While true, other scenarios do come into play, like “I’m using a FIDO key but I dropped it down a storm drain”. Meaning you pretty much have to provide some recovery mechanism, since you can’t really require the user to have a backup device.
Indeed, but some “security” guys frown deeply about the private key ever leaving a specific hardware device, because the second it can be backed up they freak out that it could, theoretically, be stolen. It’s hardly a practical concern, but there’s a lot of security people that don’t care about practical considerations.
I see it more neutrally - the concern isn’t wrong after all. Security is always to be balanced against convenience.
I consider being locked out for good so inconvenient that I’m willing to sacrifice a bit of security to avoid it. But everyone has to find what works best for them.
SMS based 2FA isn’t recommended and with an authenticator/hardware token your scenario is not a problem.
While true, other scenarios do come into play, like “I’m using a FIDO key but I dropped it down a storm drain”. Meaning you pretty much have to provide some recovery mechanism, since you can’t really require the user to have a backup device.
That’s why I don’t use hardware tokens. They are more secure but they can break or get lost/stolen. My authentication app supports backups.
Indeed, but some “security” guys frown deeply about the private key ever leaving a specific hardware device, because the second it can be backed up they freak out that it could, theoretically, be stolen. It’s hardly a practical concern, but there’s a lot of security people that don’t care about practical considerations.
I see it more neutrally - the concern isn’t wrong after all. Security is always to be balanced against convenience.
I consider being locked out for good so inconvenient that I’m willing to sacrifice a bit of security to avoid it. But everyone has to find what works best for them.
That’s why it is called multi-factor