Well, I guess this is the good kick in the pants I needed to just move all my GitLab and GitHub repos over to sourcehut or something. Probably just get rid of some of them. IDK.
Doesn't processing MFA resets for anonymous accounts (i.e. not banks) erode the purpose of MFA? If someone can just social engineer a support team into removing your authenticator, there's really very little purpose to MFA.
I save my recovery keys in a safe and use Authy as my authenticator (which has e2e encrypted sync between devices), and am not at all concerned about this change.
I think it's fair to keep resets for paid accounts because (1) they're paying for it, and (2) you can verify ownership using your payment details to authorize a $1 hold or something similar. Free accounts have no such authentication method.
Hm, this is a good point. I think I was misunderstanding MFA resets as MFA authentication -- I don't need to reset my thing too much.
Still need to move most things over though, just for my own sanity.