Nostr Web Client

I had 2FA on phone long before they enforced it. US government already has acces to ,y stuff since it's Microsoft. So don't care about NSA backdoor in the 2FA app.

waxwing 2y ago

Yeah I'm less concerned about the NSA type threat (if they want to "do" my github account I'm sure they can), more the "uh oh because of a bug in the auth protocol or the auth app, hackers can take over accounts" or something like that.

I mean, it is *2* FA, not 1 FA, so in theory it's not that simple, I'm just thinking in very vague terms about "central points of failure" and also "complexity is the enemy of security" (people end up often looking for shortcuts if you make security policies really burdensome).

Reply to this note

Please Login to reply.

Discussion

Sjors Provoost 2y ago

Maybe yes. Though I think on Github you don't reach the 2FA step before either passing the password check or resetting the password.

takinbrrrr 2y ago

In deed. Those shortcuts include storing your password and 2FA TOTP in the same place. Ideally you shouldn’t but I think the real benefit of 2FA is to prevent account compromise due to password reuse.