We don't need both passwords and Email/Phone verification.
Either make me create a password and then let me into my account or let me use my phone number/email to verify. It's becoming too much to get into every day stuff. If I have biometrics on there is zero reason for anything else.
Basically the current security system is overdoing it. I suggest getting rid of passwords altogether OR only requiring one or the other. Like if I forget my password or I forget my phone I can use the other, but JFC it's a hassle.
What's the difference between an unpopular opinion and a wrong opinion?
Without MFA, hundreds of thousands more accounts if not millions would be completely compromised. That is just a fact because most people choose horrible and/or completely the same password for everything. Bank account details, credit card info, social security or government ID numbers, etc...
It doesn't have to be as bad as email or SMS. TOTP has been a standard for a very long time and there are a dozen apps for it. Simply enter the app, copy the code, done. SMS and email are less secure anyways.
American companies seem particularly allergic to TOTP for some reason...
I look at it more like, if you are going to require MFA, why require passwords as part of login?
Multi-Factor Authentication (MFA): using multiple authentication factors to validate a user is who they say they are and grant access
Auth factors:
Something you know: is in your head. Password, PIN, etc
Something you have: credit card, hardware token (yubikey, mag stripe, etc), software token (auth, MS authenticator, etc)
Something you are: biometrics.
Somewhere you are: location based (IP, geo location, geo fence, etc)
Any one method is vulnerable to compromise. By using two separate FACTORS (aka MFA) you vastly reduce risk that you will be compromised.
Using a password and PIN is NOT MFA because they're both the same auth factor.
Using just a token is NOT MFA because it's only one auth factor.
Because that's an authentication factor?