Hi. I just got to a discussion here on discourse.mozilla.org that I wanted to join. So I tried to login or register. I tried a passwordless login, but it didn’t work. I tried my GitHub login, but got the “you need 2FA” error. Then I tried Firefox login, and the same error showed. Then I tried Google login, and got “you have to use your most secure login, which is Firefox login” or something like that. I happen to manage my whole life without 2FA and everything runs smoothly. And then I am forced by an entity that says it’s “open” etc. to start using a security measure I simply don’t want. Why? Because given the right “persuasion” upon theft of your device, the possession of it allows aggressors to do more damage and have more control of your accounts than they would if I could just reset my passwords using a secretly known second e-mail, for instance. Sure, these are two approaches, each of them with its own risks. But that’s exactly the point: it’s up to the user to choose which risks one’s willing to take and which ones not, right? This login system is the most aggressive I have ever seen anywhere online, even considering non-democratic countries! A “dictatorship of [insert any value you consider the most important in life]” is still a dictatorship, ok?
But did I say I don’t want to use 2FA? Let’s switch from “don’t want” to “can’t”. To use 2FA, one could be forced to spend a lot of money buying a device that one really shouldn’t be forced to buy. Do not forget you are not setting up a login for users from North America and Europe only. We’re talking about the whole world, which means a lot of people have their digital homes in public/shared computers and have access to no other electronic devices (at least not Internet connected devices).
And what is the most absurd of it all: to discuss anything regarding the IAM system, you first have to successfully login using the IAM system itself. Cool, right?
No. Not cool. I eventually got in through a temporary e-mail by passwordless login. Does this sound right at all?
So sure, 2FA can sound amazing for some. But change socio-economic (including urban violence) reality and you may switch your side on this matter. And even if you don’t, and even if I am completely wrong, I still shouldn’t be forced to adopt something (that only affects my security).
(BTW, Mozilla accepts my 1FA to store and sync a lot of sensitive info, like browsing history, open tabs, bookmarks etc. but does not accept the same security level for discussing in a forum? This is really, really bad decision making…)