I think this article conflates two very different motivations for using 2FA:
1) An organization has valuable resources it wishes to protect and secure from understandable but avoidable user mistakes, like phishing. For example: an employer. Notably, in most of these cases there’s an authority to which the user can appeal to recover account access if 2FA access is lost. It makes sense to be more strict.
2) A user wants to protect something they value, but the provider loses nothing if the user’s account is compromised through user error. For example: personal email. In this case the onus is on the user to ensure they don’t lose access, and the provider may be unwilling or unable to accept the liability of enabling account recovery.
The threat models for the two are very different, and in the second case, it’s in the user’s best interest to favor availability of access over all else.
I secure my email with TOTP. I have the key stored in 1Password. In any case, if 1Password (native app, not web version) is compromised, I’ve lost the battle already. However, I’m not worth burning a zero day on or otherwise targeting specifically. I also have backup codes saved in my personal disk backups. Anyone willing to break into my house to get them could just threaten me more easily.
Be very aware why you’re offering 2FA to your users. Are you 1, or 2?