New and improved two-factor lockout recovery process (githubengineering.com)
Many sites don't support U2F yet, but that's improving. An alternative for Google Authenticator sites is a set of one-time codes, which can also be stored in the safe deposit box.
I don't exactly see the point of using another site as backup, since you'll want 2FA on that site as well.
Then again, GitHub isn't really targeting the vast majority, but rather developers and similar technically-literate users.
A casual user doing a bug report certainly won't care about this grade of security (and probably won't even enable 2FA).
$38 is a lot of money to a lot of people. Some people just simply don't have a safe storage space either.
In any case I'm not seeing how outsourcing the backup token to another site is much of an improvement compared to not having 2FA at all. In this case, either:
- You set up 2FA with Facebook as well, in which case you're still locked out if you lose the device, or...
- You don't set up 2FA with Facebook, and that allows someone to bypass the 2FA on Google by just guessing your passwords.
So this seems to me a very marginal benefit over just skipping 2FA in the first place. If you're not willing or able to deal with real 2FA, then why pretend? Just set up a free password manager and leave it at that.
> - You set up 2FA with Facebook as well, in which case you're still locked out if you lose the device, or...
Not necessarily. What if one was TOTP and one was SMS? What if you forgot to set up one but not the other? Also, 2FA on Facebook is not required to use this feature. I have been in this situation before.
> - You don't set up 2FA with Facebook, and that allows someone to bypass the 2FA on Google by just guessing your passwords.
This is based on partial information, which I admit has not been well publicized. Facebook implements a time-based lockout after a password is recovered allowing a user to notice activity. It will also issue a "step up challenge" for risky users. Must be known device, known location, etc. or another factor is required to initiate recovery. Those with 2FA will answer a 2FA challenge, those without will fall back to other means or simply not be able to initiate a recovery.
> So this seems to me a very marginal benefit over just skipping 2FA in the first place. If you're not willing or able to deal with real 2FA, then why pretend? Just set up a free password manager and leave it at that.
Password manager adoption amongst the world is still terrible. This is an option that anyone can use without any additional tools or tricks.