{"id":36484,"date":"2022-07-12T15:30:01","date_gmt":"2022-07-12T19:30:01","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=36484"},"modified":"2022-07-12T19:29:28","modified_gmt":"2022-07-12T23:29:28","slug":"multi-factor-authentication-recovery-distrust","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2022\/07\/12\/multi-factor-authentication-recovery-distrust\/","title":{"rendered":"Multi-Factor Authentication Recovery Distrust"},"content":{"rendered":"<p><a href=\"https:\/\/utcc.utoronto.ca\/~cks\/space\/blog\/tech\/MFAAccountRecoveryDistrust\">Chris Siebenmann<\/a> (<a href=\"https:\/\/news.ycombinator.com\/item?id=32054476\">Hacker News<\/a>):<\/p>\n<blockquote cite=\"https:\/\/utcc.utoronto.ca\/~cks\/space\/blog\/tech\/MFAAccountRecoveryDistrust\"><p>But both of these situations have some things in common. I can actually talk to real people in both situations, and both have out of band means of identifying me (and communicating with me).<\/p><p>Famously, neither of these is the case with many large third party websites, which often have functionally no customer support and generally no out of band ways of identifying you (at least not ones they trust). If you (I) suffer total loss of all of your means of doing MFA, you are probably completely out of luck. One consequence of this is that you really need to have multiple forms of MFA set up before you make MFA mandatory on your account (better sites will insist on this).<\/p><p>[&#8230;]<\/p><p>More broadly, this is a balance of risks issue. I care quite a bit about the availability of my accounts, and I feel that it&rsquo;s much more likely that I will suffer from MFA issues than it is that I will be targeted and successfully phished for my regular account credentials (or that someone can use &lsquo;account recovery&rsquo; to take over the account). If loss of MFA is fatal, my overall risks go way up if I use MFA, although the risk of account compromise goes way down.<\/p><\/blockquote>\n<p>It seems like most sites that use two-factor authentication don&rsquo;t offer recovery codes.<\/p>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2022\/06\/29\/passkeys\/\">Passkeys<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2012\/11\/15\/kill-the-password\/\">Kill the Password<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2012\/08\/04\/find-my-mac-and-remote-wipe\/\">Find My Mac and Remote Wipe<\/a><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>Chris Siebenmann (Hacker News): But both of these situations have some things in common. I can actually talk to real people in both situations, and both have out of band means of identifying me (and communicating with me).Famously, neither of these is the case with many large third party websites, which often have functionally no [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2022-07-12T19:30:05Z","apple_news_api_id":"7cf3068c-d7ed-461b-b16d-1285f0581057","apple_news_api_modified_at":"2022-07-12T23:29:31Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAA==","apple_news_api_share_url":"https:\/\/apple.news\/AfPMGjNftRhuxbRKF8FgQVw","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[48,2090,96],"class_list":["post-36484","post","type-post","status-publish","format-standard","hentry","category-technology","tag-security","tag-two-factor-authentication-2fa","tag-web"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/36484","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=36484"}],"version-history":[{"count":2,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/36484\/revisions"}],"predecessor-version":[{"id":36495,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/36484\/revisions\/36495"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=36484"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=36484"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=36484"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}