, as I have used the Internet for multiple decades now, Chrome claims you can use hundreds (!) of my accounts since the passwords have been leaked or the accounts have been hacked or whatever.
And now, with the advent of even more tech bullshit like Generative AI it will be super easy to impersonate me in any conceivable way anyway. This security race is lost. if Quantum Computing takes off, and it will eventually, all of our “legacy” encryption will break down. So … to summarize: We are all fucked, anyway. In so many different ways that I stopped counting and wondering.
I try to secure my most important assets and the rest can go to hell anyway.
If you’re not on your phone, as I said, use a hardware key.
Takes zero time.
Username, password, enter. Press hardware key. Done.
Multi-factor authentication benefits more than just the user of said authentication.
Not using MFA, when it is available, is just irresponsible.
Hey elmstedt,
I take it you have the best intentions, but you really fail to grasp what this is about. You seem to think that we as in the more than 90% need education and if we were educated we would see the world in the same way and have the same preferences and therefore would commit to MFA.
That just tells me that you do not understand our / my viewpoint. I do not lack education or knowledge to implement solutions such as those you are mentioning. I do not want them. Like, I as a free human being do not WANT them. I really hope you get me know.
Else I will try to pitch you eating more green leaves or carrots or whatever some other self-proclaimed guru wants to sell to anyone. Surely enough I can and have been trained to press all sorts of buttons and am humiliated by tech all day and night to do things in exactly the way a developer / big corporations intended. Doesn‘t make me like them one bit … and since all security is flawed (see above) I do not see why I should waste my time with it.
I do not.
Don’t care.
The fact perfect security does not exist does not render all security worthless.
Every so often people need to be dragged, kicking and screaming down the path of improved security. There’s a reason why no major, mainstream website will let you choose “password” as your password. MFA is simply the next step in that evolution.
All for 2FA! Twitter is a bad example to compare with.
Oauth plugins seem underrepresented. We’ve submitted ours for review but I guess it takes longer because Oauth plugins are more complicated to test.
However, in my opinion, Oauth is much more secure, especially if the application requires access to sensitive data.
We’re really opening pandoras box by creating OpenAPIs with no authentication needed.
That just tells me that you do not understand our / my viewpoint.
Not all viewpoints are equal, or deserve attention or understanding. There’s entire groups of racists, sexists, etc out there.
Do you lock your front door? Why? According to reports, robbers are breaking into houses all the time. It’s inconvenient to get keys out of your pocket all the time. What if you’re BUSTING to go to the toilet!
TL;DR - no one failed to grasp your viewpoint, they just failed to care.
@blake386 Great thread.
I think it’s great to be able to login to a service with 0Auth, and the argument for 2FA or MFA depends on a few factors (with no right answer as it depends on the trade-offs of convenience versus the importance of the account/service). Besides personal preferences such as the convenience factor but more importantly, whether the underlying accounts/service is sensitive in terms of the information it protects, whether privacy related or for financial accounts where there is risk of financial fraud, for example.
Ideally, users should expect to go to greater lengths to secure their financial accounts and emails/social media, compared to securing an account for some services that don’t have any important data or credit card details on file, etc… (i.e. some sites for checking the weather, where you can get away with a weaker password that you only use on that site and 2FA could push users away and appear to be overkill).
Conversely, some people want 256-bit security everywhere and as a result have longer more complex passwords that are hard to remember and must be stored centrally in a password manager (where the security is mitigated to how secure their master password is for the manager).
So the UI/UX challenge is a trade-off between those extremes, password responsibility best practices still haven’t been fully adopted by consumers because they can click reset on most services because they are using cryptography implicitly and relying on the service provider to maintain secrets (so it’s a convenience factor).
For comparison, using cryptography explicitly by generating their own private keys and secrets in a secure manner like hardcore crypto folks do, in addition to using devices for MFA, will be more and more commonplace in the future, and as cybersecurity converges more with AI, it will force consumers to stop delegating their security responsibility and they will be more self-sovereign in that regard (especially as service force them to in order to combat fake accounts, bots and scammers).
I’m all for the extra security steps, but sometimes companies make you jump through hoops yet that doesn’t mean their service and your accounts are secure, so implementation matters too (i.e. 2FA can be faulty if user is SIM-swap attacked, versus device level verification which is more secure but you must backup device secrets in the event of device loss). So overall, the context matters immensely but as deepfakes get harder to distinguish from reality, explicit crypto and extra measures everywhere will be the norm in the future.