I'm ok with 2 factor, but the reliance on text messaging needs to end. For one it's not secure. Two, cell service isn't always available whereas an internet connection may still be.
this post was submitted on 16 Jul 2025
32 points (76.7% liked)
Unpopular Opinion
7683 readers
12 users here now
Welcome to the Unpopular Opinion community!
How voting works:
Vote the opposite of the norm.
If you agree that the opinion is unpopular give it an arrow up. If it's something that's widely accepted, give it an arrow down.
Guidelines:
Tag your post, if possible (not required)
- If your post is a "General" unpopular opinion, start the subject with [GENERAL].
- If it is a Lemmy-specific unpopular opinion, start it with [LEMMY].
Rules:
1. NO POLITICS
Politics is everywhere. Let's make this about [general] and [lemmy] - specific topics, and keep politics out of it.
2. Be civil.
Disagreements happen, but that doesn’t provide the right to personally attack others. No racism/sexism/bigotry. Please also refrain from gatekeeping others' opinions.
3. No bots, spam or self-promotion.
Only approved bots, which follow the guidelines for bots set by the instance, are allowed.
4. Shitposts and memes are allowed but...
Only until they prove to be a problem. They can and will be removed at moderator discretion.
5. No trolling.
This shouldn't need an explanation. If your post or comment is made just to get a rise with no real value, it will be removed. You do this too often, you will get a vacation to touch grass, away from this community for 1 or more days. Repeat offenses will result in a perma-ban.
6. Defend your opinion
This is a bit of a mix of rules 4 and 5 to help foster higher quality posts. You are expected to defend your unpopular opinion in the post body. We don't expect a whole manifesto (please, no manifestos), but you should at least provide some details as to why you hold the position you do.
Instance-wide rules always apply. https://legal.lemmy.world/tos/
founded 2 years ago
MODERATORS
What's the difference between an unpopular opinion and a wrong opinion?
Without MFA, hundreds of thousands more accounts if not millions would be completely compromised. That is just a fact because most people choose horrible and/or completely the same password for everything. Bank account details, credit card info, social security or government ID numbers, etc...
It doesn't have to be as bad as email or SMS. TOTP has been a standard for a very long time and there are a dozen apps for it. Simply enter the app, copy the code, done. SMS and email are less secure anyways.
American companies seem particularly allergic to TOTP for some reason...
I look at it more like, if you are going to require MFA, why require passwords as part of login?
Multi Factor Authentication (MFA) : using multiple authentication factors to validate a user is who they say they are and grant access
Auth factors:
Something you know: is in your head. Password, PIN, etc
Something you have: credit card, hardware token (yubikey, mag stripe, etc), software token (auth, MS authenticator, etc)
Something you are: biometrics.
Somewhere you are: location based (IP, geo location, geo fence, etc)
Any one method is vulnerable to compromise. By using two separate FACTORS (aka MFA) you vastly reduce risk that you will be compromised.
Using a password and PIN is NOT MFA because they're both the same auth factor.
Using just a token is NOT MFA because it's only one auth factor.
I get that only using a token isn't MFA. I'm just questioning why MFA is a thing if the major issue is really bad password security.
Bad password security is a human problem (can be back end bad practices also, but mostly human) whereas only using one auth factor is a security design problem. Again, MFA bad, single auth not good (but sometimes sufficient)
Also many people aren't comfortable with auth apps yet and way less are comfortable with hardware tokens.
Passwords, while often implemented poorly by humans, aren't something you can easily LOSE like your phone or a set of keys.
Many logins don't really need very good security, like who cares if my lemmy login gets compromised I don't want MFA here. Some might, I don't. I still use a password manager but still, just a password is fine.
I dropped a credit union because they don't allow MFA for online banking at ALL however, which is outrageous in 2025.
Because that's an authentication factor?
Yes, but there are a lot of people arguing here about how bad passwords are because they get leaked and you need so many of them that it is a struggle for people to remember them. So, if passwords are so bad, why should they be maintained as a method of authentication?
They're not really that bad, lots of people are just bad at using them. A lot of breaches happen because someone gets lazy and uses a default or something stupidly simple like what you'd use on your luggage.
Yeah, but people have several dozen accounts, passwords have to change on some of them, and it used to be very discouraged to write passwords down so people needed to remember them.
A system has created where there are massive failures in its use because it was poorly implemented.
Then you need to know 2 different codes.
They would need to hack the server password database or your password app AND have physical access to your device.
It is the same concept as using biometric + TOTP or password.
Something you have, something you know, something you are: those are the 3 general "factors"
I think this is highly dependent on what you're logging into.
Bank account? Please require both. Some account on a random store website? Could not care less about security, I just want to buy socks.
You provide something you know (password) and something you have (random code) or something you are (biometric). This is really far safer.
Honestly, I think not having MFA required for any account anywhere ever is bad practice. As others have mentioned MFA is something you know, something you own, something that's you, and somewhere you are. Password or pin, phone or digital key, biometric like a fingerprint or face, geolocation or IP address. Having more than one of these things makes getting into your account harder. If you only need a password, then that's all someone needs to figure out to get into your account, same with all the other examples. I feel like it's pretty straight forward, but I tried my best to explain why we do need both...
If you run a server with thousands of users interacting with each other and someone gains access to all their accounts, what's the harm? I don't care if someone gets access to what I have access to through the account on x website, so it doesn't matter right? Well what if real user accounts were used as bots to push propaganda or silence a competitor, damaging the community you're hosting on your server, or posting bad reviews on products, etc. you lose trust in that community or website.
Idk, to me, there is a bigger picture that requiring secure accounts produces, and I think it helps me have more trust in the website I'm joining and want to be part of. It's just about helping ensure genuine interactions, it'd be nice if it was guaranteed, but it at least helps me feel assured.
tldr; MFA is important for securing the things inside of an account, but it's also important for creating confidence and trust in who or what you're interacting with on a website.
Password databases will be leaked. That's just a fact of the world today.
2fa allows you to have either one of your login methods fail without your account getting compromised.
It sucks but I don't know of a better system (other than physical cryptographic keys which is not going to be an option for most consumers)
Bad idea.
Lets say you get your way and you have an username or phone number that identifies you and only your phone client that authenticates you. If I can get your username/phone number, I can try to log into your account from my device. I can either just spam you incessantly until you accidentally authorize my device, or I can be very stealthy and when you are logging in from your device, I'll immediately send a request my own. You will authorize my device thinking its the one you're logging into.
Especially when They're already in there, mining every iota with impunity. 🤷🏼♂️
Phone verification is a KYC tool... Never do it unless it is a critical service.