@blake386 Great thread.
I think it’s great to be able to log in to a service with OAuth, and the argument for 2FA or MFA depends on a few factors (with no right answer, as it depends on the trade-offs of convenience versus the importance of the account/service): besides personal preferences such as the convenience factor, and more importantly, whether the underlying account/service is sensitive in terms of the information it protects, whether privacy-related or for financial accounts where there is a risk of financial fraud, for example.
Ideally, users should expect to go to greater lengths to secure their financial accounts and email/social media, compared to securing an account for some service that doesn’t have any important data or credit card details on file, etc. (e.g. some sites for checking the weather, where you can get away with a weaker password that you only use on that site, and 2FA could push users away and appear to be overkill).
Conversely, some people want 256-bit security everywhere and as a result have longer, more complex passwords that are hard to remember and must be stored centrally in a password manager (where security comes down to how secure their master password for the manager is).
So the UI/UX challenge is a trade-off between those extremes. Password-responsibility best practices still haven’t been fully adopted by consumers, because they can click reset on most services: they are using cryptography implicitly and relying on the service provider to maintain secrets (so it’s a convenience factor).
For comparison, using cryptography explicitly by generating their own private keys and secrets in a secure manner, like hardcore crypto folks do, in addition to using devices for MFA, will be more and more commonplace in the future, and as cybersecurity converges more with AI, it will force consumers to stop delegating their security responsibility and they will be more self-sovereign in that regard (especially as services force them to in order to combat fake accounts, bots and scammers).
I’m all for the extra security steps, but sometimes companies make you jump through hoops, yet that doesn’t mean their service and your accounts are secure, so implementation matters too (e.g. 2FA can be faulty if a user is SIM-swap attacked, versus device-level verification, which is more secure but requires you to back up device secrets in the event of device loss). So overall, the context matters immensely, but as deepfakes get harder to distinguish from reality, explicit crypto and extra measures everywhere will be the norm in the future.