
2FA or Not 2FA


91 comments

·March 18, 2025

evolve2k

> I never spell it out, let alone write it down, but it is in my muscle memory as I haven't changed it for years. There is no way someone on the internet can break into my ssh account or gmail account protected by such a password.

Oh dear. The issue isn’t the brute force, it’s that the online services leak and get cracked. And in an instant a single script takes the newly discovered username password combo and starts hammering it into the top 10000 websites, all within moments of the leak data becoming available.

Your super secret favourite phrase is worth crap once leaked alongside your email address.

Further, don’t choose Microsoft for your auth app. Go with an open source option, maybe one that encrypts and syncs so you have multiple devices just in case.

autoexec

> Oh dear. The issue isn’t the brute force, it’s that the online services leak and get cracked. And in an instant a single script takes the newly discovered username password combo and starts hammering it into the top 10000 websites, all within moments of the leak data becoming available.

This is only ever a problem if your password is reused. Don't reuse passwords, and if some website is hacked and they were storing your password in plaintext, you just have to reset your password (the same way everyone else does, 2FA or not).

femtozer

Not sure I understand — passwords are generally hashed in databases. Even if leaked, an attacker would still need to brute-force the hash to retrieve the actual password, wouldn’t they?

evolve2k

You’d think so. But over and over, plain text leaks of passwords are the practical reality of the modern internet. A disgruntled staff member, poor tech practices or someone working out a way to get in and get access.

The https://haveibeenpwned.com/ project regularly shares new breached datasets. Reusing passwords across websites without MFA is just not not not recommended in 2025.

parliament32

"Generally", sure. How do you guarantee every service you've ever signed up for uses proper salting and hashing though? All it takes is one for your entire security model to go down the drain.
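The "proper salting and hashing" point above is worth seeing in code. This is an added example, not code from the article or from any commenter, with a constructed wordlist and constructed "leaked" user tables. It contrasts the attacker's cost against an unsalted fast hash (one precomputed table cracks every user in the dump) with a per-user salt plus an iterated KDF (PBKDF2-HMAC-SHA256 here; the iteration count is a demo value, real deployments use a much larger one). Function and user names are hypothetical.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist: a few entries of the kind found in public password lists.
WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2", "Password123!"]

# Demo work factor; production deployments use a much larger iteration count.
DEMO_ITERATIONS = 100_000


def store_unsalted(password: str) -> str:
    """The bad scheme: one fast hash, no salt. Equal passwords -> equal stored values."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None,
                 iterations: int = DEMO_ITERATIONS) -> str:
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256).
    Equal passwords -> different stored values, and each guess costs `iterations` HMACs."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt/iterations and compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_unsalted(leaked: dict, wordlist: list) -> tuple:
    """Attacker view of an unsalted dump: hash the wordlist ONCE, then look every user up.
    Returns (recovered user->password, number of hash computations spent)."""
    table = {store_unsalted(w): w for w in wordlist}
    recovered = {user: table[h] for user, h in leaked.items() if h in table}
    return recovered, len(wordlist)


def crack_salted(leaked: dict, wordlist: list) -> tuple:
    """Attacker view of a salted, iterated dump: no shared table is possible, so every
    (user, guess) pair is a separate KDF run. Work is counted in HMAC iterations."""
    recovered, work = {}, 0
    for user, stored in leaked.items():
        iterations = int(stored.split("$")[1])
        for guess in wordlist:
            work += iterations
            if verify_salted(guess, stored):
                recovered[user] = guess
                break
    return recovered, work


# Constructed "leaked" tables for three hypothetical users; carol's password is not
# in the wordlist, so neither scheme gives it up to this attacker.
USERS = {"alice": "password", "bob": "hunter2", "carol": "correct horse battery staple"}
LEAK_UNSALTED = {u: store_unsalted(p) for u, p in USERS.items()}
LEAK_SALTED = {u: store_salted(p) for u, p in USERS.items()}

if __name__ == "__main__":
    found, work = crack_unsalted(LEAK_UNSALTED, WORDLIST)
    print("unsalted dump:", found, "- hashes computed:", work)
    found, work = crack_salted(LEAK_SALTED, WORDLIST)
    print("salted dump:  ", found, "- HMAC iterations spent:", work)
```

The recovered set is the same in both runs because the wordlist is tiny; the difference is the cost column. The unsalted dump falls to six hash computations total, however many users it contains, while the salted dump costs a full KDF run per user per guess, which is what turns a wordlist attack from instant into expensive. Neither scheme helps the user whose password is on the list, which is the thread's point about reuse.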

ajd555

I could not agree more with this comment. OP entirely misses the point of 2FA. I sleep so much better at night knowing that I have different passwords for every account, and 2FA where possible. One should not write about 2FA when one uses the same "uncrackable" password everywhere...

autoexec

Maybe I missed it (it's early and I haven't even had coffee yet) but where did the author say they reused the same password over multiple sites?


gibibit

I agree with the article. Maybe businesses are trying to protect themselves, but as a user, mandatory 2FA reduces the level of security I can achieve for myself.

Because security is not just confidentiality, it's also availability: the "Security CIA Triad" is Confidentiality, Integrity, and Availability.

If I can lose access (availability) to my online account by losing some physical item (e.g. a lost cell phone), or if some third party can prevent me from accessing my 2FA (e.g. banned from my email provider by a DMCA takedown request), then my availability, and hence my overall security, is at risk.

Additionally, requiring a phone number for online services means that the confidentiality of my identity is reduced. It becomes impossible to be anonymous. For instance, you can't use Signal messenger without a phone number, so there's a chance your identity can be leaked.

Tractor8626

The author doesn't understand the problem space at all.

1) Weak passwords are not ok even on throw-away accounts. Just because you have no use for it, doesn't mean nobody has. Sending spam, or impersonating you or some other creative use.

2) Nobody is going to bruteforce your password. We don't use md5 anymore. Your password will get stolen. By phishing, malware, social engineering, password reuse etc.

arkh

> Just because you have no use for it, doesn't mean nobody has.

Lot of websites you'll visit once per decade (maybe) still ask for account. Or things like the software you get to manage your gaming peripherals which nowadays all ask for an account for no reason.

Those accounts getting hacked? I don't care. So they all get a shitty birthday password if they accept it. If they prefer to use some stupid "X uppercase, Y lowercase, Z numbers, some special characters" I'll make a new account next time because I'm not using a real email. Or just stop there.

wvh

That is your perspective. Not that of the site owner, or the internet at large, victim to any abuse somebody unkind can unleash.

Security is a bit like traffic. If you're alone in the world, you do you. But you are not alone, you have a responsibility to others, be it passers by, fellow travellers or those loved ones depending on you making it back alive.

ss64

If a new account has that much power to abuse the system, then your problem is not the 2FA security. They don't need to crack your account, a bad actor could just create a new account for themselves.

Macha

> That is your perspective. Not that of the site owner, or the internet at large, victim to any abuse somebody unkind can unleash.

Frankly, in a lot of these cases the site owner (e.g. Razer) has already decided to put their interest ahead of mine by requiring accounts to e.g. configure peripherals locally so they can harvest sign ups for their marketing lists or tell investors they have XXX MAUs. I don't care if my password choice inconveniences them in turn.

autoexec

> Weak passwords are not ok even on throw-away accounts.

They can be okay for throw-away accounts, it just depends on the circumstance.

> Nobody is going to bruteforce your password.

I can assure you that there are still people brute forcing passwords. I see it happening all the time, especially for SSH accounts. While you are correct that phishing and password reuse are problems, they are also not totally solved by using 2FA.

TeMPOraL

> 1) Weak passwords are not ok even on throw-away accounts. Just because you have no use for it, doesn't mean nobody has. Sending spam, or impersonating you or some other creative use.

Why should that be my problem? It reeks of the same bait-and-switch that banks are doing, with calling failures of their lax KYC/security process "identity theft", calling themselves the victim, and making the actual victim responsible for it.

croes

Depends on the purpose of the account.

For instance this requires an account

https://news.ycombinator.com/item?id=43245361


einr

By your own argument, if no one is going to bruteforce your password, what then is the issue with a weak password?

Jnr

Password lists are full of weak passwords. You don't brute-force the password, you use a password list instead.

notpushkin

Potato, potato. Does anybody really say “bruteforce” not meaning a dictionary attack?

giantrobot

Credential stuffing. Attackers can spam a site with logins with common passwords. Too few sites implement good mitigations against this because it's easy to block/lock legitimate users that typoed a password.

edent

Password re-use is the bigger issue.

No one can crack your super-strong multilingual password. But if a service accidentally leaks it, then it doesn't matter.

Credential stuffing is how 23andMe were hacked. People reused passwords, they were leaked from another service, attackers tried them on a variety of sites until they hit the jackpot.

Unique passwords prevent that attack. Can't remember a thousand different passwords? Use a manager.

Don't want to use a manager? Switch on 2FA. Weak passwords and password reuse ceases to be a problem.

Yes, as the article points out, it slightly reduces ease of login. But that seems like a sensible trade off.
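The two attack shapes discussed above (a leaked user:password list tried once per account, versus many passwords against one account) look different in an auth log, and telling them apart is also how a site avoids the "lock out the user who typoed" problem giantrobot mentions. This is an added example, not code from the article or from any commenter: it runs over constructed log lines in a hypothetical format and labels each source IP, leaving low-volume failure runs unlabelled. Thresholds, field names and the log format are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical auth-log format, one event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed log lines for one five-minute window (RFC 5737 documentation addresses).
# 203.0.113.7   : one attempt per user across many users -> credential stuffing, one hit
# 198.51.100.23 : many attempts against one user         -> classic brute force
# 192.0.2.5     : two typos then success                 -> ordinary user, must NOT be flagged
SAMPLE_LOG = """\
2025-03-18T09:00:01Z ip=203.0.113.7 user=alice result=FAIL
2025-03-18T09:00:01Z ip=198.51.100.23 user=bob result=FAIL
2025-03-18T09:00:02Z ip=203.0.113.7 user=bob result=FAIL
2025-03-18T09:00:02Z ip=198.51.100.23 user=bob result=FAIL
2025-03-18T09:00:03Z ip=192.0.2.5 user=carol result=FAIL
2025-03-18T09:00:03Z ip=203.0.113.7 user=carol result=FAIL
2025-03-18T09:00:04Z ip=198.51.100.23 user=bob result=FAIL
2025-03-18T09:00:04Z ip=203.0.113.7 user=dave result=FAIL
2025-03-18T09:00:05Z ip=198.51.100.23 user=bob result=FAIL
2025-03-18T09:00:05Z ip=203.0.113.7 user=erin result=FAIL
2025-03-18T09:00:06Z ip=192.0.2.5 user=carol result=FAIL
2025-03-18T09:00:06Z ip=198.51.100.23 user=bob result=FAIL
2025-03-18T09:00:07Z ip=203.0.113.7 user=frank result=FAIL
2025-03-18T09:00:07Z ip=198.51.100.23 user=bob result=FAIL
2025-03-18T09:00:08Z ip=203.0.113.7 user=grace result=FAIL
2025-03-18T09:00:08Z ip=198.51.100.23 user=bob result=FAIL
2025-03-18T09:00:09Z ip=203.0.113.7 user=heidi result=OK
2025-03-18T09:00:09Z ip=198.51.100.23 user=bob result=FAIL
2025-03-18T09:00:10Z ip=192.0.2.5 user=carol result=OK
2025-03-18T09:00:10Z ip=203.0.113.7 user=ivan result=FAIL
2025-03-18T09:00:11Z ip=198.51.100.23 user=bob result=FAIL
2025-03-18T09:00:11Z ip=203.0.113.7 user=judy result=FAIL
2025-03-18T09:00:12Z ip=198.51.100.23 user=bob result=FAIL
"""


def parse_log(text: str) -> list:
    """Parse matching lines into dicts with a real datetime; ignore anything else."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def classify_sources(events: list, min_attempts: int = 8,
                     fail_ratio: float = 0.8, spray_ratio: float = 0.8) -> dict:
    """Label each source IP in an already time-bounded slice of events.

    credential_stuffing: many attempts, nearly all failing, almost every one against a
                         different username (a leaked user:password list being replayed)
    brute_force:         many attempts, nearly all failing, all against one username
    Sources below min_attempts get no label, so a user mistyping twice is left alone.
    """
    by_ip = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for ev in events:
        s = by_ip[ev["ip"]]
        s["attempts"] += 1
        s["users"].add(ev["user"])
        if ev["result"] == "FAIL":
            s["fails"] += 1
    labels = {}
    for ip, s in by_ip.items():
        if s["attempts"] < min_attempts or s["fails"] / s["attempts"] < fail_ratio:
            continue
        if len(s["users"]) / s["attempts"] >= spray_ratio:
            labels[ip] = "credential_stuffing"
        elif len(s["users"]) == 1:
            labels[ip] = "brute_force"
    return labels


def compromised_accounts(events: list, labels: dict) -> list:
    """Usernames that logged in successfully from a source labelled as stuffing:
    the reused-password accounts that need a forced reset and session revocation."""
    return sorted({ev["user"] for ev in events
                   if labels.get(ev["ip"]) == "credential_stuffing" and ev["result"] == "OK"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    labels = classify_sources(evs)
    print(labels)
    print("reset these accounts:", compromised_accounts(evs, labels))
```

The distinguishing signal is distinct usernames per attempt, not raw failure count, which is why the response can differ: a stuffing source gets blocked at the network edge and its one successful login is treated as a compromise, while a brute-force source is answered with per-account rate limiting, and the user who fumbled a password twice is never touched.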

autoexec

> Yes, as the article points out, it slightly reduces ease of login. But that seems like a sensible trade off.

In addition to making the login process more complicated, 2FA can also introduce privacy concerns. A third party authenticator app can collect all kinds of data for its own reasons (just look at the permissions MS's app wants) and that 3rd party could also track what services you log into, when, and how often.

2FA can also cause you to be locked out of your accounts, either temporarily or forever.

benoliver999

I would advise against password re-use regardless of 2FA.

- Lots of flaky 2FA implementations out there where it's easy to get in without it, if you have the password

- If a service doesn't offer 2FA you are now unable to use it for fear of sharing your password (like this website)

I suppose logically if your email is 2FA, then someone can't do 'forgot password', but man that feels super flaky.

freeone3000

Gmail “magic link” login (which is the reset password flow, but without needing the password) is the same security profile as Google OAuth, while exposing less user data (name and profile are nonoptional) — and also equivalent to an Android-managed passkey.

PinguTS

There is another issue with all those growing 2FA/MFA protected accounts: managing your unexpected death.

How do you teach your beloved ones to access your accounts? And they need to remember what to do. For some accounts it may not matter. For others it means being able to end the subscription. Because not all subscriptions are associated with a credit card, which just expires.

But if you allow a third party to contact a company to cancel and/or change things, then this becomes the go-to for social engineering.

croes

Isn’t the device to access the password manager mostly the same device used for 2FA?

I hope most people use a password manager.

dewey

Most people are just storing them in the browser but that’s not stopping people from coming up with easy to guess passwords.

pests

Services like FB have the concept of a legacy contact, an account that can manage your page after death. Also the concept of your profile switching to a memorial page, with your legacy contact doing moderation of posts.

I did the math years ago and even back then, thousands of users would pass daily and now with most of the world population on FB it probably comes in handy.

TimJRobinson

I thought he was going to mention the stupidity of sites like Twitter where, when you add SMS as a 2FA option, you can now use that to bypass the password and so are vulnerable to SIM hijacking, which given how incompetent phone company employees are makes your security weaker.

Always use an authenticator app or physical key, most sites that do SMS 2FA will then allow hackers to use it to bypass knowing your password.

latexr

> Because security is not only about being protected from intrusion, but also about being able to securely access data at any time and in any circumstances.

This felt like the author bending over backwards to justify their choice. They find 2FA less convenient and conflate it with being less secure. It’s not the same thing.

It’s OK to say “not all my accounts are equally important and I need to access some of them in situations where 2FA and complex passwords aren’t worth it”. It’s not OK to sell the idea that 2FA does not generally offer security.

This reminded me of the “SEO expert” a few years back which was trying to convince everyone, with wrong information, to not use HTTPS (which, I realise only after writing this, the author’s website also doesn’t use).

Spooky23

Security is about risk management. If the value of what you’re protecting is low, or the consequences of not accessing something are high, then the MFA control may not add value.

The problem is in general people are really bad at assessing risk. You tend to see extremes.

guappa

If we define data that can't be accessed by anyone as secure, throwing disks in a furnace is how you achieve security.

I don't think this definition is very helpful though. So I prefer the one where the entities that need to have access still can access.

latexr

> I don't think this definition is very helpful though.

Because it’s a straw man, and straw men aren’t helpful for discussion. No one is suggesting making data wholly inaccessible.

Data that you cannot access “at any time and in any circumstances” (author’s words) can still be secure. A fairer analogy would have been storing disks in a locked safe in your home. It’s not as convenient to access it, but it is secure. Should you do that for all your data? No, but neither have I advocated for that. I very clearly stated that I think it’s OK to have different levels of protection for different types of data.

mouse_

If I can't access money that I secured, I didn't secure it properly.

latexr

Which has nothing to do with my argument. See the reply to the other user, which expands.

https://news.ycombinator.com/item?id=43421721

foreigner

This assumes that services are handling your password responsibly and not e.g. storing it in clear text in a public S3 bucket, which in practice happens all the time.

BlackFly

Actually, the author is assuming that you will generate a password like `Password123!` for an obviously fly-by-night company and use a password manager for other websites of medium trust, the author states as much. My reading of his suggestion is that the memorized passwords are used for things like ssh or possibly logins on laptops/pcs. Some people have a good instinct for such things.

This is quite reasonable.

- Useless passwords for useless websites that needlessly require accounts.
- Autogenerated passwords for websites of infrequent use that you don't need to trust much.
- Memorized passwords for logins of high importance that you need to trust.

Since we only have so much capacity to memorize a password, the idea of reusing a password for the few high importance logins you have can be quite reasonable.

wobfan

I'm just asking myself, why not use the password generator + manager always if you have it installed either way. I've also used some of my digit-only 8-char passwords for some websites where I'm just indifferent about people logging into my account, but usually I just use the PW manager. It takes maybe 1-2 more clicks, but more importantly, it saves me from the website saying "ohhh noooo please add a special character", and then "ohhhh sorry but there's no upper case character", blah blah.

By always using the PW manager I have a clear and standard route of registering accounts that is not a lot more work, is way more safe by default, and also can save time if at some point in 2 years you want to log in again, because of some random event. Sure, email reset would be possible, but that takes time again.

Another counter-argument against the article in general, at least in my opinion: while 2FA adds a time consuming step to the login, it happens rarely. I use a lot of services and usually always enable 2FA if it has even a single bit of personal or critical data. But as soon as I'm logged in, the access tokens or refresh tokens are valid for such a long time that I rarely have to do the 2FA challenge again.

bolobo

I use a laptop, desktop PC, phone, and 2 tablets at home. Another PC and laptop and tablet when I visit my parents. Not all of them are mine, and it is _very_ annoying to have to login to a website on them. You have to go through the unlock flow on your own device (long and complicated password) to access the password, and then copy the site-specific password (usually long and complicated) to the new device.

It is a giant pain. I can understand why people wouldn't want to go through it.

arkh

> It takes maybe 1-2 more clicks

1-2 clicks here, a couple there, and a click heavy UI. Welcome to the clickodrome, where your patience is tested to its limits.

Why do people click on everything without reading? Because you trained them to.

bradley13

He's not wrong. I use a password manager that stores passwords only locally, not in the cloud. I can generate arbitrarily complex passwords and never have to worry about how hard they are to type or remember.

2FA makes my workflow significantly more difficult. As a result, for non-critical sites, I have started allowing the browser to store my passwords, thus relying on the 2FA-authenticator for security. This result is likely less secure overall, since the browser's password storage could realistically be compromised.

That said, I do have to acknowledge the point in another comment that phishing may be the bigger threat. Log into a fake site with a password but no 2FA, and you are toast.

postalrat

What is the difference between a secure password synced with a password manager and a cookie that doesn't expire synced with a browser or extension? I don't see much difference so why bother even having a password?

fmajid

This is compounded by the fact that most 2FA implementations are security theater, not phishing-resistant, the sole exceptions being FIDO2/WebAuthn (e.g. Yubikeys) and passkeys, but passkeys are really single-factor authentication. Both FIDO and passkeys have serious usability challenges, though.

What's worse, the most common scheme, SMS-based authentication can lead to denial of service, e.g. you are roaming and do not have access to texts, or have your account SIM-jacked as this seems to be very popular way to steal people's cryptocurrencies.

autoexec

Passkeys can't always protect an account against phishing either (https://cyberpress.org/passkeys-with-aitm-phishing-attacks/) they just make it more difficult for scammers.

bradley13

This. In theory, passkeys should be great. Sort of an SSH-for-the-masses.

Unfortunately, the industry has mangled the implementation, making them basically useless.

dcow

Funny how that always happens. Passkeys were supposed to be great and what you ended up with is platform players abusing their position to push lock in to their own passkey solutions over fair access to arbitrary 3rd party providers.

When they do work smoothly they aren’t useless though.

gclawes

Android has been surprisingly awesome with cross-platform passkeys (i.e. google lets you use BitWarden/1Password/etc pretty transparently).

Anything Apple related is another story...

There's some good movement in the linux desktop space I'm excited about: https://github.com/linux-credentials/linux-webauthn-platform...

Spivak

I mean they're not totally useless, in the current implementation they just can't replace passwords. I have a bunch of passkeys in my Bitwarden and they function as a "log in bypassing the 2FA screen" button. I get to skip the "we sent a code to your phone/email/butthole" flow.

_dain_

>you are roaming and do not have access to texts

I truly despise this. It effectively disenfranchises people for living outside of areas with good mobile coverage. Banks or utility payments or parking meters(!) or whatever should not be gated behind cellphone reception. Nevermind people who can't use a phone at all ...

Aardwolf

Plus many want your phone number or some random app by them on your phone for their 2FA (instead of e.g. TOTP that you control), less secure because they now can leak your phone number or do something with an update to the app.

BTW what's the sentiment on passkeys?

account-5

In my opinion passkeys, whilst solving the password related issues, introduce their own. The risk of losing access to your accounts is greater if you tie everything to one device and that's lost or stolen, and the "solution" to use more than one device is not a solution, or feasible for everyone. There's also the risk of vendor lock-in, which is definitely an aim of the big providers like Apple, Google and Microsoft; which is a bigger risk to those less tech savvy.

dcow

FWIW no consumer implementation of passkeys is device bound for exactly this reason. The threat of a user losing a device is much bigger and pressing than getting phished. All passkeys are backed up in a sync fabric.

jampekka

Most consumer passkey implementations are lock-in. https://arstechnica.com/security/2024/12/passkey-technology-...

gclawes

You _can_ use a standalone YubiKey or similar dedicated hardware tokens as a passkey, but they have limited slots for discoverable credentials.

But yeah, anything resembling a phone passkey seems to have a sync fabric behind it.

perlgeek

There are really two aspects to 2FA:

1: you as a user might want to protect your account

2: A website provider wants to secure their own business

If it's about 1, then the argument "I don't reuse passwords" holds some water. It doesn't protect you from somebody getting access to a plaintext copy of your requests (for example on the load balancer that terminates the TLS), but that's only a small part of the potential attack surface.

But from the perspective of the website owner, they might suspect that many of their users reuse passwords between sites. 2FA is a great defense against that, and also against brute force attempts.